back to article Getting documents all too easy for Snowden

Yet more evidence has emerged that the NSA, which has made much of its apparently god-like power to stroll into anybody's network, read anybody's data, and find any target it wants, is a neophyte when it comes to its own information security. If a report published in the New York Times is correct, all Edward Snowden did to …

COMMENTS

This topic is closed for new posts.
  1. Shannon Jacobs
    Holmes

    Register needs an alternative funding model and #MDFC

    As #MDFC (More Democratic Funding Campaign) could apply to the Register, this article would have various related campaign options towards which I could 'pledge' part of my subscription payment (with no risk to the Register, insofar as they are already holding the money). The Reg's favorite options would obviously include 'virtual sponsorship' of this article (no real cost, since they've already published it, but effectively freeing up discretionary funds as a reward for publishing what I want to read) or further investigations (which they would only commit funds to after lots of readers agreed with me) or external campaigns (within limits, since the Reg does need to make it's own budget, after all).

    My primary interest in external campaigns related to Snowden would actually be to investigate critical journalists who are piling on Snowden in apparent contradiction to their previously expressed journalistic principles. My own theory is that some of those so-called journalists are actually knuckling under to blackmail, but the possibility of independent outside investigations might be sufficient to break the threat. Some of them might be able to respond along the lines of "Yes, I understand that you represent certain parties who are highly concerned about my sympathetic coverage of Edward Snowden as a whistleblower, and I also understand that these parties are in possession of certain highly embarrassing information about me, flawed human that I am. The problem is that my reading your script attacking Snowden might trigger an investigation that would reveal my secrets anyway. Since you can't protect me from awkwardly human reality, perhaps you should just run along and let me do my journalistic thing for now?"

    1. Anonymous Coward
      Anonymous Coward

      Re: Register needs an alternative funding model and #MDFC

      .... so-called journalists are actually knuckling under to blackmail ...

      My theory would be that these 'so called' journalists may have a different point of view about the situation.

    2. Anonymous Coward
      Anonymous Coward

      Re: Register needs an alternative funding model and #MDFC

      I'm not sure there's any need to blackmail the journos; in the UK at least the title's mercenary / pliant / corrupt owner usually ensures attitudes are correctly adjusted to the regime du jours every whim.

      With a few entirely honourable exceptions, journalistic principles bit the dust some time around Thatcherism.

      1. Trevor_Pott Gold badge

        Re: Register needs an alternative funding model and #MDFC

        "With a few entirely honourable exceptions, journalistic principles bit the dust some time around Thatcherism."

        And yet, I see my generation - which largely rejects both Thatherism and Reaganism - believes strongly in those journalistic principles. A resurgence, you could say. Though now that there isn't much of a newspaper industry it's taking shape in the form of citizen journalism and "new media" enterprises.

        How corrupt they turn out to be if and when they find success is an open question. That said, El Reg is quite successful, and we continue to bite the hand that feeds IT...

        1. Anonymous Coward
          Anonymous Coward

          @Trevor_Pott

          I couldn't agree more, the public on the whole do believe in / want principled journalism with a strong ethos to tell it all, warts and all. I personally would love to see a great deal more non-partisan journalism that sticks the boot in and calls a wanker a wanker whatever the cut of their political jib if called for. Problem is, the majority of owners of big media don't see it the same way, and even the better ones have huge blind spots that expand rapidly when money enters the equation, partly out of a degree of expediency re advertising sales etc keeping them afloat, mostly due to other business interests or just political outlook.

          But like it or not, it is still print and broadcast media that holds the clout where it matters, although it is more and more frequently subject to strong pressure from social media and some of the better 'new media' outlets - although most of the ones actually doing a decent job have plenty of 'old world' journalistic experience and firepower behind them (India's Telhelka springs to mind). The truly amateur end of 'citizen journalism', while often well intentioned, frequently seems trivially corruptible and entirely ego driven - often a bit of flattery, a 'large' audience or a bit of reassuring engagement from a complained about business is often enough to blunt any negative commentary, and the liberal scattering of affiliate links suggest at least they should do an evening class in the meaning of impartiality, then take a long hard look at the slanted nature of their output. Most is little better than useful wallpaper at present.

