Simple, logical and exactly what any computer criminal would do.
Except of course for the Govt pension.
Staff at the United States' National Security Agency reportedly “hunted” system administrators because they felt doing so would yield passwords that enabled easier surveillance. So says The Intercept, which claims this document came its way thanks to one E. Snowden, late of Moscow. The document is apparently a lift from an …
Except of course for the Govt pension.
Whilst a revelation to you, or maybe not I guess you do say 'Simple and Logical' ... this is what the NSA do. There is no implication in the article that this is anything other than targeted surveillance why do you imply that the 'NSA agents' are doing anything criminal?
The entire revelations could be summed up as "We want to spy on people and seem to have unlimited budget and nobody's going to stop us - what d'you think we should try next?"
I can actually imagine NSA (or GCHQ) agents reading that one shaking their heads and saying 'if only'...... Unlimited budget - try reading something of the economic figures in the last year or two.
Intriguing point.... are NSA using honeypot traps to compromise sysadmins? Has there been an uptick in lonely sysadmins being inexplicably approached by supermodels-in-distress who are SOOOO attracted to our lonely, manly heroes?? Are there a new and unprecedented job perks to being a sysadmin?
Inquiring minds want to know
I have maids (no, not the house cleaning sort, the Akiba sort), to fulfil that particular set of fantasies.
It happened to me the other day. I turned her down because she wasn't a red head.
ARE YOU READING ME NSA? I WANT A FUCKING RED HEAD!
With apologies to Guardian readers for the misogyny and the sexist implication that all sysadmins are heterosexual adolescent virgins who are just gagging for it. But, y'know, there's no joke without that. And after reading the comments on this place, I'm pretty certain it's true.
@BAG - I think you'd better specify to the NSA that you mean a "redhead". You definitely will not like it if the NSA give you a "red head".
Oooooooo f**k yes mmmmmmm. I did a long time ago watch a government information film 'It could be you' and no before anybody asks not at any of the aforementioned agencies.
All I can say is "it never has been .. in spite of bloody well wishing it was". FYI the Cold War wasn't all bad.
Minor correction to the apology to Gruniad readers ... that should I suspect read 'all sysadmins are male heterosexual adolescent virgins'. If it was all genders of 'heterosexual adolescent virgins' the world, indeed the IT world, would be a much happier place.
Personally I think we need to encourage more heterosexual adolescent virgins to choose a career in tech.
(If nothing else, it might finally wise up the do-gooders to the actual reason why they've never been able to encourage more women to choose a career in tech.)
I have a theory on that one ... "Women are far too sensible to aspire to a career in IT"
"heterosexual adolescent virgins"
Well, correct on no accounts, but as I get older, it'd be nice to wind the clock back sometimes.
Also, I think you've come to the wrong place for those types.
"There is no implication in the article that this is anything other than targeted surveillance"
Yeah, it says right there that they identify a target on the system... and then they go after their sys admin in order to breach the entire network. So in their own words they go after the suspect by first of all spying on the innocent sys admin.
Yup. Whether you agree with the NSAs actions or not , you can't fault their logic.
I am wondering however when Snowden is going to reveal all about the KGBs nefarious activities and warn us about the creeping power of the Russia state. I mean he will do that won't he? He's not just a stinking hypocrite who's gone over to the enemy to save his own skin while covering himself in some virtuous mantle of the Peoples Hero is he?
As far as I'm aware, despite recent worsening of relations, Russia is not currently "the enemy". They're just a country that isn't in the US government's pocket, which is exactly what a fleeing whistleblower needs. Also, the KGB doesn't exist anymore. And if you seriously think Russia would give Snowden access to their current intelligence agency's network, you're nuts.
"As far as I'm aware, despite recent worsening of relations, Russia is not currently "the enemy""
Not exactly friends though either.
"They're just a country that isn't in the US government's pocket, which is exactly what a fleeing whistleblower needs."
There are plenty of countries not in the US pocket , he just happens to choose russia. Interesting.
"Also, the KGB doesn't exist anymore"
Aww bless, so naive it's almost touching. If you think there's any qualitative difference between the KGB and the FSB then you've got sucker stamped all over your forehead. Also FWIW the KGB still exists in Belarus under the same name.
