NSA chief leaks info on data sharing tech: It's SharePoint

The NSA has admitted that the organization's use of Microsoft SharePoint allowed an unnamed sysadmin to leak information. In what can be perceived as either a ringing endorsement of SharePoint's "collaborative power", or a depressing admission that, yes, spooks use the same infuriating software as we do, NSA chief General …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Americans can be counted on to do the right thing - after exhausting every other possibility.

    Sadly I'm not there yet.

    Keith Alexander.

  2. Brewster's Angle Grinder Silver badge
    Facepalm

    Geek anthropology 101: geeks interfere constructively...

    "...measures the NSA is introducing to make sure that sysadmins cannot leak information to the public, such as working in pairs a..."

    I think that might backfire. Most lone sysadmins wouldn't have the gumption to pull a "Snowden". But a pair might egg each other on. You can imagine the conversation: "This is really heinous stuff these spooks are up to." "Yeah, man, totally heinous." "Do you think maybe we should tell some one?" "What, leak it?" "Yeah, leak it." "Totally, let's leak it." *high fives*

    Trusting one dumbass sysadmin is bad; trusting your sharepoint server to Bill & Ted is a whole afterlife more trouble.

  3. Chemist

    "on the SharePoint servers that NSA Hawaii needed,"

    They really deserve their hardship pay!

    1. Sir Runcible Spoon
      Coat

      I thought they weren't supposed to use Hawaii?

  4. Anonymous Coward
    Anonymous Coward

    Sharepoint isn't the only thing they use

    There's also an information sharing system called A-Space which the analysts and some collectors use to collaborate. It's compartmented of course and all distribution is limited based on cryptonym and distribution caveats (NOFORN, SI, etc), but it is rated to handle up to TOP SECRET information and is located on the JWICS as well as the NIPRnet and SIPRnet. NSAnet (also on JWICS) gets used occasionally for the same purposes too, but other agencies (even some parts of the Service Cryptologic Elements and CSS) have no access to NSAnet whereas they do have access to A-Space.

    Given that nothing Snowden (who I'm assuming is the "unnamed systems administrator" General Alexander was speaking of) has released carries a Top Secret* classification, when a great deal of the meat of the program undoubtedly is, he probably grabbed it from the Sharepoint network location at NSA Hawaii, and I've never heard of a Network Security Officer being able to connect Sharepoint or Lotus to JWICS.

    *-Snowden claimed that he has it but refuses to release it. Given his distinct lack of scruples and willingness to break the law to suit his ideals, I don't think that's what stopped him. He probably just didn't possess a TS-SCI/SAP clearance which he'd need for JWICS access. I might possess one, and in theory it's a real bitch to initially get and very difficult to maintain. The Single Scope Background Investigation is the easy part; the excruciatingly hard credit check (they know if you've ever been late on a bill, anywhere at any time, if you've ever bounced a check, even if you've ever replaced a debit card, all kinds of crazy shit), plus the Lifestyle and Counterintelligence Scope Polygraph examinations are the harder parts, and they tend to keep the numbers working in Strategic (or Level Above Corps in Army parlance) Intelligence collection and analysis pretty small and the number of people working at a lower level generally much higher.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sharepoint isn't the only thing they use

      An NSA apologist whining about 'lack of scruples' and 'willingness to break the law'. Hilarious.

      1. tom dial Silver badge

        Re: Sharepoint isn't the only thing they use

        Is not the question of whether NSA broke laws more a matter for the US Court system to decide than Anonymous Coward commentators on a tech news website?

        Downvoted for arrogance and tone.

        1. Sir Runcible Spoon

          Re: Sharepoint isn't the only thing they use

          "Is not the question of whether NSA broke laws more a matter for the US Court system to decide than Anonymous Coward commentators on a tech news website?"

          Yes it bloody well is. So tell me Mr Smartarse, why isn't this happening?

        2. hplasm
          FAIL

          Re: Sharepoint isn't the only thing they use

          "Downvoted for arrogance and tone."

          What a coincidence. Have a downvote.