          If anyone is vaguely serious about preserving the best of past journalism and reinventing it for the modern era, the linked issues of money, ownership, litigation and susceptibility are the ones that need addressing FIRST, or we're doomed to an eternity of the partisan puff-piece frippery and recycled press releases that so blight our current press.

          1. Trevor_Pott Gold badge

            Re: @Trevor_Pott

            "If anyone is vaguely serious about preserving the best of past journalism and reinventing it for the modern era, the linked issues of money, ownership, litigation and susceptibility are the ones that need addressing FIRST, or we're doomed to an eternity of the partisan puff-piece frippery and recycled press releases that so blight our current press."

            I agree, but this must start with the understanding that journalists need to get paid, and not at poverty levels, either. They have a right to earn a living, and those at the top of their craft have a right to a damned good living. Just like any other professionals in any other craft.

            Once we as a society accept that, the question becomes how to fund it. Display advertising is dead. Finished. Kaputski. People are completely immune to it and there is no fucking way that pays that bills for any serious news organization. Millennial are [happy unicorn bunnies] that wouldn't pay a subscription for the water to extinguish themselves if they were on fire. That leaves four possible ways to pay for journalism.

            1) Government sponsored. PBS to a damned fin job in the US. The CBC in Canada are top notch. Tea Party types would have an absolute aneurism at the very concept, however, because they are fundamentally capable of understanding that governments don't fail at everything and that journalistic organizations like the CBC do not allow the government to micromanage. So despite the proven viability of the model, we have to scratch that off the list.

            2) Patronage. Al Jazeera does a bang up job of this and cranks out some of the best news on the planet. The flip side of this coin is that if the Patron decides to meddle, it can all go to shit. The only way it works is what I call the "Mozilla model": build a loyal enough following that there is a reason for larger, more profitable "news" empires to ensure you are kept alive and left unmolested. Apple to a Microsoft under the Microscope. Hardly ideal, but it is proven to work.

            3) Crowdsourcing a.k.a begging. The wikipedia model. Shaming your readers into coughing up a bent pittance for a resource they use every single day. Personally, I'd rather be peeled than spat on by a bunch of layabout assholes who will begrudge the outfit every bent copper and moan ceaselessly that "true" journalists should do everything "for the love of the craft" and that content should be free.

            This model is simply untenable. Somewhere between the 10,000th post about how "the only way for journalistic integrity to actually exist is for journalists to work four shifts a day in a Chinese iPhone factory and pursue their journalistic endeavors on the side without having the gall to beg hardworking readers for their money" and the 50,000th accusation that "the journalist is biased towards/against Apple because of his job in the iPhone factory" the journalist will snap. He'll go nuts and paint times square with the warm, viscous entrails of the entitled fuckbags that believe themselves so pure and unimpeachable that they are justified in demeaning and degrading people who are literally killing themselves in an effort to bring them news.

            From a pragmatic standpoint, I don't believe any news organization can withstand the continued decline of not only it's reader base but the source of it's income. Add to that the fact that once a journalist has snapped they are unlikely to return to the craft and ultimately this model fails due to sheer attrition.

            4) This brings us back to content marketing, which brings us back to money from advertisers, vendors and so forth. This requires a decently sized journalistic organization in which editors serve as a firewall between writers and journalists. Money is handled on side of the house and writing on another.

            The firewall has to be pristine. Vendors cannot be allowed editorial input on articles that run. Journalists must be allowed the freedom to write whatever they want about any vendor they want. The sales and marketing teams find companies to funnel money into the machine and the editors ensure that no pressure from vendors ever crosses the barrier to their writers.

            The downside to this model is the same as any other: there is the distinct risk that the journalist snaps and makes satisfying, mewling, bleeding display art out of a readership that hurls accusations of bias at the drop of a hat. This is greatly reduced, however, by the journalist making enough money to live reasonably comfortably and perhaps even support a family.

            Ultimately, this is the only model that works. The journalist is isolated from the admen who fund the enterprise and gets paid enough to tell the fickle fucks who read his articles precisely what to go do with themselves.

            The journalist has a duty to the truth. Not to a given person's interpretation of the truth, but to report the facts. Any and all facts they deem relevant. Advertisers will prefer some facts be added and some facts be omitted in order to help control the message. The milled masses will prefer the same, so as to cater to their personal prejudices and preconceptions.