"And if you seriously think Russia would give Snowden access to their current intelligence agency's network, you're nuts."
Of course they wouldn't - but wouldn't a people's hero like him who is supposedly solely interested in showing up governments for what they really are go and try and find out some information anyway? It would be a risk but what does that matter when Freedom and Justice (tm) are at stake?
The lopsided negative thumbs here simply reflect the resistant mindset of 97.775 of the naif posters here who need lots more exposure to the real nasty outside world of our Muslim enemies' designs on the rest of us. They [the posters here] willfully ignore today's stark reality. The posters here are strident ostriches with colorful feathery tails in the air.
What's of interest is not the contents, but the addresses of the senders and the receivers of emails.
Because, at least here in America, post our being so bloodily attacked in 2001, we have the vigilant C.A.I.R and the A.C.L.U. who shriek, "Racism! Prejudice! Profiling!" at every scented provocation and they're very adroit at their "lawfare", so....Grandma with her colostomy must be groped along with everyone....everyone....at our airports to ensure that there is no "profiling". No one singled out. No bearded young, dark skinned Muslim male nervously fingering his prayer bead strings in the check-in line run the risk of having their feelings hurt at being groped while so few others have that strange feeling.
This has been most appropriately called, "Political Correctness" here in our America.
Ask the Israelis why they haven't had a hi-jacking since, I think...1968 or so. They....gasp!.....profile very, very effectively. How many posters here have checked in at Ben Gurion Airport?
The same thought process applies, in due course to our Internet. Gazeeeeelions of emails and Twitter-Tweets and such are scooooped up......
Relax, dear posters. No one really wants to actually...... see! ......those pics of your penises and testicles, but those who have the thankless responsibility 24/7 of keeping these literally explosive Muslims from blowing us up do indeed want to see messaged names and addresses. They have their lawyers, too, along with just about all of these pressure [ no puns] groups.
Try to care responsibly.
"Try to care responsibly."
That cuts both ways.
Nice post ... tongue in cheek but summarizes my opinions on these issues.
I am sort of hoping that the register introduces another badge for those of us with significantly more 'down thumbs' than 'up' .... the bronze is nice in that I don't encounter too much censorship. Kind of hoping for a black skull and crossbones next to the bronze. Other than that I post my opinion and damn the likes/dislikes.
....don't waste time here with commonsense replies. These parochial guys are only concerned with the "privacy" of their pics of their genitals which they twitter and tweet and they seem to be more concerned about potential hilarity resulting there than anything else.
Nowhere here do we read that the N.S.A. and the Brit equivalent are scooping up tons of uninteresting names and addresses trivia in our mutual war against our Muslim enemy .....what? ...a Muslim enemy?...where?......because of the very effective Muslim technique of lawfare and endless suits based upon cries of "profiling", "prejudice", and "racism".
Besides it gives these kids a whipping post. [Note: terrible pun alert....] for exercising their wit.
......"timed out", but here's the rest...
Besides it gives these wanker-kids a whipping post. [Note: terrible pun alert....] for exercising their wit. They've focused their tunnel vision only on the nitty gritty of their portion of the whole Internet aspects...the broader objective of rooting [pun alert #2] and squeezing out [ gasp!....#3] Muslim terrorism never enters into their "thinking".
We already knew that about russia, china etc.
Snowden is attacking the hypocrisy of the NSA in painting america as being different. They're not - they just pretend to be.
But haven't more Americans been killed by Americans than by Muslims? From the Unabomber to the gun lobby?
... don't use verifiable corporate or personal data on external networks.
It ain't exactly rocket science.
"... don't use verifiable corporate or personal data on external networks. It ain't exactly rocket science."
Does that mean you DIDN'T work at ARPANET in the 70s, or contribute to the Linux kernel? Just asking, because, y'know, that sort of personal detail seems quite verifiable not to mention exploitable with a bit of research.
Unless you generated an entire life story as a personal counter-intelligence and disinformation operation, in which case, KUDOS!
AC because, obviously no REAL, etc etc...
No, "AC 20 hours ago" (whatever that means, ElReg ...).
I am effectively anonymous (personally) when it comes to my work on ARPANET's NCP, then BSD and TCP/IP, and later still Linux. But my (different) handle for each is easily identifiable if you know me personally. Just like I'm "jake" (not "Jake"!) here on ElReg.
