NSA's Christmas Eve confession: We unlawfully spied on you for 12 years, soz Slipping out unpleasant news at awkward times is a well-known PR practice – but the NSA has excelled itself by publishing on Christmas Eve internal reports detailing its unlawful surveillance. The agency dumped the docs online shortly after lunchtime on December 24, when most journalists are either heading home to their …
Should he ever post here I'd give him an upvote.
No chance of it happening I know, but we all owe him a debt of gratitude.
Well done the ACLU too for following up, without someone following up the information would gather dust and be forgotten.
And thanks to El Reg for the story, I doubt the mainstream rags will give this much space.
Should he ever post here I'd give him an upvote.No chance of it happening I know, but we all owe him [Mr Snowden] a debt of gratitude. ... Keef
Methinks there be every chance of such happenings on El Reg, Keef, for don't you now, there is far more going on in the hearts and minds of its engines than is being fully and clearly reported and suitably enough dumbed down for Main Stream Media Engagement and Presentation. But such a division and underground movement with novel transfer of intelligence and transmission of information and which always creates considerably smarter and designedly secure and quite secretive controlling elite forces, is only natural and revolutionary disruptive and which can also be creative and evolutionary destructive, and at the same time too. Quantum Communication is like that ..... Infinitely Flexible and Accommodating of Prime Produce to XSSXXXX/Super Sublime and Stealthy Secret Intellectual Property ..... and easily made readily available to all on Strictly Need to Know Bases.
Count my gast as flabbered as well. I always thought that, in such organizations, every file access was logged, every action taken by anyone was controlled and logged, and everything had to be done by the book or you had the book thrown at you.
The reality is that the NSA appears to be a vast group of buddies all aware of what they shouldn't do but without any active measures preventing malfeasance. The employees have their access to something terminated only when somebody finds out that they've been using something they shouldn't have.
Sorry ? If they shouldn't be using something they why the bloody hell can they access it in the first place ? I seem to remember, in the many Clancy novels (and others) that I've read, that the CIA had security so tight that if the Director himself made a mistake entering his password, security agents would come barging in, guns drawn, to make sure things were all right. Accessing the wrong file would not get you terminated, it would get you a personal session with the interrogation chair - then you'd be terminated.
I can see where I was wrong. I thought I was reading fantasy stories based on realistic people and organizations. I see now that I was reading fantasy stories based on realistic people and fantasy organizations.
No wonder the US military is easy to hack. If the CIA/NSA/Homeland Security use the best people and can't set up proper internal security worth beans, then obviously the military won't be able to.
I always thought that, in such organizations, every file access was logged, every action taken by anyone was controlled and logged, and everything had to be done by the book or you had the book thrown at you.
Historical accounts such as Inside the Puzzle Palace suggest that at one time IT access in the TLAs was much better controlled - that systems had to have one of the higher Orange Book classifications, that Mandatory Access Control was used (as opposed to Discretionary Access Control)1, that auditing was much stricter, that data-destruction rules were tighter, and so on.
The common theory seems to be that as commodity hardware and OSes became more powerful, the huge savings in equipment, software, and training that could be realized by dropping the special-purpose stuff and switching to COTS components was compelling for the agencies. They couldn't, or didn't try to, justify buying high-security systems when they could claim that (modified) COTS systems were mostly just as good. And that became a slippery slope to using DAC rather than MAC, not policing user access and privileges sufficiently, failing to update policies when new machines were added to the network...
The fact that Snowden was able to get all the material he's released shows that the NSA long ago dropped the ball on IT information control within the organization.
Add to that the burgeoning police state and concomitant increase in the number of people with high-level clearance (5.1 million with clearance, 1.5 of whom are at Top Secret) and the whole thing is just completely out of control. The system is ripe for abuse, there's ample reward for abuse (even simple curiosity is often sufficient2), and partly because it's so widespread there's little or no penalty for abuse.
1An anecdotal example is the "Amyl Fax Shuffle Time" joke-hack story related in Karla Jennings' The Devouring Fungus. I'm not making that up.
2If you're friends with a police officer in the US, ask him or her how many times they've known a colleague to run a background check on a romantic interest, or an ex, or a celebrity. Of course your friend never does this, but some of those other folks, eh?