            If the mob is screaming "the black man done it" while they prepare a noose and tree, it's not the journalist's job to agree. If the companies who fund the place he writes for demand that a black man be proven to have done it, it still isn't the journalist's job to agree. It's the journalist's job to report what he knows and - if possible - find out who did do it. Black man, white man, or space alien.

            Money needs to flow to pay the journalist's wages. It is the job of the news organization that the journalist writes for to firewall him from the source of that money.

            Critically, however, the journalist has no more a duty to represent the presidencies and preconceptions of his readers than he does to write what those who pay him demand. The journalist's first duty is to the truth.

            Nobody likes the truth. We all prefer a comforting lie. It is far easier for the soon-to-be-lawn-art milled masses to pillory the poor journalist than admit that their preconceptions were inaccurate. This makes determining bias hard. It requires critical thinking. It also requires the ability to analyze evidence dispassionately.

            Sadly, as much as journalism has seen a decline over the past few decades (thanks, Murdoch,) critical thinking and analytical capability amongst the general populace have declined at a much faster pace. What good is a journalist if the populace to whom he delivers information demands not the truth, but emotionally satisfying confirmation of their already extant beliefs?

            This is the true dilemma facing today's journalists. "Truth" and "truthiness" have become tangled up in personal politics, apathy, self interest, frugality, entitlement and cynicism. The journalist can deliver the purest, most untainted truth there is to deliver...but all to often we're left wondering if there's anyone out there but us who gives a bent damn about it anymore.

            1. gazthejourno

              Re: @Trevor_Pott

              4) pretty much covers covers El Reg. With the advantage that I can write snarky responses about breakdancing on tramps every once in a while, as well as splattering the word "Glasshole" across Google and occasionally pissing off various script kiddies with my scintillating headlines.

              1. Anonymous Coward
                Anonymous Coward

                Re: @Trevor_Pott

                Isn't what you write more your truthful interpretation of events?

                1. Trevor_Pott Gold badge

                  @Titus_Technophobe

                  A cogent reply! Yes, in many instances, you are correct...but in many instances this is not so.

                  Consider the following two scenarios:

                  1) A reporter is covering a topic in which they have someone (or multiple someones) to hand to interview. The reporter asks whatever questions they can think of, publishes the result. This is not really the reporter's interpretation at this point so much as that of the interviewees. The only means by which the reporter can/does skew anything in through a lack of knowledge or willingness to ask various questions. A good reporter will ask the hard questions, and ask every hard question they can think of.

                  2) The reporter has objective testing results to deliver. "I ran IOmeter on this disk with these settings and it returned these results" or "the parks and rec department discovered there were X milligrams of mercury per kilolitre of lake water."

                  There are a few more examples, but you get my drift. I far prefer to be as objective as possible when and where I can. Other times, I climb my soapbox and preach my opinion. I try for a balance.

                  When I am preaching my opinion it is typically because I done some analysis work and come to conclusions that seem nonobvious or go against the prevailing wisdom of the day. A journalist gains sources that they can't always reveal. What the journalist sees coming down the pipe sometimes needs to be talked about, even when it's uncomfortable or seemingly unlikely.

                  As only one example, I remember being pilloried for saying Windows 8 was going to Vista, and that it was about more than just the lack of a start menu. I also remember saying Server 2012 was awesome and would see wide adoption. Both - despite a great deal of grief - turned out to be true.

                  A journalist makes a choice - and thus injects some bias - simply by choosing what to report on. That's unavoidable in any model I know of. (Though an argument could be made that aggregators such as Google news are more objective.) For me, personally, this is why I do not rely on my own judgement. I have built a circle of confederates whose opinion I seek out regularly. Many of these individuals were asked to part of the club specifically because they disagreed with me loudly and often.

                  When I am thinking about embarking upon an analysis - an opinion piece based on connecting various dots where not all of those dots can be made public - I talk to the gang. I put forth my evidence and ask if the shape I am making out of these dots makes sense.

                  Sometimes what we write is our interpretation of events. Sometimes what we write is completely objective testing and empirical data. Sometimes what we write is utterly partial.

                  What I think sets the journalist apart from the average internet commenter, however, is that the journalist has cultivated a sense of self awareness. They don't trust themselves or their senses. They understand that eye-witness testimony is the weakest form of evidence (except, oddly, in a court of law,) even if it is their own eye-witness testimony.