Back in the day, we knew the personal security implications implied in the then fledgling Internet, and we took steps to protect ourselves. Today's market-driven sheeple? They don't seem to want to hear it ...
Oh dear. You just used a word that triggers my automated psychological profiling system for posters. I wonder if you can guess which word it was, and, which folder it filed you in? Couple of clues, the word is in your last sentence and the folder is... an unusual shape for a folder.
I always considered folks like Tom Limoncelli to be a verifiably real Systems Administrator, or at least Google certainly seemed to think so. His book with Hogan and Chalup will always have a place on my shelf with respect to practical and common sense (not necessarily technical) aspects of the role that you learn only through bitter experience (or have other people learn for you and pass on their learned lessons).
Would a slightly more realistic stance be to perhaps say "Real sysadmins don't use verifiable corporate or personal data on external networks (that could be easily used to leverage social engineering efforts on the part of an attacker?)
When you are responsible for the security of a network, you do of course have a responsibility to ensure your approach to personal information is robust, and to engage in sanitisation of personal data that has potential for abuse. That should not come at the expense of honest social participation in daily life, physical or virtual, or in the building of relationships, business or personal online. In the case of the article subject, the NSA may be as dysfunctional, bureaucratic, and (in places) as incompetent as any large organisation but if they have a pressing need to find out who you are and a similar need to pwn your network, you can be sure they have the resources to do so.
"the word is in your last sentence"
OK, I'll bite ... My last sentence: "They don't seem to want to hear it ..."
So, your "personal profiling system" flies a flag ... where, exactly?
If he thinks the same way as I, the word was sheeple. Not the last sentence but telling enough.
Methinks the lack of ability to pass a correct pointer is even more telling.
Kids these days.
“My end target is the extremist/terrorist or government official..."
So perhaps now we know who the security apparat really regard as their enemies.
Either group could potentially threaten their cosy little world. One by blowing things up, the other by finding what is really going on at the likes of NSA or GCHQ.
I cannot see this as news to anyone except the hopelessly naive and dense. The NSA (like GCHQ, CSEC, ASD, and GCSB, and many others*) is a foreign intelligence agency, doing what such agencies do. It also should come as no surprise that foreign officials are targets - they were, after all the primary targets for such agencies before the moral panic over terrorism added that to their plates.
Contrary to the opinion of US Secretary of State (and War) Henry Stimson and apparently a great many members of the commentariat establishment, gentlemen do, in fact, read each others' mail. Or, maybe likelier, nearly all heads of state are not gentlemen and employ large numbers of non-gentlemen to assist them.
* Others include Subchefia de Inteligência do Estado-Maior de Defesa (Brazil), Bundesnachrichtendienst (Germany), and Directorate-General for External Security (France), to mention a few.
Re: tom dial's excellent thoughts.......
When I lived out in the Far East so many years ago we used to say of some of the locals that they had "tunnel vision". The best example of this is the waiter in a restaurant with a tray held high so studiously avoiding the raised eyebrows [or lifted fingers] of his other waiting customers vainly trying to gain his notice as he wends his way through his tables.
Such folks simply were not able to see anything not literally in hand, or in our cases here, at the ends of their fingers.
These contemporary lads here and now so feverishly dedicated to their computers are like the prostrated submissive figure before the looming monolith of a computer in Pat Oliphant's cartoon of some years ago. [ I don't know how to reproduce it here, but it's worth researching.]
What wondrous tools [apps] these supremely complicated machines present to us. But how parochial and limited in the daily nasty brutish and short business of our real World life so acutely threatened by our resident and subversive Muslim enemy is the approach of so many of the owners of the fingers typing their witty comments here. Their clever wit is an end in itself, but simultaneously being a demonstration of a dangerously limited and naif view.
The intelligence agencies of all of the World's governments are dedicated to the protection of their perceived broad national interests. Crassly put, this boils down to National survival. This is true of the Chinese, Russians, the French and the Brits, and also of us Americans.
Our mutual enemy [believe it or not] of this century, these deadly and literally explosive and throat slitting Muslims infiltrated and embedded right here amongst us all....all of us.....need to be found out and their tool of communication is the Internet.
