NSA: NOBODY could stop Snowden – he was A SYSADMIN

The US National Security Agency may have some of the most sophisticated cyber-surveillance programs in the world, but it was trivial for former NSA contractor Edward Snowden to walk off with sensitive data, sources say, owing to the agency's antiquated internal security. "The [Defense Department] and especially NSA are known …

COMMENTS

  1. Mitoo Bobsworth
    Joke

    "The damage, on a scale of 1 to 10, is a 12."

    One better than Spinal Tap, innit?

    Next on The Reg - Will Nigel Tufnel go for 13?

    1. Quxy
      FAIL

      Embarrassment != Damage

      As Obama inadvertently pointed out, it's all about "our need to maintain the public trust"; which is almost completely unrelated to any immediate or potential danger to the citizens of the US, who these clowns are ostensibly elected to protect and support.

      1. Tom 13

        Re: Embarrassment != Damage

        Wrong. Just yesterday the Washington Post ran a story about amounts of money in the black budgets. They self-reported that they self-redacted from the raw files because of the damage it would cause to National Security. It pinpoints real weaknesses in intelligence gathering capabilities as well as where money has been spent on successes. All of this is classified for good reason. Now our adversaries have it. And loathe though you may be to admit it, for the most part our adversaries are your adversaries. They're just a little more focused on us because you aren't much of a threat to them at the moment. But if they can ever neutralize us, they'll be happy to go after you next.

        1. asdf

          Re: Embarrassment != Damage

          >And loathe though you may be to admit it, for the most part our adversaries are your adversaries.

          And loathe as I am to admit it, the only country talking about committing an act of war in the next few days is my own (the US). The "but they were all bad guys" argument may work with the right in the American public but makes the rest of the world not think of us as the good guys. The right also says we don't need the rest of the world only because they don't understand history.

          1. Maharg
            Mushroom

            Re: Embarrassment != Damage

            I think the reason us Brits are not backing the US on this one is not that we don’t think we should intervene in theory, but we just don’t want to support either the rebels or the government. We see it as a bit like Afghanistan in the 1980s with hindsight: yeah, the regime is bad, but we really don’t want another Taliban type government either, and you just know as soon as the West goes in Israel is going to get even more rockets landing on them, just because it's Israel.

        2. fajensen
          Angel

          Re: Embarrassment != Damage

          As a fureigner I enjoy the outrage of the American people when they learn that they are not, in fact, Special but are lumped into the same "probably terrorist"-bin as us Untermenschen!

          The funniest thing about Snowden is that while everyone is wailing about what he "took", nobody is bothered about what he put in ... and data integrity and stuff.

          Maybe that too will come when the NSA personnel file accidentally goes on the "no-fly" or "murder by SWAT"-list.

        3. richard mullens

          Re: Embarrassment != Damage

          Snowden blew the whistle on the dirty tricks our governments get up to and for that we should be grateful. It goes without saying that the activities of the state are directed at the people. Little do they care if there is a terrorist outrage, rather it gives them the excuse to watch everybody more closely.

          We can only hope that more of this dirt on our governments is exposed.

    2. LarsG
      Meh

      On a Scale of 1-10?

      What he spilled the beans on was maybe 2-3 on a scale of 1-10.

      The real stuff, the 10 on a scale of 1-10 is never put onto a computer, it's the stuff that is never recorded, never talked about and never minuted in the meetings.

      Don't kid yourself that Snowden is that important, he is an embarrassment and an irritation but would never have had access to the real subterfuge that goes on in Government.

    3. g e
      Holmes

      Re: "The damage, on a scale of 1 to 10, is a 12."

      However their security (you know, the 'S' in NSA) incompetence on a scale of 1-10 is a 25.

    4. Anonymous Coward
      Anonymous Coward

      Re: "The damage, on a scale of 1 to 10, is a 12."

      "The damage, on a scale of 1 to 10, is a 12."

      OMG, THAT'S 120% DAMAGE OMG OMG OMG

    5. Version 1.0 Silver badge
      IT Angle

      Re: "The damage, on a scale of 1 to 10, is a 12."

      Interesting though, that for all the head-banging and wailing from the governments, nobody seems to have been fired for creating the mess ... somebody must have been in charge of Snowden, somebody must have been responsible for the system configuration and permissions?

      1. Solmyr ibn Wali Barad

        Re: "The damage, on a scale of 1 to 10, is a 12."

        "somebody must have been responsible"

        For pissing off the BOFH? Indeed.

        1. Monkey Bob
          Thumb Up

          Re: "The damage, on a scale of 1 to 10, is a 12."

          Is it too late for a "BOFH of the year" award?

          Or too early?

          1. Charles Manning

            The precedent has been set

            If Obama could get the Nobel Peace Prize a few minutes after donning the magic cape, then Snowden can surely get BOFH of the millennium right now.

  2. Nate Amsden

    wonder what kind of systems

    they have? I suppose a mix of all kinds..

    I remember getting pissed off at NT and other Windows versions for blocking access to files when I was an admin. I mean if I have rights to edit the files to give myself access just let me alter the #$@# file. On the same note I have never used ACLs on *nix, and always turn off SELinux. Would you believe it, I've never been hacked in nearly 15 years? (Other systems that I inherited have been compromised, though the fault was never mine -- I suppose one hack I was responsible for: I talked a friend into switching his FreeBSD box from telnet to SSH back in 2001; about 9 months later he was hacked via an ssh exploit.) Shocking I know.. it's not that hard though. It helps a lot to not be a high value target to begin with!!

    One of my friends a long time ago told me how Netware was even more strict, files could be locked down so admins could not read them (or edit ACLs etc), and there was a special backup user for the tape backups that had access to the files, then I suppose the tapes were encrypted or something so they couldn't be restored to another system and read that way.. I dunno.

    I never want to work for such an institution. It just makes the job more frustrating. Myself I don't care about the data, I have no interest in stealing it, there's no value there for me personally. I've never had an interest to open "salaries.xls" or whatever, I don't care what is in there. I don't know why; I just don't. It's not that I am secretly trying to be honest and not take it - I really don't care. I'll store it on the storage, back it up, whatever. The only time I may open it is if someone asks or if it's causing a problem for some reason.

    Fortunately I haven't dealt with internal IT in more than a decade so that hasn't been my problem for a long time. Now the data I have dealt with since generally is more valuable (customer data), but again I really have no interest in stealing it. The only data I have interest in is the stuff I make myself (scripts etc). Some companies like to try to lay claim to such things (none I have worked for have ever tried/cared - they benefit greatly as not having to start from scratch each time dramatically accelerates results).

    I am surprised that the NSA stuff was not more locked down, the means Snowden used to access it seems pretty basic (not "brilliant", as one commenter on another article on Slashdot said).

    If I were in Snowden's position (at the time he took the data) I'm not sure what I would do.. hard to imagine ever being in that situation to begin with; I can't imagine ever working for a big institution of any kind for any price. I suspect I wouldn't take the data, because I wouldn't care enough to look to see what is there to begin with.

    Though I do commend him for doing what he did I think it was wonderful.

    1. Anonymous Coward
      Facepalm

      Re: wonder what kind of systems

      You'd think that the NSA would have a system of compartmentalization, but I guess not.

      Oh well, the citizens of the world are better off as a result. At least now we are getting a decent idea of what the NSA is technologically and ethically capable of....

    2. This post has been deleted by its author

    3. Andraž 'ruskie' Levstik

      Re: wonder what kind of systems

      I agree with you on that. I don't care what's in the users data. For me it's data that just needs to be maintained there and that's that.

    4. Anonymous Coward
      Anonymous Coward

      Re: wonder what kind of systems

      I did once find "Executive Salaries.xls", left on the Xerox machine at a former company. I made a few copies and left them on peoples' desks.

      It was fun watching the ensuing sh*tstorm. They never traced it back to me.

      1. Tom 7

        Re: wonder what kind of systems

        When I worked at Martlesham Heath there was a whole floor dedicated to .... well who knows?

        Actually it was easy to find out when they used our line printer for their top secret security manual.

        Security is easy to implement - you just shoot all the managers who want everything done now rather than securely. Fortunately that's all of them.

    5. Michael Wojcik Silver badge

      Re: wonder what kind of systems

      I remember getting pissed off at NT and other windows versions for blocking access to files when I was an admin.

      That's why one of the first principles of information security is "don't grant elevated privileges to people who don't care about security".

      Of course, another one is "don't give employees of contractors elevated privileges on your sensitive systems". And even before that, "don't use discretionary access controls for compartmentalized data".

      The NSA has compartmentalized data. Using any sort of DAC mechanism - rather than MACs or other formal enforcement approach - is irreparably broken from the start. Storing compartmentalized data on systems that rely on DACs is irreparably broken. Storing it on systems that have the concept of "unlimited privilege" sysadmins is irreparably broken.

      It's the same old story. For economic reasons (procurement costs and user acceptance) the NSA is using completely unsuitable systems for its data. Snowden is a symptom, not a cause. Closing this barn door won't help regardless of where the horse is, because the barn is only notional - just an agreement among the sysadmins to play nice.

  3. Anonymous Coward
    Anonymous Coward

    So much for...

    ...positive vetting over there.

    1. Richard Jones 1
      Unhappy

      Re: So much for...

      I have to agree with you. The rubbish vetting of contractors and staff along with allowing a near 'open door' policy to data security appears 'unwise'.

      We have seen some of what one Snowden has done, how many other odd ball things have happened and are still happening? Can any of the data be trusted? The released or unreleased data are all now suspect.

      How much of the data collection activity has been screwed up and tainted by those who have not yet been found or, perhaps more importantly, ensure they are not found out doing what they are doing?

      It is fine for all those 'we should have no secrets' types to wave their flags, though perhaps not so wonderful when you or yours get blown up or gunned down because no one could look.

      How many fully legitimate investigations have been blown off course because a rogue employee with the key to the magic kingdom decided to protect a 'friend' or even worse implicate an innocent party? That innocent party could be anyone anywhere.

      Data abuse is a multi-way highway, travelled by many dirty feet.

  4. Yet Another Anonymous coward Silver badge

    In response

    The NSA is removing the 'A' key from keyboards to prevent people logging in as administrator.

    1. dssf

      Re: In response to "A" Key Removal..

      Couldn't one who is quite skilled, without even being brilliant, just enter control codes or such to replace the missing "A" key from the keyboard? Or, add to the system, a file containing the necessary executable/binary, and with escalated privileges, traverse, hop, skip, and jump along and do login?

      Just asking...

      1. Don Jefe

        Re: In response to "A" Key Removal..

        You're probably right. Someone with the right skill set probably could overcome the lack of an 'A' key. The only way to prevent this would be for government to hire drooling thickwits for most roles.

        Although it kind of looks like they're well on their way to implementing such a policy if Snowden's boss really granted him unlimited access. Maybe all those 'A' keys will be safe after all.

        1. Khaptain Silver badge
          Coat

          Re: In response to "A" Key Removal..

          If the NSA saw someone overcoming the lack of the 'A' key problem then they would probably take the next step up and remove the mouse so that the user could not click on the "Ok" button.

          1. Peter2 Silver badge

            Re: In response to "A" Key Removal..

            Start-> Run->OSK->Ok (or just go through the start menu if you haven't a keyboard at all)

            Press "A" on the Virtual Keyboard.

            Right bloody skillset indeed!

            1. the spectacularly refined chap
              FAIL

              Re: In response to "A" Key Removal..

              Start-> Run->OSK->Ok (or just go through the start menu if you haven't a keyboard at all)

              But where is the Start button on the login screen? It's still easy enough to work around - it was clearly intended as tongue in cheek after all. However, suggesting one method that doesn't work is plain retarded.

        2. Dan 55 Silver badge
          Black Helicopters

          Re: In response to "A" Key Removal..

          This "drooling thickwit for most government roles" policy was started several years back and is being rolled out in a top-down fashion. I'm afraid I can't say anything else at this time.

      2. Anonymous Coward
        Holmes

        Re: In response to "A" Key Removal..

        No need for big skills - I found myself on a PC whose keyboard was lacking a letter once, then I simply copied it from another text (Ctrl-C) and pasted it (Ctrl-V) every time it was needed...

      3. Thomas Whipp

        Re: In response to "A" Key Removal..

        I know someone at university in the late '90s who managed to get a cursor-left ASCII code into their password this way on the basis that if anyone keylogged him it would overwrite the previous character and he'd still be secure.

        Almost as nice as the guy who wrote a PostScript fractal generator which locked a printer for about 8 hours when sent.

    2. Colin Miller

      Re: In response

      Or hold down Alt and type '65' or '97' on the numerical keypad (assuming you're running MS-Windows from NT onwards).

      1. Michael H.F. Wilkinson Silver badge
        Coat

        Re: In response

        The NS did it lre dy to my workst tion

        De ry me, time for me co t

    3. Andy Gates

      Re: In response

      But then how could they enter their Password1 ?

    4. Mostor Astrakan

      Re: In response

      On direct orders from President Obm.

    5. Allan George Dyer

      Re: In response

      And in tomorrow's news, following new leaks, they are also removing the Alt key and numeric keypad.

  5. Alan Hargreaves

    access to documents by unix/linux credentials only?

    I'm sorry, I have to call b*llsh*t on this.

    Any database system worth its salt relies on db specific credentials, simply being root (or any user for that matter) should be absolutely insufficient to access anything in a secured database. One would hope that such a place as the three letter agencies would require authentication against the database application before providing anything classified.

    I find it beyond belief that such agencies would work in any other way. In which case, Snowden actually *had* the appropriate levels of access to the data and we're trying to be sold something to cover that up.

    alan.

    1. Don Jefe

      Re: access to documents by unix/linux credentials only?

      I don't know, they can't even search their own emails:

      http://gawker.com/the-nsa-can-search-everybodys-email-but-its-own-882431239

    2. Flat Phillip
      Facepalm

      Re: access to documents by unix/linux credentials only?

      "Any database system worth its salt relies on db specific credentials"

      You mean, like sharepoint?

      I think that's your answer right there.

    3. Jellied Eel Silver badge
      WTF?

      Re: access to documents by unix/linux credentials only?

      I don't get the credentials, or lack thereof. If the data's encrypted on the system/server, a sysadmin can fiddle to their hearts content. They could move stuff with a memory stick, but unless they could decrypt it, they couldn't leak it. It's harder to manage, but surely a lot more secure?

    4. Duncan Macdonald

      Re: access to documents by unix/linux credentials only?

      With root access it is possible to totally bypass the security on any database by using disk block access to the underlying data files. (Or an easier method - make the backup procedure make a copy of the database somewhere else on the disk - set that up as an instance and give yourself full access to the copy.)

      In older Oracle databases (I only worked on versions 5,6,7), it was easy as a system administrator to get access to the Oracle SYS and SYSTEM accounts or to set up an OPS$ account. Once you have access then adding an account (or modifying an existing one) with the READ ALL TABLES privilege (and any specific extra tokens needed to access a specific table) is trivial. Again with Oracle, one of the standard procedures that would be done from time to time is a full database export. The export file is ASCII text with no internal protection - if data is stored unencrypted in a database then it is unencrypted text in the export file. Note also that as a system administrator it is usually easy to define or modify where exception reports are sent so if accessing a table raises a flag then the flag can be made ineffective.

      Remember - all databases have a backdoor built in to recover from the case where the admin password has been lost - with Oracle it was SQLDBA (at least in versions 5,6,7). With SQLDBA it was possible to change the password for any user or to add a new user with any desired privilege.

      1. Pirate Dave Silver badge
        Pirate

        Backdoors

        It would have been ironic if Snowden had used the supposed NSA backdoor into Windows to break into the NSA's own computers to steal NSA documents. Since he was a sysadmin, it wasn't necessary, but it would have been a bit of sweet justice and lots of LOLs if he had...

    5. Anonymous Coward
      Anonymous Coward

      Re: access to documents by unix/linux credentials only?

      The way I read the article that is how it was separated. He had complete access to copy the data files. To access the data he was using other people's database IDs. What isn't clear to me is whether or not he was granted permission to create/reset database IDs. Frankly, it wouldn't surprise me if they had.

      Government IT security is a sad state of affairs. They seem mostly concerned about whether or not the check marks are in the correct boxes on the forms, not the extent to which good practices are being followed. Or even if the alleged good practices truly are good practices. They'll force you to change each of your ten passwords once every 30 days (different rule sets for each) but won't lock down USB ports for stick drives or forget to buy cable locks for laptops. One place I was at wouldn't let you email the fully dotted quad of a non-routable ip address but were fine with you emailing a MAC address.

      1. pixl97
        Boffin

        Re: access to documents by unix/linux credentials only?

        >One place I was at wouldn't let you email the fully dotted quad of a non-routable ip address but were fine with you emailing a MAC address.

        I bet you'd blow their mind if you told them you could convert an IP to decimal format.

        IPv4: 192.168.10.10

        Decimal: 3232238090

        Crafty people always have a way of getting around dumb policies.
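        As an added example (not code from any commenter), the conversion pixl97 describes in both directions, plus a small normaliser a mail or DLP filter could use to spot a private address whatever notation it is written in; the sample lines are constructed and the broad decimal pattern is an assumption noted in the comments.

```python
import ipaddress
import re

# Constructed sample text: the same private address written in dotted-quad,
# plain-decimal and hexadecimal form, plus a line with no address at all.
SAMPLE_LINES = [
    "gateway is 192.168.10.10 on the lab VLAN",
    "gateway is 3232238090 on the lab VLAN",
    "gateway is 0xC0A80A0A on the lab VLAN",
    "ticket 4521 escalated, nothing else to report",
]


def dotted_to_decimal(addr: str) -> int:
    """192.168.10.10 -> 3232238090 (the conversion the comment describes)."""
    return int(ipaddress.IPv4Address(addr))


def decimal_to_dotted(value: int) -> str:
    """3232238090 -> 192.168.10.10 (the reverse, used to normalise matches)."""
    return str(ipaddress.IPv4Address(value))


# Candidate patterns. The decimal pattern is deliberately wide (8-10 digits)
# and will also match ticket numbers and the like; those are dropped below
# when they do not decode to an address in the ranges we care about.
DOTTED_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DECIMAL_RE = re.compile(r"\b\d{8,10}\b")
HEX_RE = re.compile(r"\b0[xX][0-9a-fA-F]{7,8}\b")


def _candidates(text: str):
    """Yield every token that could encode an IPv4 address, as an int."""
    for m in DOTTED_RE.finditer(text):
        try:
            yield int(ipaddress.IPv4Address(m.group()))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 looks like a quad but is not an address
    for m in DECIMAL_RE.finditer(text):
        n = int(m.group())
        if n <= 0xFFFFFFFF:  # anything larger cannot be a 32-bit address
            yield n
    for m in HEX_RE.finditer(text):
        yield int(m.group(), 16)


def find_private_addresses(text: str) -> list:
    """Return private (RFC 1918 and similar) IPv4 addresses found in the text,
    in canonical dotted form, whatever notation they were written in,
    de-duplicated in the order found."""
    found = []
    for n in _candidates(text):
        addr = ipaddress.IPv4Address(n)
        dotted = str(addr)
        if addr.is_private and dotted not in found:
            found.append(dotted)
    return found


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r:50} -> {find_private_addresses(line)}")
```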

    6. Anonymous Coward
      Anonymous Coward

      Re: access to documents by unix/linux credentials only?

      My personal experience as both a Unix admin and a DBA tells me that you are wrong. Here's the thing. That database has to run as a system user, generally one with reduced privileges.

      For example, let's say the Unix username the database runs under is "oracle".

      As a system administrator, I have access to the Unix "root" account. I actually need it to do my job. This user, by definition, has the right to become other users. This is necessary for the OS and its security features to work right, so it can't be easily disabled. So I just switch user to "oracle" then start the CLI for my database. Voila, access to pretty much everything stored in it.

      Same goes for files stored in file servers (you appear to think it's all in one uber application. Word and excel documents probably get used a lot more) because hey, it's his JOB to make sure the files are OK and not going to vanish due to a failing hard drive.

  6. Don Jefe
    Meh

    Dealing With The Devil

    So we know MS took in millions for their dealings with the NSA, but I wonder if that is biting them in the ass now? Even though Snowden's boss appears to have greatly contributed to the problem, it sure doesn't look good for SharePoint.

    If I still sold software I'd be dreading every phone call and email from prospective SharePoint clients who wanted to know why the system was so insecure that a low level admin could snag documents from his superiors. Customers don't want to hear technical details; they get fixated on the end result. The end result here is the system allowed a serious (12!) security breach and that's all the customer will hear.

    Serves MS right for dealing with the devil, selling their countrymen out and using my tax dollars to do it. I know they probably didn't have a choice but to cooperate, but I can still be pissed that they did.

    1. Anonymous Coward
      Anonymous Coward

      Re: Dealing With The Devil

      Except that you're mixing reporting superiors with technical superiors. As a System Admin, Snowden was at the top of the technical chain.

      What has happened with government IT work is the technical work has been separated from the management responsibilities and the technical work is contracted out. That way when the manager makes a frelled decision they can fire the contractors without a complicated exit process.

      What's really needed is the computer equivalent of the two person rule for banks handling money. And I hear even that is typically expanded to a three person rule with one of the three never touching the cash.

  7. dssf

    "The NSA is reportedly only now piecing together the exact steps Snowden took to infiltrate its systems, including identifying specific users whose accounts he used to access documents. But there's no clear paper trail – investigators are said to be looking for red-flag discrepancies, such as accounts that were accessed while their owners were on vacation.

    Once he began collecting documents, Snowden was surely also emboldened by the fact that, as a contractor working for Booz Allen Hamilton in Hawaii, he never once needed to set foot in NSA headquarters. Instead, he could access the files he wanted from a computer terminal some 5,000 miles away."

    How about also looking for multiple and concurrently-used logins? Someone could be on vacation and legitimately be accessing a file under orders (not to work for more than 20 minutes, but to open a file and relate or communicate some critical number or name or term, then log off and resume vacation)?

    How about if the Snarget (SnowdenTarget) is in a protracted meeting that surely is likely to involve being logged on to access training, reporting, or other reports? That person might legitimately be granted by IT 3 or 4 concurrent logins, crossing various zones, regions, buildings, and so on, either under one login name, or a login name but with different passwords, or different login names (to obscure WHICH employee is accessing files when a security breach cannot be allowed to show how much deep access a director has, say) and different passwords.

    Now, if the Snarget is in that meeting, and no alarms/tripwires are in effect, and if Snowden or a Snow-a-Like knows this and exploits it, it might be hard to prove who was doing what -- well, until enough auditors go over all the logins and parse them via a database. The database query might be as simple as (in lay language, not structured query language):

    -- Get access info on the files known to be compromised

    -- find the intermediate and presumed origin (travel path) of credentials/tokens/logins used to get to the files

    -- find the servers that passed on/forwarded these credentials

    -- display the time zones, normal working hours, and workstation locations for the user accounts involved

    -- display the HR records showing valid work hours of the user accounts involved

    -- display the Payroll records of the user accounts involved (to find terms, actuals, and non-hidden "consultants" and informants, etc)

    -- display the IT credentials/rights/escalated privileges histories

    -- find banking and one-time payee records of user accounts for active and termed accounts

    -- correlate all and look for anomalies for unions/sets related to NSA and NSA-contractors and NSA-approved "special login entities" (stools, triple agents, and similars)

    -- correlate all with IT repair jobs and locate which data scrubs of sensitive hardware have two or three-person control/integrity/wipe/destruction verification

    -- interview/debrief all involved user accounts and nearby workspace colleagues for "intel" not in a database, about James Snond (Snowden/Bond)
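    As an added example (not the poster's code), a small Python audit script that implements two of the checks above, the article's "accessed while on vacation" discrepancy and the poster's concurrent-login check, over constructed login and HR leave records; the site labels are invented and the inclusive leave-day handling is an assumption.

```python
from datetime import datetime
from itertools import combinations

FMT = "%Y-%m-%d %H:%M"

# Constructed sample login records: (account, source site, start, end).
# "hq" and "remote" are invented labels, not real locations.
SESSIONS = [
    ("alice", "hq",     "2013-05-20 09:00", "2013-05-20 17:00"),
    ("alice", "remote", "2013-05-20 10:30", "2013-05-20 11:00"),  # overlaps, other site
    ("bob",   "hq",     "2013-05-21 08:00", "2013-05-21 16:00"),  # bob is on leave
    ("carol", "hq",     "2013-05-22 13:00", "2013-05-22 13:20"),
    ("carol", "hq",     "2013-05-22 13:10", "2013-05-22 14:00"),  # overlap, same site
]

# Constructed HR leave records: (account, first day, last day), both inclusive.
LEAVE = [("bob", "2013-05-18", "2013-05-25")]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, FMT)


def sessions_during_leave(sessions, leave):
    """Logins by an account while HR records its owner as on leave.

    These are leads, not proof: the poster notes a legitimate user may be
    asked to log in briefly from holiday, so each hit still needs review."""
    findings = []
    for acct, first, last in leave:
        leave_start = _ts(first + " 00:00")
        leave_end = _ts(last + " 23:59")
        for a, site, start, end in sessions:
            if a == acct and _ts(start) <= leave_end and _ts(end) >= leave_start:
                findings.append((a, site, start))
    return findings


def concurrent_from_different_sites(sessions):
    """One account logged in at the same time from two different sites.

    Overlapping sessions from the same site are ignored: a second window
    from the user's own desk is the ordinary multi-login case the poster
    describes, and flagging it would bury the real anomalies."""
    by_account = {}
    for rec in sessions:
        by_account.setdefault(rec[0], []).append(rec)
    findings = []
    for acct, recs in by_account.items():
        for (_, site1, a1, b1), (_, site2, a2, b2) in combinations(recs, 2):
            if site1 == site2:
                continue
            # Two intervals overlap when each starts before the other ends.
            if _ts(a1) < _ts(b2) and _ts(a2) < _ts(b1):
                overlap_from = max(_ts(a1), _ts(a2)).strftime(FMT)
                findings.append((acct, site1, site2, overlap_from))
    return findings


if __name__ == "__main__":
    for hit in sessions_during_leave(SESSIONS, LEAVE):
        print("login during recorded leave:", hit)
    for hit in concurrent_from_different_sites(SESSIONS):
        print("concurrent logins from different sites:", hit)
```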

    1. pixl97

      My guess on why they are having a hard time tracking Snowden in the audits... All the system admins were doing similar profile sharing/switching just to get the system to work. It's really easy to track an anomaly traversing a system, but when the anomalous behavior is standard procedure they may never be able to figure out exactly what happened.

  8. dssf

    BTW, if the NSA allowed "Tor" or similar systems to do remote login

    BTW, if the NSA allowed "Tor" or similar systems to do remote login, or used things like "Go To My PC" from virtually ghosty nodes, and relies solely on embedded, interspersed, synchronous and asynchronous creds (maybe some quantum-computer-like stuff), then all bets potentially could be off.

    If Snowden worked alone, and bypassed quantum-like creds filtering, then, possibly he IS a genius. But, and this is a huge but, if he had an accomplice, a deeply sympathetic one, then things may get ugly really fast -- assuming they knew the breech/breach (both spellings) would be investigated, the only thing they could possibly resort to doing would be to put in system-wide account-compromising accesses and maybe even a few time bombs to make the investigation painful and take 10-20 years to unravel, in which case, Snond and his Mr/Mrs Punneymini might have lived those 10-20 years quietly and carefully, since everyone in the organization would be so compromised that most of them would have to be fired, not even transferred or even demoted. Just binned, without prejudice, which might mean some handsome severance packages in the event that no prospective employer would be interested in hiring such terminated people.

    Sucks all the way around -- except for those possibly receiving without-prejudice termination packages to retire and never apply for another Intel or SysAdmin job in this lifetime....

    Holes like that can be costly, painful, and destructive to any nation's national security efforts. Effectively, Snond and any involved accomplices may have for some time caused NSA to mean "Negated, Sieved, Abattoired" until they plug the leaks, loopholes, and locks better.

    1. Don Jefe
      Meh

      Re: BTW, if the NSA allowed "Tor" or similar systems to do remote login

      Snowden was a contractor, as was/is his direct report boss, who appears to have colluded with Snowden only in that he was lazy and granted far too broad of access. Presumably to save himself the hassle of doing some things himself.

      The contractor part is important to your comment as those who lose their NSA positions might be assigned a new role at Booz Allen but in all likelihood will just be terminated with no severance. I was once part of a contractor team (not with Booz Allen) on an IRS project that was binned and we were binned the next day with nothing to show for it.

      I also just realized that the media has stopped mentioning Booz Allen as being at the center of all this. I wonder why? Their practices and hiring/screening policies seem to leave a lot to be desired and they're major govt contractors so their staff is everywhere. There's been nary a mention of them in weeks.

      1. Anonymous Dutch Coward
        Meh

        Re: BTW, if the NSA allowed "Tor" or similar systems to do remote login

        Why lay the blame for the hiring/screening policies only at the contractor - it's the NSA who should have stipulated *and enforced* good policies (and practice!) by the contractor...

        1. Don Jefe

          Re: BTW, if the NSA allowed "Tor" or similar systems to do remote login

          Because Booz Allen is also who does a huge percentage of the vetting for security clearances. They are one of, if not the largest, provider of those services to the Federal government, who outsourced it all nearly 15 years ago. They get to vet the candidate then hire and place them into their contracts.

          It is all too cozy and rife with problems stemming from decisions based on 'financial efficiency'. It is cheaper to hire someone you've already vetted and kill several birds with one stone, than it is to keep hunting for the 'perfect' candidate. They've got contracts to fulfill and they need bodies in seats to keep the money rolling in.

      2. Anonymous Coward
        Anonymous Coward

        Re: hiring/screening policies seem to leave a lot to be desired

        Booz Allen is only responsible for their internal practices. The government is responsible for the rest. Still falls to the government.

        I'm not dealing with information half as confidential as the IRS let alone the NSA, and none of the permissions are granted by actual feds. We get little pieces of paper authorizing us to grant access to others. Which means we've got access to it all and it's all dependent on trust. The feds never touch the actual systems themselves.

  9. JaitcH
    WTF?

    Chelsea Manning and Edward Snowden should be ...

    nominated for the Nobel Peace Prize. If Obama can get one, these two deserve it for their real personal sacrifices.

    As for techs having access - this has always been the case. In my younger days I was a technician involved with Autovon, and similar systems, and the techs could always go where others couldn't. Many was the time when a scramble-egg bedecked military type would ask for a favour, like making calls home using my access.

    We even used to go to microwave sites, jack in our test equipment with the security types busy trying to figure out who we were with no ID showing on their screens.

    Now we have cell system test sets ...

    1. tom dial Silver badge

      Re: Chelsea Manning and Edward Snowden should be ...

      "... nominated for the Nobel Peace Prize."

      Why? Exactly what has either one done that advances the cause of world peace?

      1. Khaptain Silver badge

        Re: Chelsea Manning and Edward Snowden should be ...

        They have temporarily slowed down the American Big Brother invasion. They have brought to light, with proof, of the virus that is known as Prism.

        Which is far more than Barack Obama has ever done. Barack should have won the Nobel prize for being a "Weasel".

        1. Anonymous Coward
          Anonymous Coward

          Re: Chelsea Manning and Edward Snowden should be ...

          Regarding Obama and weasels as equivalent is unfair to weasels.

        2. Anonymous Coward
          Anonymous Coward

          Re: Chelsea Manning and Edward Snowden should be ...

          "Why? Exactly what has either one done that advances the cause of world peace?"

          "They have temporarily slowed down the American Big Brother invasion. They have brought to light, with proof, of the virus that is known as Prism."

          Neither of which are in the criteria for awarding the Nobel Peace Prize. You might as well give it to Justin Bieber for having pretty hair.

          Nobel Peace Prize awarded according to criteria defined here;

          http://www.nobelprize.org/nobel_prizes/peace/

        3. tom dial Silver badge

          Re: Chelsea Manning and Edward Snowden should be ...

          Expose U. S. war awfulness, and diplomatic and NSA activities ... "slows down American Big Brother invasion"

          There seem to be quite a few missing steps here; it would be nice if you provided a bit more detail as to just how that follows, or indeed if it does. Bashar al-Assad might be inclined to doubt it.

          Most people who paid attention to such matters were completely unsurprised by either set of revelations. And just which invasion would that be?

          No dispute about giving it to Barack Obama, though; it ought to be awarded for accomplishments, not speculation based on campaign messages.

          1. Khaptain Silver badge

            Re: Chelsea Manning and Edward Snowden should be ...

            There seem to be quite a few missing steps here;

            Bringing proof to the table makes a lot of difference; we are no longer in speculative mode

            * This makes for embarrassing situations for candidates/senators etc. Therefore they will begin to think twice about the outcome, votes become scarcer therefore funding becomes scarcer.

            * All the bad publicity has to be undone, this takes time and money.

            * Overseas clients become reluctant about dealing with the US (I had an example at work today where a future client asked if any of their data would be stored in the USA; the client mentioned that he would not accept our offer if it had been (we are a large international company so his question was valid)). Again this has the potential of costing real money for the Americans.

            * People lose faith; again this has to be built back up again, yet more money.

            * Barack Obama now looks like a fool, the next president will have to be twice as careful, this takes time and time is money.....

            And so the list goes on; at every step, money quickly becomes a limiting factor, losing trade or international trust is a major faux pas, new deals have to be struck, equipment has to be changed etc etc etc.

            All of this in its own way helps slow down the machine.... America might like to believe that it can do what it wants but unfortunately for them it doesn't quite work that way; karma is a bastard when it comes knocking.

            As far as Bashar Al Assad is concerned, he probably couldn't give a f**k. He is going to get invaded one way or other by the Saudis or the UN.... He has known he is going to get shafted for quite some time....

            1. tom dial Silver badge

              Re: Chelsea Manning and Edward Snowden should be ...

              None of the items listed contributes materially to world peace.

              * The typical U. S. officeholder or candidate is practically incapable of experiencing embarrassment - e. g., Anthony Weiner. The great revelations doubtless will bring some change, but the degree of such change is not likely to be large, nor is the defense budget likely to be measurably smaller based on shortening NSA's leash. Any shrinkage will result from continuing withdrawal from Afghanistan and general budget negotiations.

              * It is well known that one way some governments under stress handle internal problems is by foreign adventurism, as described humorously in the movie "Wag the Dog". The principle is pertinent also to the final two items offered as evidence. Not that the US ever would do that, of course.

              * It is not obvious whether, or to what degree, non-US clients actually can do better unless they and their data are contained entirely within an area that does not include the US, Canada, Great Britain, Australia, and New Zealand, all of whom participate to a greater or lesser degree in XKeyscore data capture; and unless their solution does not involve in any significant way a US company subject to US laws. What are the remaining alternatives? Is China an alternative, or Russia? Switzerland might be a reasonable choice, or Iceland, but can anyone say for sure that NSA or GCHQ don't have taps on the lines there? I don't have a lot of respect for management that thinks placing data outside the US assures them of its integrity.

          2. Britt Johnston
            Trollface

            Re: Obama deserved the peace prize...

            for displacing G.W.Bush, the first American President to start two wars and finish none.

  10. Mikel

    An unvetted temporary contractor sysadmin?

    This is how they do security? And Sharepoint.... what would the point of a content management system named Sharepoint be?

    1. JMiles
      Devil

      Re: An unvetted temporary contractor sysadmin?

      Well the NSA must have been aware of Microsoft's usual incompetence so expected 'sharepoint' to do anything but. Guess Microsoft didn't drop the ball for once.

  11. tapanit
    Pint

    Sysadmins are hard to stop...

    Mandatory xkcd reference: https://xkcd.com/705/

  12. deadlockvictim

    SA

    I came across a nice quote from Brent Ozar that is highly relevant here [1]:

    Right up there with data integrity, security's really important.

    Who else has sysadmin or securityadmin rights on this instance?

    I care about securityadmin users because they can add themselves to the SA

    role at any time to do their dirty work, then remove themselves back out.

    Don't think of them as other sysadmins.

    Think of them as users who can get you fired.

    [1] http://www.brentozar.com/blitz/security-sysadmins/
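    The check that quote implies, as an added example that is not from the post, the linked article or Brent Ozar's own sp_Blitz: a T-SQL query that lists every login holding the sysadmin or securityadmin fixed server role, plus any login granted CONTROL SERVER directly, since that permission is sysadmin in all but name. It assumes SQL Server 2005 or later, where the catalog views sys.server_principals, sys.server_role_members and sys.server_permissions exist; no login names are assumed, the output is whatever the instance holds.

```sql
-- Added example: who can act as SA on this instance, directly or one step away.
-- Assumes SQL Server 2005+ (sys.server_principals / sys.server_role_members).
-- Microsoft's own documentation says securityadmin should be treated as
-- equivalent to sysadmin, which is the point the quoted post is making.
SELECT
    r.name        AS server_role,
    m.name        AS member_login,
    m.type_desc   AS member_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP ...
    m.is_disabled,
    CASE
        WHEN r.name = 'securityadmin'
            THEN 'manages logins and server permissions; treat as sysadmin'
        ELSE 'full control of the instance'
    END           AS why_it_matters
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
ORDER BY r.name, m.name;

-- Logins holding CONTROL SERVER outside those roles are sysadmin in all but
-- name and are easy to miss when only role membership is reviewed.
SELECT
    p.name              AS grantee_login,
    p.type_desc         AS grantee_type,
    sp.permission_name,
    sp.state_desc       AS grant_state
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = 'CONTROL SERVER'
  AND sp.state = 'G'
ORDER BY p.name;
```

    Run from a login that can read the catalog views (VIEW ANY DEFINITION or higher) and keep the result set under change control: the add-yourself-then-remove-yourself pattern the quote describes shows up as a difference between two snapshots, not in the current membership list, so a scheduled copy of this output is worth more than an occasional manual look.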

  13. T. F. M. Reader

    Compartmentalization

    Actually, I am not entirely sure the publicly available information shows Snowden had admin level access to practically the whole agency, as we seem to be led to believe. The revelations pertain to a particular field of large-scale consumer communications snooping. We are told that lots and lots of documents in Snowden's haul have not been disclosed, but we are not told what they are, and they all may be "more of the same". Besides, all we have seen is some presentations and documents that were secret, but not necessarily (or even likely) the most secret stuff at NSA. In fact, the target audience of the disclosed documents likely includes anyone who works with the collected data - all we saw were high level descriptions and snippets of the basic "rules of engagement". The fact that NSA listens to comms on the planetary scale is not itself a secret (not from anyone who has ever read Clancy or Forsyth - chuckle), it's the agency's basic charter. The fact that the contents are hoovered and stored on a massive scale rather than selectively was a surprise to some, and this is what lies at the heart of the matter. There may be a single team of admins dealing with this area - it is not clear that this in itself is a major security flaw. But it is not even clear what Snowden's responsibilities were - it may be that he was just responsible for the not-so-secret (on NSA scale) "support documentation" stash and never, for instance, administered or had access to the actual collection systems.

    What is immeasurably more troublesome - and not addressed at all by this "he was an admin, what could we do?" hand-waving - is that apparently any non-privileged user (an analyst, not an admin) has access to the whole ginormous stash of data and meta-data and tools to query analyse them indiscriminately. When you have this situation it is useless to lament that admins have access, except as a smokescreen in the public debate, of course.

    Compartmentalization has always been a staple of the spook business. One would expect multiple admin teams each having access to only the stuff they need access to. One would expect compartmentalized "project teams" - analysts and such - having access only to stuff related to a particular project/operation/etc. One would expect an admin team supporting a particular op, with other admins not having access to the op-specific files, data, resources, etc. Yes, it makes sharing information more difficult, but by the same token it makes security tighter.

    It looks like the (multiple?) "store the internet" programs were never compartmentalized by design. It was never designed to support specific individual projects, it was designed as a wholesale warehouse. The design may facilitate efficient access to stuff individual projects need, but it is also not compartmentalized and therefore not as secure as it could be. That is not the sysadmins' fault, and that is not a consequence of the nature of sysadmins' work. That is either stupidity (nothing will ever happen) or malice (who gives a flying fuck about anyone's privacy) or both, regardless of the possibly amazing efficiency when everything works "as designed". [Allow me to doubt the efficiency, I suspect, for instance, that signal/noise sucks. It may be very good for post-event investigations though, when the signal is strong.]

    And now I wish someone at NSA would think of possible consequences of the proposed 90% sysadmin RIF again: if you need to compartmentalize access you will likely need more personnel, not less.

    1. A Non e-mouse Silver badge

      Re: Compartmentalization

      Wasn't one of the outcomes of the Sept. 11th investigations that there was too much isolation/segmentation of information? That they knew all about the people, but they didn't join all the dots together?

      1. Don Jefe

        Re: Compartmentalization

        Yes, over compartmentalization was one of the 'significant findings' of the 9/11 Commission. Various agencies had data which might have helped prevent the attacks but no one could piece it all together as it was all locked up by different departments across many agencies: They couldn't provide a clear picture.

        Those problems are one of the primary justifications for the growth of NSA programs and their role as the central information clearing house for other government agencies.

      2. T. F. M. Reader

        Re: Compartmentalization

        Yes, it was. It does not contradict anything. I allude to the possibly increased efficiency (and my doubts thereof) myself. But the trade-off in terms of security is obvious, or should be obvious if security/secrecy is important.

        Waving the efficiency flag you hoover the whole bloody Internet into your data centres, you allow every analyst at a few dozen agencies to access the data on demand, and in the process you necessarily tell all of them (and the auxiliary/support personnel, including contractors) that (a) the data are collected and stored, (b) the data can be queried and analysed using such and such tools, (c) the users are not really supposed to use all the data indiscriminately, and here are the rules. You will note that this is all that has been revealed so far.

        And now all of this is supposed to stay top secret indefinitely? And when it is leaked, by an admin and not by an analyst (admittedly an admin would be better qualified to get the information out and not get caught too early, but any analyst likely had access to the same resources), suddenly the root cause of the leak is the nature of sysadmins' duties? Sorry, but the implied statement that admins cannot be compartmentalized is (a) false, (b) irrelevant. Nothing was compartmentalized in this case, by design, and that merely includes sysadmins.

  14. rnblckmn

    When you are a sysadmin you can usually log in as someone who is even logged in at another location; this is usually done to help with common user problems that occur with account setup or user training, i.e. helping a user find a file or access and recover a damaged file. This means that a sysadmin has enough access to log in to a VM (virtual machine) from anywhere on the internet, can change his identity to SU (super user) with su -l, access and set up a VPN (virtual private network) to transfer or modify files, and then easily run a script to erase the access logs from the primary server itself, all from thousands of miles away. The scary thing is the NSA has no idea what he did or how, so these security holes stay open for the next guy who wants the credit card number that you used this month to pay your Verizon bill with.

  15. Random Q Hacker

    Mandatory Access Control

    Didn't they invent SElinux?

    1. John Smith 19 Gold badge
      Unhappy

      Re: Mandatory Access Control

      "Didn't they invent SElinux?"

      True.

      But MS Sharepoint does not run on it.

    2. Justicesays

      Re: Mandatory Access Control

      Yep,

      And MAC itself.

      Then it looks like they gave up, as it was apparently cheaper to buy a sharepoint license and use a wiki than implement a custom system that actually implemented MAC. Never mind the fact that in any computer system, unless you want to risk total data loss from a lock out, failure or loss of personnel, there are back doors. The best you can normally do is restrict these to physical access only, with physical observation and audited logging of any access, if you are super paranoid. Of course this becomes near impossible once you start storing datacenters worth of stuff. This also assumes that you trust the guys who set up the secure system in the first place, and doesn't cover you for bugs in the programs.

      Or alternatively you can give your top level access to people from a third party company and allow them the ability to do anything remotely with no real local oversight. I guess it was (again) cheaper.

      Still, at the basic level, I imagine almost everyone working at the NSA (or for the NSA) knew about the scope of data collection, which would be apparent from the data itself. Documents like the PRISM overview, the cables taps, the GCHQ connection, would be basic orientation material for most analysts so they would know what the possible information sources were.

    3. Rick Giles
      Linux

      Re: Mandatory Access Control

      I would trust or knowingly run an application or operating system that the NSA had touched. Secure my ascii.

  16. mark l 2 Silver badge

    This goes to show to anyone, even the NSA, that if someone with bad intentions has physical access to a system your data is NOT safe.

  17. Anonymous Coward
    Anonymous Coward

    Re: Mandatory Access Control

    Yes, and they definitely didn't put any backdoors into the code.

  18. Velv

    The next time your business complains when you bang on about "security" and "rights" and "admins" and "risk" and "why can't we just do it", point them at Edward Snowden.

    An admin did it and ran away.

  19. alain williams Silver badge

    The NSA has to claim that Snowden was 'brilliant'

    Because if it becomes known that he was an ordinarily skilled sysadmin then they will be shown up as incompetent by not dealing with the common (or should be expected) case of a disaffected worker. As we have seen many times with these sorts of people their primary interest is in protecting their own back sides and laying the blame elsewhere - just remember how they pursued Gary McKinnon who had the 'genius' idea of using default passwords to access systems.

    I do not know how clever Snowden is, however I suspect that it did not need genius level skills to do what he did, just a bit of determination.

    1. tom dial Silver badge

      Re: The NSA has to claim that Snowden was 'brilliant'

      Whether Snowden is or is not "brilliant" (my assessment based on what has been shown inclines to the latter), the NSA have been shown to have lapsed seriously in the matter of basic information assurance. Whether that constitutes overall incompetence is uncertain, but it certainly indicates that not enough people were sufficiently attentive, and there doubtless are quite a few who should suffer reassignment or retirement (civilian and military employees), or dismissal (contractor staff).

  20. Nameless Faceless Computer User

    Solution

    Rather than using a contractor, give your sysadmins a permanent job.

    /solved

    1. tom dial Silver badge

      Re: Solution

      When I worked at a U. S. Government agency we had many contractors intermixed with civil service personnel. The contractor staff were, on the whole, as capable and reliable as the civil service employees. Indeed, some felt that because contractor staff could be removed pretty much at will they were likely to be more diligent and careful on average. Civil service personnel are quite difficult to remove for reasons short of criminal activity or insubordination.

      There is no valid argument for insisting that only employees can be system administrators. There is, though, a valid argument for insisting that background checks be done by employees, and be done carefully and thoroughly before allowing anyone elevated privileges, especially in a sensitive system. If Booz-Allen performed Snowden's background check, as I have seen reported, it is a management error of the first magnitude, first that the function should be contracted out at all, and second that it should be done by his employer, whose interest in the matter is, to say the least, impure.

    2. rciafardone
      Coat

      Re: Solution

      Manning had a permanent job... so no, not solved.

  21. Lars Silver badge
    Coat

    The damage

    Something rotten when the "truth" is considered damage. Embarrassing yes and am I sorry.

  22. Rick Giles
    Linux

    I wonder...

    How many home network domains and WiFi APs are going to be renamed to NSAnet now...

    Mine's the one with the UpsideDowntranet in the pocket...

  23. Robert Carnegie Silver badge

    If this is a super secretive organisation, why are "sources" talking to The Register?

    Don't get me wrong, I am impressed.

    Not!

  24. Anonymous Coward
    Anonymous Coward

    Shhhh.... don't anyone tell them about

    Backup Admins.

    Corp/gov Backup Admins have a shedload more power than SysAdmins. ;)

    1. Anonymous Coward
      Anonymous Coward

      Re: Shhhh.... don't anyone tell them about

      Yup, a so-minded backup admin has the power to zap entire systems (or at least those which backup) and their backups with only a few lines in a simple script.

      ...not to mention access any of the data they hold on their backup servers.

  25. Wzrd1 Silver badge

    So much hogwash!

    First, let's review "They are great at some sophisticated tasks but oddly bad at many of the simplest."

    The NSA used to have things tightly locked down. Then, some 9-11 thing happened and everyone bitched that they couldn't access information in order to prevent a recurrence of such an event. So, access controls were massively eased back.

    Manning proved it, as did Snowden.

    As for an SA having access and it's unpreventable, that is also hogwash! I've set up access controls where SA's, NA's, AD admins, even enterprise admins didn't have access. Only the backup logon account had access and it was prohibited interactive logon, had a random password that remained unseen by human eyes and the password changed quite often automatically.

    The only thing that the idiot General has accomplished is removing the ability for the NSA to respond to another massive data breach, like happened with the 2008 cyber attack against the US DoD.

    The NSA sent hundreds of admin types to clean up that debacle.

    Twice.

    Twice because the contractors that set up things in such a way that the malware infection was inevitable refused to fix the baseline to standard, so they reinfected the network and servers in under a month.

    Something I know quite well, as I was in the middle of it, though my installation was kept up to standard, obeyed directives and hence, remained uninfected.

  26. Anonymous Coward
    Anonymous Coward

    So, the burning question is:

    Does NSA actually stand for Non Secure Agency?

  27. Anonymous Coward
    Anonymous Coward

    Wrong

    I'll bet a bullet can stop Snowden and it likely will.

  28. Lostintranslation

    So Jason Bourne didn't need all those fake passports and martial arts skills after all. He just needed to get a job as a sysadmin and wipe himself from the system.

    Treadmill, eat your heart out.

  29. stragen001

    Dear NSA. Listen carefully, I shall say this only once

    1) Watch Team America

    2) Realise WHY everyone hates America

    3) ...

    4) Profit

    1. Oninoshiko

      because americans make bad movies which are self mocking?

  30. gollux

    NSA HAS SERIOUS ISSUES

    First thing, lock down sysadmin access to only what's necessary for the sysadmin to do his job. Shouldn't be a global account that has access outside his well-defined access level and job scope.

    This is one reason to not trust the NSA. If he had GOD level status just because he was a puny SysAdmin, how do we know that Putin also doesn't have access... due to high level incompetence and the data leaks this enables.

    Or they intentionally wished that the information be leaked so they can build a strawman.

  31. Crisp

    Re: HE WAS A SYSADMIN

    Please tell me that the NSA doesn't let sysadmins work alone? At one installation I worked at, being caught at a terminal on your own was grounds for immediate dismissal.

    1. Brewster's Angle Grinder Silver badge

      Re: HE WAS A SYSADMIN

      Yeah, they worked alone (cf all the fuss about them moving to pair working).

      How efficient is pair working? How many arguments did it provoke? How easily could you have hidden something from your colleague?

  32. Dylan Fahey

    Power Level over 9,000

    Snowden is a hero to the free world. A sinister traitor in Amerika, but a HERO in the free world!

    Thank goodness for heroes, this world really needs them.