                  When I asked a journalist I greatly respect what the secret to the craft was they responded thusly: "question everything. Especially yourself." I maintain that this is the core of good journalism to this day.

            2. Stevie

              Re: @Trevor_Pott

              Re: point 1)

              Yes, agreed, but you have misrepresented the source of funding for PBS, which is financed jointly by minimal funds from the Government (reduced by Republican administrations again and again starting in the reign of King George the First) but largely by wealthy sponsors, individual pledges and lately by bequests in people's wills. The Government has made no special effort to refund what was taken away.

              Were this in the golden years of King George the Second one might wryly ask "Why do you hate Muppets?"

              I could never understand the defunding rationale nor the stampede by our so-honorable Congress to acquiesce. Was it because the puppets could read and urged others to learn to do it every day on that subversive leftist channel?"

      2. strum

        Re: Register needs an alternative funding model and #MDFC

        "You cannot hope to bribe or twist

        Thank God! the British journalist.

        But, seeing what the man will do, unbribed,

        There's no occasion to."

        1. gazthejourno (Written by Reg staff)

          Re: Re: Register needs an alternative funding model and #MDFC

          Yes, we all take bribes/worship St Maggie/venerate the ground that the Holy Saviour Murdoch walks upon here at El Reg. We also moonlight at the Copenhagen Zoo murdering giraffes and feeding them to the lions. I also personally went out of my way to grind my feet into the faces of the needy as I breakdanced my way to work across the malnourished stomachs of local tramps.

          1. Trevor_Pott Gold badge

            Re: Register needs an alternative funding model and #MDFC

            Wow. And here I felt bad because I only paid the Timmies hobo a buck fiddy this morning.

            I need to get a lot more evil.

  2. Flat Phillip
    Black Helicopters

    wget - The hackers friend

    First Manley, then Snowden used wget.

    Obviously this "wget" program is a malicious hackers tool that can only be used for evil. It must be placed on some register or something. The authors should be immediately checked and questioned for any anti-patriotic thoughts.

    At least he didn't use surfraw. Now THAT would of got them excited.

    1. Anonymous Coward
      Meh

      Re: wget - The hackers friend

      The author is Croatian, so I suspect and hope he's not terribly concerned with whatever a certain species of American thinks patriotism means.

    2. DAN*tastik

      Re: wget - The hackers friend

      That would *HAVE* got them excited.

      1. Flat Phillip
        Headmaster

        Were's you're icon?.

        Thanks, I get that wrong about 50% of the time

    3. charlie-charlie-tango-alpha

      Re: wget - The hackers friend

      I have deleted all copies of wget from all my systems.

      Honest.

      1. Flat Phillip

        Re: wget - The hackers friend

        They have the ftp server logs showing you downloaded wget stored somewhere so deleting wget just means you're guilty and trying to cover your tracks.

  3. Anonymous Coward
    Coffee/keyboard

    I wonder if he even had to use --no-check-certificate

  4. Wzrd1 Silver badge

    So, every intelligence agency in the US was lambasted for not sharing information before 9-11. So, they were ordered by Bush to share information freely.

    Now, they're criticized for sharing that information.

    But then, the press has an extremely short memory.

    1. Bluenose

      I think the idea

      was to share with other govt agencies not to let some bloke pick and choose the most embarrassing intel to share with the media.

    2. John Smith 19 Gold badge
      Unhappy

      @Wzrd1

      "So, every intelligence agency in the US was lambasted for not sharing information before 9-11. So, they were ordered by Bush to share information freely.

      Now, they're criticized for sharing that information."

      No. That is external sharing with other agencies.

      This is internal sharing.

      And just like IRL "over sharing" is not a good idea.

      1. Anonymous Coward
        Anonymous Coward

        Re: @Wzrd1

        No. That is external sharing with other agencies.

        Look up sarcasm. It'll help.

        Wzrd1: nice post. I got it :)

  5. Anonymous Coward
    Holmes

    The media misses the main point

    For every Snowden handing documents to the press, there's probably 50-100 "contractors" who were downloading and selling the same stuff (or worse) to Iran, North Korea, Russia, etc...

    The fact that it was this easy nearly guarantees that unscrupulous people with access would have decided to make a few bucks off the data.