So I'd pose a question to these witty parochial posters here so adolescently rebellious against the NSA's of their own Nations what they'd do if they were saddled personally with the 24/7 responsibility of protecting their Nation? Critics ought to proffer well thought out solutions to deadly problems, not snarkisms du jour.
Don't consider myself overtly parochial, but I do have some suggestions:
I doubt that many throat-slitting, explosive fanatics will be effectively flushed out and countered by mass internet surveillance. If any are, it will probably be a stroke of luck. I am convinced that far too much money is wasted on hoovering e-intelligence and performing the inevitable needle in a haystack analysis that surely follows. If these methods were effective, there would probably be no more identity theft, on-line fraud, child porn, spam, or cyber bullying either.
I'd rather see the money spent on training elite anti-terrorist squads and proper counter-intelligence, education, propaganda and humint both at home and abroad. We spent trillions during the cold war to successfully prevent annihilation by foes a lot more existentially threatening than Al-quaeda. That doesn't make MAD the model to emulate for every security threat.
Nor does it mean there is no threat, just that we are not using the right tools to fight it.
BTW, for an interesting backdrop on what the "threat" actually looks like statistically, I recommend the following
Personally, I don't believe a sledge-hammer, hoovering approach is the answer. At best it is a distraction, At worst, it smacks more of a lack of imagination than a well-thought-out strategy for containing or eliminating a few thousand, fanatical, blood-thirsty, cave-dwelling sub-humans and their increasingly numerous supporters.
IMHO, one of the biggest problems the West has dealing with terrorism is this: Western democracies treat terrorists as if they were common criminals with legal rights. But, in fact, real terrorists are not common criminals at all, many are well trained in military arts and highly experienced at subterfuge, assassination and clandestine methodology. They are enemy combatants sent to infiltrate a hostile nation whose mission is to cause as much damage as possible before being taken down. In sum they are spies, saboteurs or enemy soldiers who have blended into the local population. They should be treated accordingly as per the laws of war. Targeting the local civilian population with dragnet thinking is not the best way to find them and is quite likely counter-productive.
Although it may be politically incorrect to say so, targeted military assassinations, racial profiling, and targeted surveillance (which doesn't require intercepting and analysis, even passive, of everyone's lolcats) remains the best defense, because the best defense is always a good offense. It might even yield real results if there are any to be had.
But as you rightly point out, airport security theater and grandma groping are the weapons of choice because they offend people's sensibilities the least.
So let's keep it simple:
Target terror suspects at home and abroad, make it unpleasant for people who preach death and destruction in their host or home country, cut off their financing, and generally make their lives as complicated and miserable as possible. Hound them mercilessly. Don't put them into our prisons to breed more converts. Make lawfare a potentially seditious and prejudicial activity with extreme consequences for plaintiffs, support groups and the attorneys who bring the suits.
Then we could transparently use national security to justify stamping out undesirable activity by hostile parties instead of using it to surreptitiously justify mass surveillance against national populations. Al-Quaeda is not some enormous SMERSH-like organization with a massive state budget like the KGB had in the last century (even if some of these groups are well financed and organized).
Unfortunately, drone strikes (like missile silos in the cold war) are not winning any hearts and minds, and if anything they are making it worse. I'd rather see us import less oil, export less weapons, deploy less troops, deport more mad mullahs and make hashish and opium poppies legal. All of these would hurt a lot more.
If there is a cultural war on, then let's fight it, but using the weapons that best suit the threat.
And if there is a military or para-military war on, likewise.
No one (or very few people) were advocating clemency for captured German spies during WWII. So why should we feel bad for people who advocate the promotion of Sharia law in a civil society or promote ideas and practices that encourage people to attack our democratic principles and civil liberties? We shouldn't.
Instead, we should pack them up and send them home. If a few get guillotined when they return, maybe their followers will become better integrated in and more tolerant of the society they live in. Or perhaps they will go somewhere else. If civil liberties need to be sacrificed to make the world safe, perhaps we can be a little more selective about whose civil liberties are sacrificed.
I'd rather see a few innocents deported or arrested than constantly live in (and pay for) a world where everyone is a suspected or potential terrorist. Unfortunately we can't have total freedom and total security. So may we need to settle for a little more/less freedom or a little more/less insecurity.