Curiosity and taking advantage is part of human nature, its a drug, and this type of data is the ultimate virtual "crack". The first time an analyst does a personal-related search, its curiosity. But by then its too late and the person is hooked.
Whats even more worrying though, this often (though unintentionally) creates a vicious cycle, leading from curiosity to paranoia, they then try to use this as a tool to control a person or circumstances.
Oversight cannot work - whilst this type of power is accessible to humans, it will always be abused...
Terminator, maybe the machines might be the least evil option!
Would be to use the same data-mining they use to look for 'criminal associates', to build a web of contact each of their agents might possibly know - and then block (or flag) any data linking these people to queries from their account.
Still, as they managed to not do this for a husband, this is clearly beyond their abilities or inclination.
Total agreement with you, it is largely down to the person to make their decisions, 'from the get go'. I said that the Snowden affair highlighted a total breakdown in the recruitment of staff. I am not talking about trying to track the wrong person, the internal; processes should and must prevent that and there are (well used to be) established ways to minimise that particular snafu. They are process errors and the processes need a kick in the rear to improve them - oversight can help with that matter.
However staff who are happy to 'go rogue' are another matter all together. They sacrifice the job and threaten a wide audience while on their personal vendettas, not just because they miss what they should be doing, but because they smoke screen the operation and thus prevent any sight, not just oversight of what should be happening.
No organisation is ever perfect but it feels as though some have a huge backlog to recover - I wonder how many if any of the present staff should remain employed at all let alone remain employed after 'retraining'.
"....Oversight cannot work...." Er, except in the cases in the report, where the unauthorised accesses were detected? TBH, if the worst case Iain could find in his hyperventilating attempt to build this molehill into a mountain of intrusion was a woman spying on her hubby, it does beg the question what is new in the report? So-called 'love-int' has been commented on before, it is hardly the 'dire and terrible intrusion into all our lives' that some people with ovine behaviour have insisted is happening, is it? It seems some people are just determined to think the worst of the NSA and seize on any tiny issue as though it were some murderous conspiracy against us all.
Oversight is primarily meant to provide a deterrence, through people knowing that their actions will be audited, that clearly is not deterring enough (Given the gravity on the data being dealt with). What happened next, the people got a slap on the wrist and told not to do it again.
Also they've detected 1 or 2 cases, Wow the NSA chucked a "bone" to the public to show they're not perfect, but they do a reasonable job. The NSA has thousands of employees, this would be just the tip of the iceberg - What would be more interesting to know is how many cases that
a) Get swept under the rug by colleagues and immediate line managers
b) Get reported under misdemeanors
c) Go completely unnoticed
I don't think the worst of the NSA or any of the security services, I have respect for the job they do - But the people who work there are not super-human, they don't suddenly ascend above normal impulses to take advantage of tools given to them. Its like giving the bank vault keys to a bank robber, then telling him not to take anything..
It's no different for governments either.
They may well have built the systems with a genuine interest in terrorists, nuclear proliferation and so on. But once they have the power, they just cannot resist seeing what their friends are up to as well. And before very long, they're using it for domestic surveillance of environmental protesters, civil rights groups and occupy wall street type movements.
This is what happens when it's all done in secret without proper oversight, and anyone who blows the whistle is pursued as a terrorist and traitor.
That would be long* before the three martini lunches start.
*for small values of long. I've never quite figured out when or if they actually ended. Perhaps it's more a buffer space than an actual single event. Dear $DEITY! I've just realized a pub is just a TLB for people!
There has to be a reason why the majority of our 535 'democratically' elected 'representatives' in Washington, DC are lapdogs for the NSA. Of course, we (the public) will never know the truth since the shining examples of shadow government surveillance abuse are redacted by the guilty to protect the guilty.
Given that the documents were made public under a court order sought by the ACLU, it is quite certain that quasi-official public record publications such as the New York Times and Washington Post will have been notified as soon as they were posted. Whether those publications would publicize them beyond the NSA web pages is another matter, which might best be taken up with their editors.
I received notification in an email from Reason magazine.