    1. solo

      Re: The media misses the main point

      I would take this further that even Chinese and Russian spy networks seems so vulnerable after this.

      It's high time they all dump their politically correct data in community servers to save face in case of future leaks.

    2. Anonymous Coward
      Anonymous Coward

      Re: The media misses the main point

      My thoughts exactly. If they've really made it that easy, there has to be a whole slew of people quietly padding out the retirement fund, and given what the NSA have been poking around at, there must be a load of business outlets for the data too without squeezing the Norks (sorry...) for cash.

  6. Joe Montana

    Vulnerable behind the firewall

    Most organisations are like this, they use the firewall as their one and only line of defence against external attack, and do absolutely nothing about internal threats. Once you're behind the firewall at 99% of organisations you can rip through the network trivially.

    1. Anonymous Coward
      Anonymous Coward

      Re: Vulnerable behind the firewall

      And as someone who ran pen tests against both a large government office, as well as a defence contractor I can back this up - anecdotal, but my report and recommendation appear to have spread rather further (along with some very nasty remarks from our initial subjects on the basis that it was 'unfair')

    2. Anonymous Coward
      Anonymous Coward

      Re: Vulnerable behind the firewall

      ICBM-sites are exactly like that too, only the tech is older and more specialised!

      Back in the day, one heard some pretty scary anecdotes about the consequences following from the unique military approach to safety: That the desired Fail-Safe State for an ICBM system is LAUNCH.

      Many operators had (and have) spent the many hours of pure boredom working out ways to launch "their" missiles without the authorisation. In the same way today's BOFH's have worked out in detail how to wipe/corrupt/"steal" all the data in their networks. "Rightful Vengeance" is a nice fantasy.

    3. Anonymous Coward
      Anonymous Coward

      Re: you can rip through the network trivially.

      Especially when you're the system admin.

      Look, I'm not claiming this makes any sense, this is just the way the US government works at the moment:

      Feds don't get their fingers dirty assigning permissions to access databases or file structures. They assign that work to cleared contractors via some authorization system. Which means the contractors likely have even more access to data on the systems than they fed handing out the authorizations. And that's a low level sysadmin job in the US.

  7. John Smith 19 Gold badge
    Unhappy

    It's not exactly Mission: Impossible is it?

    Still you could say since they are so keen for Joe Public (and I mean everywhere) to share their data with them you shouldn't be surprised their so keen to share each others stuff, right? Us spooks have no secrets between each other.

    But the fact we're talking about 1.5 million documents suggests there could be even juicier items in the list.

    Perhaps something so infuriating to the Legislature they might actually (IDK) exercise some knowledgeable f**king oversight for once.

    Just a thought.

    1. John Sturdy
      Black Helicopters

      Re: It's not exactly Mission: Impossible is it?

      The problem with this is that the better they are at keeping secrets, the harder they are to oversee. Done properly, security in such agencies should keep data compartmented so no individual can see data from divisions other than the one they work for, other than by special arrangement.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's not exactly Mission: Impossible is it?

        But what happens when data from more than one division is needed? And what about people who oversee multiple divisions?

      2. Tom 13

        Re: so no individual can see data from divisions other than the one they work for,

        Except we determined that was exactly the problem with predicting 9/11 and so changed that fundamental premise of intelligence work. The data is supposed to be freely shared internal to the agency, just not the means, methods, and assets used to collect it (or certain data that would reveal means, methods and/or assets).

    2. teebie

      Re: It's not exactly Mission: Impossible is it?

      Mission: Inevitable?

  8. Trollslayer

    It's a people problem

    Arrogance and, in the end, boredom and laziness. That is what enables social engineering attacks.

    People have walked into NSA buildings without having to show ID on occasions.

    1. Nick Ryan Silver badge

      Re: It's a people problem

      A clipboard is usually all the ID you require. Or failing that, just boldness as in "looking like you should be there".

      1. John H Woods Silver badge

        Re: It's a people problem

        "Access all areas" costume:

        0) Attitude

        1) Dark suit, smart but not too sharp, with boring tie

        2) Clipboard

        3) Credit card sized photocard on lanyard

        4) High Vis Jacket

        5) Hard hat

        I reckon you can get into anywhere if you have all 6.