Was that parochial enough?
May I offer to this discussion the "suicide" of the Vodafone’s - Greece, Network Planning Manager, Kostas Tsalikidis, after it was revealed that the Greek's prime ministers, head of army etc etc (hundreds of key people) mobile phones were being tapped, by subverting the lawful call intercepts?
The question is whether he killed himself for real (if he was indeed cooperating with some foreign agency) or whether he "killed himself" because he found out who has installed the root kit s/w. Access log files from the facility the code was installed were removed, before revealing the issue, by Vodafone management!!!
So a hero or a traitor? Anyway he seems to be one of the first real world kills in the cyberware game...
10 years ago these were regarded by many, especially those not wanting to see the facts, as conspiracy theories, after Snowden all this has changed.
Similar thing in Italy with the Telecom Italia phonetapping scandal. The 'security' team of Telecom Italia was caught spying on thousands of personalities in politics, show business and sport, using the infrastructure in place for lawful wiretaps. They used this to build dossiers on thousands of people for potential future blackmail. In typically incestuous Italian style, they were current or former security operatives of Pirelli, who had common shareholders and directors with, among others, Telecom Italia and the football club FC Inter Milan. All the companies apparently exchanged favours between them, at the behest of some directors, for example it's well known that Inter president Moratti asked the security team at Telecom Italia / Pirelli to investigate a referee that he thought had disadvantaged his team.
Adamo Bove, who was head of security at Telecom Italia, was found dead after jumping off a bridge, and there are plenty of theories that he had been "suicided". His deputy Giuliano Tavaroli was the main defendant in a mega-trial. Tavaroli claimed that all the interceptions were done on request of the business directors, but none of the 'higher-up' people were ever even indicted. Bove was the one person who could have linked the directors to the illegal wiretapping.
I'm afraid that I don't see the "scandalous indiscriminate collection of data on everyone" angle here. This looks completely targeted and 'normal' spying-type stuff.
Is the Intercept moving into 'releasing it just because we can' mode?
Definitely seems to be giving more credibility to the arguments of the anti-Snowden brigade...
"I'm afraid that I don't see the "scandalous indiscriminate collection of data on everyone" angle here."
What isn't clear about the assertion that in order to spy on the target they seek to compromise the sysadmin and the entire network? That's like taking down a guy by first taking down his missus and then levelling the block.
What isn't clear about the assertion that in order to spy on the target they seek to compromise the sysadmin and the entire network? That's like taking down a guy by first taking down his missus and then levelling the block.
Yes, that makes sense, if the point of spying were to destroy everything you come in contact with.
This is more like getting information on a guy by first getting info on his missus, and then staking out the places they go.
In other words, common spying techniques translated to a digital world.
And why would seeking privileged credentials be considered anything but normal behavior if you want information about or from a targeted system user (or in many cases, a number of them)?
Maybe that's why I keep getting invites to Linkedin.
If the Government actually came to most sysadmins, then they wouldn't need to do any of this bull shit.
Generally people like to help the police and, if legal, would bend over backwards to give up all they can to help.
Generally people like to help the police and, if legal, would bend over backwards to give up all they can to help.
But that's the point, hardly any of this is legal, I can just see the conversation
GCHQ: Your servers may have some data regarding location of an individual
Sysadmin: Great, do you have any court papers?
GCHQ: No but if we find them we can gather loads of information for a possible prosecution
Sysadmin: Won't this action prejudice that evidence in court
GCHQ: Usually yes, but they and other persons involved or obstructing are going to be bundled into a container and taken to the middle east where the security services will torture the info out of them at the behest of the NSA, so that hardly matters.
Sysadmin: I see
GCHQ: Now, do you have that data...
Reading through the original document:
A thought strikes me.
The way that the writer describes how he managed to break into the Kenyan sysadmin's account reads like a "walkthrough" in a computer game. With no apparent concept of the ethical consequences for this, all the writer seems to be interested in is solving the puzzle. They seem to have no appreciation that this is *NOT* a game but real life.
This got me thinking about the mind-set of the people involved in this. They seem to be divorced from the real world in as much as they do not regard the people they are targeting as actual human beings, no, all these targets are is "a means to an end". They are focused on puzzle solving to the exclusion of everything else, in other words, the end justifies the means. And where have we heard that before? They seem to enjoy working with "sooper sekrit stuff" and regard having this access as a sign that they are better than outsiders. They are arrogant and have a high self-regard.