That said, the reports do not appear to show systematic intentional violations of law or regulations. Nearly all of the errors in the two (2Q13 and 1Q12) that I have looked at appear to result from incomplete knowledge of the regulations, incomplete knowledge of the facts of a particular situation, or more or less random errors of execution
It would have been nice to know the final disposition of the case in which an analyst inquired into her husband's activities, but the reports at hand unfortunately do not appear to contain follow up information about incidents not completely resolved in a previous reporting period. It might be worth mentioning, though, that in similar cases reported in years past in the news media the usual outcome was termination of NSA employment for civilians and transfer of offending military personnel out of the NSA.
I cannot agree with you.
Incomplete knowledge of regulation from an employee of the NSA is a frightful thought in itself.
As for "random errors of execution" (nice euphemism for personal vendetta, by the way), the problem is not the error in itself, but that the error is possible in the first place.
As redacted as they are, these documents demonstrate that the NSA has next to no internal security which would serve to prevent these "errors" happening.
What should exist is a system that monitors all file access, checking to see that the person accessing the file is authorized to do so, forbidding access and logging the act for disciplinary measures if not.
The "regulations" they are speaking of are so voluminous that there is no human being that can comprehend or memorize all of them. You might be able to comprehend PART of them but not all.
These "errors" as you put it are simple human failings, something that happens everywhere.
No system is "perfect", nor is any human being. The sooner you understand that, the better.
...but basic 'data protection' guidelines, i.e. only access or process data for the purpose intended and in line with your allocated duties, is very simple, 'page 1 of the manual' stuff - no great understanding or detailed knowledge required for this.
How many trials that resulted in a guilty verdict have used that illegally obtained data?
How many trials in the future will use that same data 'to show a history of illegal activities'?
The Lawyers involved in any of the above may well be not on holiday like the hacks.
The gold standard on blog dissection of NSA & other gov releases and decisions for snooping, detainment and torture details from a legal view remains Marcie Wheeler - in this case parsing the implications for the dragnet:
https://www.emptywheel.net/
Her latest post isn't as exciting or maddening as many in her archives, but probably stuck in the rum & plum pudding as well - by New Years, I'm sure she'll have dug out a few more gems from the doc dump.
There are all those snoops that were not noticed by anyone. It would be naive to assume that NSA auditors/... were able to catch them all.
We have been shown reports of a number of violations. I would not be surprised to learn that there were many more but that the NSA 'fessed up enough to make us all tu-tut and be satisfied that they have told us all that they know ... but the real number known internally is what ?
The NSA has been shown to lie in the past, we would be naive to assume that this is the full truth.
Seems like the French don't want to be left out. The current parliament just gave internet users a blanket surveillance law (passed on Christmas Eve no less). No accountablity, no warrants, no need to explain which branch of the government needs the information. Nice. It's about as close to tech martial law as you can get.
Not many news feed are picking it up, but the French commentards on the site are about 99% livid and anti. Check it out (in French)
http://mobile.lepoint.fr/chroniqueurs-du-point/guerric-poncet/le-cadeau-de-noel-du-gouvernement-aux-internautes-la-surveillance-26-12-2014-1892495_506.php
Small correction, which actually makes it worse. What actually came out on Christmas eve is a "décret d'application" - a regulation issued by the government under the previously enacted law. And it gives sole authority to the Prime Minister to allow surveillance requests from a whole bunch of different branches of various ministries. Pretty lamentable, and would have been very acceptable to the ancien régime before the French Revolution. Charles I of England would have found it handy, too.
In fairness though there are a few of the commentards who defend it, being worried about home-grown jihadis.
Being French myself, I well know that my people are very interested in American fads and adopt them all with gay abandon (whether they are good or not).
We had Halloween stomp its way into our stores a decade ago, but that seems to be wearing thin now (this year no costumed kids were ringing doorbells any more in my village).
<cynical rate="maximum">
It is only natural that we see this new and exciting Internet Surveillance thing and wish to adopt it in our own way, and our Government, knowing just how enamored we are with all things American, has gone above and beyond itself to please us for XMas.