        1. charlie-charlie-tango-alpha

          Re: It's a people problem

          Plus 1 for that.

          In the UK, the police call the "high vis jacket" the "cloak of invisibility". Wear one and no-one looks at you.

        2. Richard Taylor 2

          Re: It's a people problem

          Actually, better than that. Vey presentable lady (sorry lads but it's true) carrying Struggling with) a large pile of papers gets someone through many 'security' doors.

        3. Tom 13

          Re: I reckon you can get into anywhere if you have all 6.

          Extra bonus points if you are visibly wearing an ear wig with no visible radio on your belt.

      2. I. Aproveofitspendingonspecificprojects
        Boffin

        If everyone used clipboards

        It would be difficult for other people to infect Iranian centrifuges.

        However if some of the secret data on the NSA servers could only be run on a certain type of hardware that was only available surreptitiously on a certain black market for certain non aligned persons...

        And a friendly neighbourhood subcontractor was known to be helping them with their enquiries...

        Say no more, say no more, nudge, nudge, wink wink.

        Is there a "WTF am I talking about?" icon?

        Ah yes.

        Got it.

        Edit:

        Yes, I know it is more likely that they infected the site directly from the link to everywhere included in the region that they patched into a few years ago when that pair of glass cables either side of the middle east went tits up due to scrap copper/thieves dropping the anchor on them.

    2. Javapapa

      Re: It's a people problem

      Twenty five years ago a friend of mine worked at NSA headquarters, guards carried M-16s, not just sidearms. I asked him what he worked on, knowing he had a degree in math and had done device driver programming at a previous employment.

      "I can't tell you".

      So I suggested he coded Fast Fourier Transforms to pluck keywords out of the signals captured by the Echelon satellites. His eyes grew wide and asked "What do you know?"

      "Nothing beyond that, but thanks for confirming."

  9. T. F. M. Reader

    RTFNYTA?

    "If a report published in the New York Times is correct, all Edward Snowden did to create his library of thousands of classified documents was run wget in recursive mode, and let it grab whatever documents were visible from his machine."

    Hmm... I actually clicked on the link to the NYT "report": it specifically states that while "then-PFC" then-Bradley Manning used wget Snowden used some unspecified but more powerful "web-crawler", whatever that was, that "functioned like Googlebot".

    It is certainly provocative to El Reg's audience to attribute the haul to "wget -O -r" (actually, probably "wget -x -r"...), but this is not what TFA says. Sloppy...

    1. charlie-charlie-tango-alpha

      Re: RTFNYTA?

      Journalistic licence. And in my view, not unreasonable. When I read the original article last night, my immediate conclusion was "wget".

      But whatever the tool, the principle remains the same. An NSA insider, and a contractor to boot, was able to recursively scan and download a bucketload of highly classified documents, including documents from a Five Eyes partner, without any effective alarms going off.

      That says an awful lot about the effectiveness of the NSA's security practices (for both technical and personnel security). No wonder they are pissed off.

      1. Will Godfrey Silver badge

        Re: RTFNYTA?

        It is better to be pissed off than to be pissed on

        ... which I rather suspect is what all us real people are currently suffering.

  10. Anonymous Coward
    Anonymous Coward

    Snowdon, your fantastic!

    Hopefully, one day his integrity will be rewarded... though I doubt it.

  11. Elmer Phud

    Raindrops

    It's no surprise that governments love the idea of clouds and only net access for everything, it makes life so much easier.

  12. Stevie

    Bah!

    Nice ducky logo. The rest of the article would be read with an extremely skeptical eye had I not actually lived through the time when it all happened.

    Attention credulous saucer loons: Do you still believe, given the epic levels of incompetence evinced by the No Sugar Added brigade in their supposed area of expertise, do you *still* think that someone could have hidden all evidence of UFO landings from the public? For over 60 years? Honestly?

    1. Bloakey1

      Re: Bah!

      <snip>

      "Attention credulous saucer loons: Do you still believe, given the epic levels of incompetence evinced by the No Sugar Added brigade in their supposed area of expertise, do you *still* think that someone could have hidden all evidence of UFO landings from the public? For over 60 years? Honestly?"

      I agree. they could not hide the fact that there is no God for a few thousand years either could they?

This topic is closed for new posts.

Other stories you might like