    2. Destroy All Monsters Silver badge
      Facepalm

      Re: Sharepoint isn't the only thing they use

      > There's also an information sharing system called A-Space etc. etc.

      More acronyms and kewl buzz than Calvin can come up with in an afternoon of dwelling in the house of club GROSS ("Get Rid of Slimy Girls").

      You guys really need to have the keys taken away.

    3. Anonymous Coward
      Anonymous Coward

      Re: Sharepoint isn't the only thing they use

      "Given his distinct lack of scruples and willingness to break the law to suit his ideals, "

      The same sort of thing was said about:

      The suffragettes

      Those against the slave trade

      Black civil rights protesters

      Anti-Apartheid protesters

      The French Revolution

      Gandhi

      Forest Dwellers of Borneo

      Syrians

      Egyptians

      Iranians

      Jordanians

      and on and on and on and on and on.......

      1. Anonymous Coward
        Anonymous Coward

        Re: Sharepoint isn't the only thing they use

        Forest Dwellers of Borneo

        Probably the best band I ever heard.

  5. Don Jefe

    Doesn't Matter

    It doesn't matter what system they're using, not securing the system is a serious failure. This guy is just a failure all the way around.

  6. Anonymous Coward
    Black Helicopters

    With all due respect..

    "The NSA has admitted that the organization's use of Microsoft SharePoint allowed an unnamed sysadmin to leak information."

    Bullshit.

    It's not the use of SharePoint which allowed this sysadmin access; it's the idiot administrator who gave him access in the first place.

    What is this anyway; an attack on Microsoft to try and restore their reputation a bit? ("You see; even the NSA doesn't like Microsoft. Surely the NSA would like Microsoft if they had just rolled over?").

    Obviously the black helicopter.

    1. smudge

      Re: With all due respect..

      Absolutely. It's not the use of SharePoint, it's the fact that he had access to the data. He could've been using a snow shovel to move the data - that's irrelevant.

      Always assume that a sysadmin can - legitimately or otherwise - bypass any technical security in the system. Then assess and manage the risks accordingly.

      1. Anonymous Coward
        Anonymous Coward

        Re: With all due respect..

        It's the fact that he had access to the data.

        Perhaps it's that the data showed illegal activity and he let *that* be known.

    2. AlgoRythm

      Re: With all due respect..

      Actually sharepoint seems to distribute permissions much like a Santa in a Xmas parade. The hardest/best SA efforts to secure it are brought low when inexplicable hidden sticky permissions suddenly - and without logging - grant temporary admin permissions to clueless content contributors.

      I bet foreign intelligence operations had admin permissions to that host before the NSA senior managers could even smugly browse their first report.

      Forget Snowden...the idiots who bought Sharepoint for the NSA and the Microsoft sales weasels who lied through their teeth about the actual auditable security level of their product should be charged for aiding and abetting the enemy. Snowden at least was on the side of the public at large, while those weasels were operating purely for the sake of their greed or laziness.

      1. Anonymous Coward
        Anonymous Coward

        Re: With all due respect..

        "Actually sharepoint seems to distribute permissions much like a Santa in a Xmas parade. The hardest/best SA efforts to secure it are brought low when inexplicable hidden sticky permissions suddenly - and without logging - grant temporary admin permissions to clueless content contributors."

        SharePoint permissions are straightforward and easily managed. It would never 'grant temporary admin permissions' - either you gave them admin or you didn't. Logging is also up to you to enable / disable.

        i.e. this is purely a lack of basic competency on your behalf...

  7. Crazy Operations Guy

    "As you may know, sysadmins need removable media to do their job," Alexander said

    That is utter bullshit. Over 10 years of managing a datacenter and I've never needed removable media. I have a network boot server that is just loaded with the DaRT toolkit, WinPE and a bootable OpenBSD install. Anything that can be done with removable media can easily be done with network-based utilities.

    1. Anonymous Coward
      Anonymous Coward

      Re: "As you may know, sysadmins need removable media to do their job," Alexander said

      Yes, because I'd plug my Top Secret server into the internet too! Maybe they could use Dropbox...?