</cynical>
<snip>
"<cynical rate="maximum">
It is only natural that we see this new and exciting Internet Surveillance thing and wish to adopt it in our own way, and our Government, knowing just how enamored we are with all things American, has gone above and beyond itself to please us for XMas.
</cynical"
Ahh but Pascal, the mere fact that the government has to enacts laws to do it, infers that they are not involved up to their eye teeth in it like the British. the Brits spying on the Yanks, the Yanks spying on the Brits and both making data available for the other side's use. Very cosy indeed.
As for adopting US customs, the rot started with "Quick" and when I was in the 'army' a lot of our vehicles were old American stuff such as Simca's etc. At least we had our own caliber of weapons in the venerable 7.5 mm.
Yep, freaking scary, and as "Le Point" pointed out, "it's not excluded some extremist leaders thank Valls tomorrow, for putting such a handy tool in their hands"
Valls is, to me, a complete nutter who wants his name amongst the "tough" leaders. He'll probably join the darkest names in french history ...
Any french citizen should from now, start using TOR for any web browsing.
The amoral scum inhabiting the doughnut in Gloucestershire as well as those at Bude and Menwith Hill will never be forced to drop their pants as far as this.
That's because their oversight committees, especially the former minister, are as culpable as anyone.
...is the world a better place because some ass clowns now have access to old data? The fact is the world is not better off. In fact the world is much worse off now that Snowden has compromised numerous security systems that are used to protect the ass clowns of the world, which is the majority of naïve, gullible fools in society.
And I am guessing your initials AC stand for exactly that: Arse Clown!
Governments are supposed to be FOR the people; in other words they are secondary, the people are the nation and they vote and pay for the government to manage infrastructure for them.
You Sir are definitely an arse or an arse and a troll.
Offhand I can't think of anything a government can and should be doing that the people should not know about.
"Follow-up checks found another nine analysts who were doing the same thing, and all had their access to that data revoked."
That is key.
There *is* effort to abide by the law, despite abuses.
There is also another, rather annoying culture in the US DoD. That of advising, suggesting, ..., finally enforcing the law and regulations.
Case in point, a peer in Information Assurance (see Information Security) did repeatedly scan the network computers, including client computers, for "kiddie porn". That is something worthy, if it was part of his, or my job. It was not. We could only scan for that which we were ordered to. Said orders were "washed" through an attorney conversant with things military and things Constitutional (OK, it was a military attorney at law). Believe it or not, the US Constitution *is* in force, save in very, very, very narrow areas. *That* is in question on NSA activities, well, in the US or in regards to US citizens, the US Constitution does not protect foreigners abroad, ratified treaties do, find them, offer them and follow through to ratification or shut up. Ratified treaties are the law of the land, per the US Constitution.
Which is why I've *always* objected to torture, but that is wild afield here, just intercepting so me objections.
This proves to be an abuse of office by junior employees. I'll even admit to some abuses to see pictures of my grandchildren, while I was deployed and said parents refused to e-mail imagery, but "ordered" me to join FaceBook. I did, under duress. I accessed the imagery via secondary means, as malware was well established on FaceBook at that time and the risk was beyond objectionable to me.
Welcome to the real world, where balances are established, but rely upon young people to act mature, with somewhat predictable results.
The predictable results being revocation of access.
What is annoying is, the time taken to take action.
My teams revoked access against an unconstitutional search for "kiddie porn" by a mid level Information Security analyst after two attempts, his third being blocked and termination of access initiated, alongside disciplinary measure efforts.
The contractor sent him to an Iraqi base that was closed quite soon after his arrival, rather than go through the annoying efforts of defense or trial in civil court.
I've not tracked him since.
He was "good", otherwise, he was a village idiot in terms of boundaries.
<snip>
"Which is why I've *always* objected to torture, but that is wild afield here, just intercepting so me objections."
<snip>
What Ho Wiz.I say old chap, I do not quite catch your banter. Are you saying "I can't be dealing with this bally water boarding, just because some asiatic chap caught a wispy, rolled over on his Betty Harpers and caught his can in the Bertie"? or would you prefer "sausage squad up the blue end"?
Therein lies the dilemma old son, therein lies the dilemma.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