Finally, thinking about all this, I wondered how the people working at NSA, GCHQ etc. could be described.
All I could come up with was "sociopath".
This post is already too long so I will include a couple of the sites I checked to see if what I thought sociopath meant was the proper one.
Personally I think the second sums up my impression of these characters pretty well.
One final quote from the leaked document.
"We can't collect everything all the time."
Oh, but I bet that they wish that they could.
"the writer seems to be interested in is solving the puzzle. ...All I could come up with was 'sociopath'."
And is any top-flight IT bod any different? Listening to interviews with people from Bletchley Park tells us that the technical people DO view matters as puzzles.
We are puzzle-solvers. We view technical problems as technical issues to be fixed, not as moral quandaries. We rant about users. We view the end-user as an obstacle and dehumanise them. A new project is more of an opportunity to play with new tech and write code than it is about giving customers something. Those are more sociopathic reactions and behaviours than empathic ones.
These people aren't so different from any tech-obsessed sys admin.
Which is not a problem in its own right, PROVIDING that there is oversight.
I'm personally fine with our tech-spies being the same type of problem-driven, mildly sociopathic and autistic people as we employ in civvie IT departments, so long as someone is keeping an eye on them who is divorced from actual investigations and their goals, whose job it is to rap their knuckles with a wooden ruler when they go out of bounds. I daresay such people do exist somewhere, but I wish there were more of them and that their oversight was more visible and effective.
"And is any top-flight IT bod any different?"
No, probably not. I certainly wasn't when I was doing desktop support. The difference being when I was doing a visit I was all too aware that my problem solving had a human element to it, usually an irate manager or process working glaring at me asking when they could get back to work.
These analysts on the other hand seem to see their "targets" as abstract entities with no human association. Thus my description of them as "sociopaths", this being one of the defining characteristics of such a personality.
Puzzle solving is one thing. Focus on that alone with no appreciation of any consequences to the other party, quite another. But as they are probably not "US persons" it might not matter even if they did think about the human being on the receiving end of their efforts. Let's face it, anyone not such a "US person" is, as far as the US Government is concerned, not blessed with the human rights they alone are entitled to.
The biggest problem you highlight is oversight. I agree with you there, the authorities are failing miserably. It could be that they are unaware of just what is going on or they don't care so long as they get what they want from such organisations.
"No, probably not. I certainly wasn't when I was doing desktop support. The difference being when I was doing a visit I was all too aware that my problem solving had a human element to it, usually an irate manager or process working glaring at me asking when they could get back to work."
You and I have had the luxury of meeting our victims/customers. These guys don't, which immediately dehumanises the subjects of their enquiries to a degree. Compartmentalisation of information may exacerbate the situation, to the point that the IT analysts might not know anything about their targets, or why they are targets.
And although you had people skills, we all know tech support guys who have ZERO people skills, to the point where they aren't allowed to go to meetings or generally talk to anyone who isn't one of the IT Clan. And... those guys are very often the very best when it comes to solving the unsolvable. Ultimately that's why their bosses put up with their foibles and lack of social skills.
Ultimately, I don't believe it is the job of the end-operator to be making all the calls regarding morality and ethics. I know that's a bit of a shocking thing to say, but bear with me:
I want the very best hands on the keyboard/trigger/joystick that are available, and that often means that they belong to someone who society views as 'not normal' in some manner. (We don't all believe that our nations' special forces are marvellously well-adjusted and empathic people, do we?)
However, I want the moral and ethical choices to still be made - ideally by someone with some distance from the investigation, in order for them to retain perspective. I need those ethical choices and limitations to be drawn up in advance, for limits to be set, and for oversight and -if needed- clarifications to be made during the operation.
That way, we use the best tools and sharpest minds, but they aren't the ones making the ethical choices.
"Which is not a problem in its own right, PROVIDING that there is oversight."
That's the trouble.
They are doing what they were told by the people in charge.
The PIC's believe everything is justified.
I believe a psychiatric study of NSA management (and their political "masters") would be most revealing.
Which is of course why it will never be done.