      1. Tomato42
        Boffin

        Re: "As you may know, sysadmins need removable media to do their job," Alexander said

        @AC: You need the ability to insert USB drives into machines before you set up the whole infrastructure. Once you have basic infrastructure in place, then you put Secret or Top Secret data in the network.

        Then you'd need to do it again only in the case of total network meltdown.

    2. TheVogon
      Mushroom

      Re: "As you may know, sysadmins need removable media to do their job," Alexander said

      Presumably NSA servers would have BitLocker enabled anyway, so removable media / physical access wouldn't make any difference without the correct security privileges....

    3. Anonymous Coward
      Anonymous Coward

      Re: "As you may know, sysadmins need removable media to do their job," Alexander said

      "Anything that can be done with removable media can easily be done with network-based utilities."

      Except when the network card is broken. Or disconnected. Or misconfigured. Or Boot from LAN is disabled, etc. etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: "As you may know, sysadmins need removable media to do their job," Alexander said

        Why would ANY of those situations require that you carry confidential information of the sort Snowden released on a USB stick? At MOST it'd be a boot image or maybe some drivers. Once the network connection is up the confidential data can be put back onto the server over EITHER a locked-tighter-than-a-gnat's-ass network connection or, if time is a factor and your internet connection's just not quick enough (or you suspect your LAN is compromised), by a trained and trusted team of specialists carrying a spare HDD or two in a magnesium-and-flashpaper case, drives that can be copied onto the computer locally and then dumped in the 'to be thermited' bin for immediate secure disposal.

      2. Crazy Operations Guy

        Re: "As you may know, sysadmins need removable media to do their job," Alexander said

        "Except when the network card is broken. Or disconnected. Or misconfigured. Or Boot from LAN is disabled, etc. etc."

        In any of those situations, all you'd need is a screwdriver, the keyboard or a network cable.

    4. oldcoder

      Re: "As you may know, sysadmins need removable media to do their job," Alexander said

      Obviously you don't do very much.

      Removable media is the only way to secure MS from network attacks.

      Removable media is used whenever there is more data than what will fit on disk...

      1. Anonymous Coward
        Anonymous Coward

        Re: "As you may know, sysadmins need removable media to do their job," Alexander said

        "Removable media is the only way to secure MS from network attacks"

        Erm - so what would something that has far more vulnerabilities - like Linux for instance - need then?

  8. Gus Fring

    "given the BuckShot Yankee penetration in 2008"

    Well played indeed Sir. Hip! Hip!

  9. John Smith 19 Gold badge
    Joke

    SharePoint gets lots of new free penetration testing.

    Now it's known at least one server has some goodies worth stealing.

    But seriously.

    Removable media support on NSA servers as standard?

    What does this organization do again?

  10. eLD

    Unpopular opinion

    I feel like I'm bucking the general trend here of the comments and about to be shot down. However, I actually agree with the NSA chap that the decision to use SharePoint was an extremely large reason for administrators being able to leak information.

    I know nothing about SharePoint administration so I am expecting to be shot down in flames, but I have just a few basic thoughts on how I might design a security focused collaboration tool. I'd probably ensure that all the content was stored and served up encrypted. There would obviously be no need for someone with root on the machines serving content to be able to see the unencrypted content for backup or permission related issues. I'd probably delegate the actual job of decrypting the content that was being served up for particular user tokens to separate servers with more restricted access that only managed decryption and re-encryption of "resource {token} stored on source {token} being requested by {token}" to separate out and simplify the authentication job and limit the attack surface of what actually matters if it is compromised. I'd also probably split up key storage into a number of different and disjoint fiefdoms under different control and use the academic research on byzantine generals problems to ensure that it required a majority of systems (and people) to be compromised before information was leaked beyond the intended targets.

    The point I'm trying to make is that the design of a secure system for the NSA would seem to be very different to (my imagination of) a simple Microsoft collaboration tool. It seems they were remiss in going for the easy option and not putting the possibility of spies at the heart of their IT policy. And thank god for that, now we know what we always suspected. :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Unpopular opinion

      Windows / SharePoint supports full delegation of access rights (unlike with Linux). So you can indeed give 'root' access without the user being able to access confidential data.

  11. Anonymous Coward
    Anonymous Coward

    Epic fail NSA!

    The problem doesn't really come from any technology people use. That's all about awareness and security management applied to the system. I've recently done a penetration test on an internal SharePoint environment for an international airport and seen there are lots of issues and threats the SharePoint administration team were making themselves. For example, the password is easily predictable. There is no policy of password complexity ever on that environment. Another example is the use of an all-in-one account for all things (services, server, whatever). They didn't apply the latest security updates for the SharePoint system. Well, bum! They absolutely failed in SharePoint security.

    I have to agree about what someone above said: "Not securing the system is a serious failure". Do have a plan for hardening SharePoint using an industry-accepted standard such as PCI DSS, penetration testing monthly or so on. Don't rely too much on the technology; looking into the human factors is worth spending some time on.

    -T.s

    1. Alan Brown Silver badge

      Re: Epic fail NSA!

      "The problem doesn't really come from any technology people use. That's all about awareness and security management applied to the system."

      The (flawed) assumption is that people with access to the systems have authorisation to do so.

      This same flawed assumption is seen in BGP4 - which has been locked down a lot in the last 20 years - and in the world's phone number routing system (which has not and is subject to repeated hijackings even today - if you think bank coverups of security botchups are common you haven't seen anything).

  12. Pseu Donyme

    "A huge break in trust and confidence"

    Indeed. Fortunately there was this chap with enviable integrity to blow the whistle on it.

    1. TXITMAN

      Re: "A huge break in trust and confidence"

      Secret laws, secret courts, and secret budgets equal tyranny. We need to charge and lock up the people that have taken our freedoms.

  13. Anonymous Coward
    Anonymous Coward

    Complete crap.

    So are they saying that NSA Hawaii isn't linked to the rest of the NSA? That's the only reason you'd need to have Bill and Ted copy content to a USB stick. I can't copy any content to a USB stick in my workplace, which isn't the NSA that's for sure. Don't want your content copied? Then wrap some IRM round it, turn off the USB ports, and any USB sticks given out are taken back and scanned for suspect content. Oh, if it is on your network you can move content between farms by publishing or even migrating content; plenty of tools to do that.

    And bill and ted still can't copy it to a USB stick.

    Don't blame the software cos you don't secure your content properly. Don't blame apps cos you never read security for dummies.

    Finally, the clue is in the name; it's called SharePoint for a reason.

  14. Henry Wertz 1 Gold badge

    Seems there are several problems...

    Seems to me there are several problems...

    Well, problem 0) Good thing the NSA is so lax with security so people got definitive evidence of their illegal and unconstitutional spying programs, instead of hints of their existence with people saying those who believed these hints needed a tin foil hat. Of course, most people still do not have the proper level of outrage here in the US, which is damned unfortunate.

    1) Yes, Sharepoint itself is a problem. It is extraordinarily hard to secure, and make sure it stays secure, compared to, well, any sane system. It's easy for Microsoft apologists to just say the admins hadn't set it up and admin'ed it right (which is true) but see AlgoRythm's post for insights into the kind of pain an organization brings itself by introducing Sharepoint in a high security environment. Don't get me wrong, any system could have been set up too laxly and permitted leaks like this.

    2) No, admins don't need removable devices to do their work. These systems should have had USB stick support disabled as far as I can tell. If there's some exceptional case, then the stick should be issued on site, and the admin shadowed until they relinquish the stick (which would then be erased and ready for next temporary use.)

    3) Of course, this lax security makes a good case for NSA's illegal and unconstitutional spying programs to be shut down... even if you're one of these weirdos who thinks NSA should be trusted to do whatever they want with no oversight whatsoever, to me this demonstrates that even if they have the best of intentions they are still not trustworthy enough to hold onto my private information.

    1. Anonymous Coward
      Anonymous Coward

      Re: Seems there are several problems...

      "It is extraordinarily hard to secure, and make sure it stays secure, compared to, well, any sane system"

      It's actually very easy, flexible and powerful to set permissions in Sharepoint. Just because you walked up to it without any training and expected to be able to do everything without RTFM doesn't make the product the failure here...

      1. danbi
        Thumb Down

        Re: Seems there are several problems...

        Please, AC. It has nothing to do with following the instructions in the manual. Also "very easy, flexible and powerful" has nothing to do with "secure".

        If you were so confident in what you say, you would not be a Coward, too.

    2. Anonymous Coward
      Anonymous Coward

      Re: Seems there are several problems...

      @Henry: Your post would have a lot more credibility if you didn't use expressions such as "Microsoft Apologist". It detracts from any message you are trying to get over with everyone except the most anti-microsoft, who were already there before you in any case.

      I use FOSS every day at home and work, I also use COTS from pretty much all major manufacturers. I saw the expression "Microsoft Apologist" and skipped to the reply button.

  15. Anonymous Coward
    Anonymous Coward

    Another Ballmer ballsup!

    Imagine if NSA gave their whole data center to M$soft! Xi Jinping sends his thanks and will stop by in Seattle with the cash.

  16. Don Jefe

    Contracting Core Competencies

    I hate buzz words, but in this case 'core competency' is very applicable. By definition the NSA gathers and keeps secrets, that is their job. The management of the systems, and their secrets, should never have been contracted out. That should have been handled by internal staff with proven loyalties, not handed off to what are, in effect, mercenaries.

    I'm not knocking contractors as a whole, I did my time too, but when you don't have the internal staff to manage what you've created something has gone terribly wrong.

    Something not discussed much in the whole NSA/Snowden mess is the catastrophic management failures inside the agency. If the core service they provide is so out of kilter I can only imagine how bad the unaccountable financial clusterfuck must be.

  17. JaitcH
    WTF?

    If Snowden was wrong about NSA operations ...

    why is the NSA reviewing its collection and storage of data and adopting the EU plan of common carriers doing the storage?

    Wonder what other Constitution breaches are under review?

    Snowden deserves a Nobel award for this, at least he is more deserving than Obama.

  18. Msnthrp
    Flame

    Amazing amount of BS

    Reading the comments, it seems only two commenters have any actual knowledge of what goes on at the NSA program. The remainder speak from their vast store of ignorance and ill will. Then there are the persons of such vastly superior intellect that they are able to interpret "unconstitutional and illegal" behavior better than SCOTUS and the FISA courts. And don't forget those whose response to others with whom they do not agree is always the infamous ad hominem attack.

    I seem to remember that the telephone company collects your phone call metadata and uses it to send you a bill. Some ISPs monitor your internet usage and send you a bill. NSA collects phone number, phone called, length of call. Stores it. At this point, it is No-Name data, less than your telephone companies gather. Some other authorized agency decides they need your data so they look in the PUBLIC telephone directory or get the address online, get the FISA court to authorize the release of data from NSA, and NSA complies with the court order. Linking a name to the metadata is done under court order, as is further processing.

    It would be physically impossible to actually listen to and record every telephone call and every internet message of everyone. How many zettabytes of storage would that require? How many people would be required to listen in to all conversations? Try to think logically for a change.

    As for Snowden, he has admitted he deliberately wormed his way into NSA in order to find evidence of things he did not like. That is almost the definition of a mole spy. He undoubtedly considers himself to be a righteous crusader. I consider him guilty of Treason.

    As Senator Moynihan said, you are entitled to your own opinion but not to your own facts.

    1. This post has been deleted by its author

    2. Don Jefe
      FAIL

      Re: Amazing amount of BS

      You, on the other hand, seem to be entitled to your own facts and your own brand of ad hominem tactics. Congratulations! I guess...

    3. Peter 82

      Re: Amazing amount of BS

      I've got two issues with your point of view and one issue with your "facts".

      Fact first. Any agency that needs info from NSA, or the NSA requesting info from its own servers, is not required to go through FISA more than once. This is because FISA has been granting over-wide "warrants". In the UK courts you are supposed to make a new request for surveillance type information for each "case" or "person of interest". FISA seems to have accepted "all info pertinent to the search for terrorists" as a valid request. No real limitations to this.

      I agree that no one is looking through all the data. I very much doubt that my phone calls/ internet searches/email are being read by anything more than the equivalent to Google's Spiders. However, the fact that they can (and probably are) looking at all of the phone calls and internet searches and related information that they can get their hands on for some people worries me. This is because I don't want the NSA to be looking for blackmail-able material for UK Judges, Journalists, politicians, company managers etc. Oh and their families (If I can't blackmail the PM, can I blackmail his cousin/nephew etc).

      TL;DR Just because my info is not of interest doesn't mean that the info they are looking at isn't actively detrimental to my life/sources of info/access to justice.

  19. This post has been deleted by its author

  20. ecofeco Silver badge
    Holmes

    Well, see, it has the word "share" in it, doesn't it?

    You are paid, how much, General Keith?

  21. John Latham

    The real letdown here...

    ...is that our Matrix/Minority Report-style tech fantasies are brought down by the crushing realisation that twelve years after 2001 the spooks are using the same annoying point-and-click shite inflicted on the rest of us.

    I haven't felt this demoralised since that woeful "THIS IS A UNIX SYSTEM" 3D file explorer in Jurassic Park.

    Green screens, 3D gesture recognition or GTFO.

    1. Anonymous Coward
      Anonymous Coward

      Re: The real letdown here...

      Are you suggesting that if everything was done on the command line, there would have been a problem?

      1. Anonymous Coward
        Anonymous Coward

        Re: The real letdown here...

        wouldn't have been a problem, that should have been...

        1. John Latham

          Re: The real letdown here...

          No, I'm not suggesting that. Let me try a different tack.

          In the 1940s we had Alan Turing and Colossus.

          Seventy years later we have Steve Ballmer and Sharepoint.

          Maybe this is a PSYOPs campaign designed to breed overconfidence in their enemies.

          1. Anonymous Coward
            Anonymous Coward

            Re: The real letdown here...Turing and Ballmer

            Other than that Alan Turing didn't work on Colossus and Steve Ballmer has never, I am sure, worked on Sharepoint, what is the connection?

  22. Anonymous Coward
    Anonymous Coward

    We need better vetting

    People like Snowden should not have been involved in the first place. The root cause for me is involving too many outsiders. The intelligence network should be tightly controlled like in the old days.

    1. Anonymous Coward
      Anonymous Coward

      Re: We need better vetting

      Yup, the good old days of Blunt, Burgess, Philby and Maclean. The British Establishment made sure that there weren't too many "outsiders", thus ensuring excellent security.

      When it really was a matter of national security, i.e. WW2, the "outsiders" who had to be recruited kept the secrets very well. The answer, of course, is to be unambiguously on the right side so that intelligent people who think a lot about things give you their support, instead of behaving like power mad toerags and upsetting them.

  23. Ian 62

    Working in pairs

    Didn't they force the East German guards patrolling The Wall to work in pairs?

    1. Anonymous Coward
      Coffee/keyboard

      Re: Working in pairs

      Yes, to prevent defections.

    2. Anonymous Coward
      Anonymous Coward

      Re: Working in pairs

      No, threes; one who could read, one who could write, and one to keep an eye on the two dangerous intellectuals.

      That is actually the root problem with things like the NSA and GCHQ: they want very intelligent people, but sadly these tend to come with the baggage of independent thinking skills.

  24. Brewster's Angle Grinder Silver badge

    The fascinating part of this thread is the war between Sharepoint admins. Either there are a lot of admins who can't properly configure the system or there are some complacent admins who think they've configured the system properly and don't realise the security is shot. I have never used it, so I have no idea which is true.

  25. Squander Two

    I would just like to say "I told you so."

    Because I totally did.

    http://forums.theregister.co.uk/forum/2/2013/07/04/born_on_the_4th_of_july_story/#c_1883552

  26. SPClover

    SharePoint isn't the problem

    As someone who works in SharePoint, SharePoint is not the problem. It is yet again, a problem of correct use of governance. When a company chooses not to use governance policies that align with SharePoint's built-in capabilities, they leave holes in their environments for things to happen. Don't blame it on the platform for user-error mistakes.
