Snowden: Hey fellow NSA worker, mind if I copy your PASSWORD?

Edward Snowden persuaded his NSA colleagues to hand over passwords which he later used to download top secret material and leak it to the press. According to a report on Reuters, the whistleblower cribbed login details from up to 25 co-workers, who have now all been questioned and moved on to different jobs. It is not known …

COMMENTS

  1. C Montgomery Burns

    Think the NSA should consider adding a standardized IQ test to the polygraphs and background checks.

    1. cyrus

      Re:

      I prefer my NSA agents stupid and naive.

    2. Anonymous Coward

      IQ tests don't test how smart someone is or isn't; it's a common myth.

    3. Lapun Mankimasta

      They already hire all the morons, so it wouldn't change a thing.

  2. Andy The Hat Silver badge

    "The boss of GCHQ claimed to Parliament's Intelligence and Security Committee that Snowden's revelations had directly helped Al Qaeda"

    Ok ... and 10 years ago we didn't know GCHQ were slurping data? We didn't know that the only way to protect data was to heavily encrypt? We didn't know that the US and GB were sharing anything they wanted, whenever they wanted? All Snowden has done is confirmed the bleedin' obvious - which is why bin-Laden didn't directly use electronic communication!

    Snowden hasn't helped the US or GB by simply confirming that "they've got their digital fingers in the till", that is why the politicians are not happy. If he'd have been al-Snowdenov and released al-queda (whatever that is) secrets he'd have been a hero ...

    1. Frumious Bandersnatch

      "they've got their digital fingers in the till"

      Whaddya mean, "digital" fingers? Fingers are digits, you numpty :)

    2. Ken Hagan Gold badge

      "The boss of GCHQ claimed to Parliament's Intelligence and Security Committee that Snowden's revelations had directly helped Al Qaeda"

      He *claimed* that, but his actual observation is simply that they aren't talking as much as they used to. Perhaps this is because the ones who were just larking about have realised they are being eavesdropped and the only ones still talking are the ones stupid/dedicated enough not to care. If so, the disclosure has hindered Al Qaeda by blowing away some of their cover. We just can't tell. Come back in a couple of years with some stats about actual criminal acts rather than speculation based on volume of gossip.

      1. Roo

        "He *claimed* that, but his actual observation is simply that they aren't talking as much as they used to."

        Remember, for that kind of role you need absolutely zero education or competence at stuff like gathering evidence, assessing it and drawing conclusions from it. In fact the folks who pay no attention to inconvenient stuff like facts and reality tend to do better at gaining those positions because they are able to tell people what they want to hear.

        Ray McGovern has written about this lack of care and attention to reality on the part of intelligence officials and their overseers over in Leftpondia for several years now. The same seems to apply in Rightpondia as well, judging by the rubbish we see the state owned media (aka BBC) parroting at the moment.

    3. Lapun Mankimasta

      "What'll you have?" asked the waiter

      idly picking his nose.

      "A boiled egg, you louse.

      You can't stick your fingers in those!"

      Ah, the Aussies come up with some brilliantly satirical verse, don't they?

    4. Adrian 4

      "The boss of GCHQ claimed to Parliament's Intelligence and Security Committee that Snowden's revelations had directly helped Al Qaeda"

      "Well, he would say that, wouldn't he ?"

  3. Anonymous Coward

    'Agencies are having a hard time grappling with insider threat'...

    ....'the idea that the guy in the next cubicle may not be reliable'.......Maybe they need to spy on each other more often? Sounds like the 'ultimate solution' doesn't it? They'd be kept busy with less time to spy on ordinary Joe, politicians, foreign diplomats, foreign corporations, OWS protestors....

  4. RTNavy
    Childcatcher

    What a maroon!

    How many maroons does it take to run the NSA?

    1. Anonymous Coward

      Re: What a maroon!

      Two. A blue one and a red one.

      1. Anonymous Coward

        Re: What a maroon!

        There's a difference?

        1. Sir Runcible Spoon

          Re: What a maroon!

          Silly me, I thought you said Macaroon and thought you were nuts

  5. adifferentbob

    You couldn't make this up!

    Nobody is coming out of this with any credibility. Not the NSA who have their greasy fingers in everyone's privates, not the co-workers who were completely stupid to hand over their credentials, and finally Edward Snowden who it seems would quite happily fuck over his colleagues. I did have a lot of respect for the stand he'd taken, but that is gone now. You have to wonder what his colleagues had done to him to warrant that kind of treatment.

    1. hj

      Re: You couldn't make this up!

      Guess, if you want to show the world what's going on within the NSA, people want proof. Since he was only a third party contractor employee, he needs this info from his "co-workers". Can't really see why that is "fucking over your colleagues". Let's not forget those colleagues are/were the ones doing the actual spying on everybody. And I really can't have any warm feelings for those f*ckers.

      1. Rukario
        Black Helicopters

        Re: You couldn't make this up!

        > his "co-workers"... the ones doing the actual spying on everybody.

        You mean "cow-orkers". And we're all the cows that are getting orked pretty hard.

    2. Anonymous Coward

      Re: You couldn't make this up!

      Don't forget he said he took that job specifically with the goal of leaking information. So basically he was a spy. On the other hand, he also said one reason he came forward as soon as he did was that he didn't want his colleagues to get the blame for what he did.

    3. I. Aproveofitspendingonspecificprojects

      Re: You couldn't make this up!

      "You have to wonder what his colleagues had done to him to warrant that kind of treatment."

      Beside give him the keys to the kingdom, you mean?

      How much can you decide to give when you decide to give all you can, your life included?

      I'm reminded of the John Cleese/Ronnie Barker sketch from the Frost Report or TWTWTW:

      Barker in pyjamas: "Come on, admit it. You're a burglar, aren't you."

      Cleese in striped vest and lone ranger mask after a long pause while he examines the options: "A bit."

  6. Anonymous Coward

    To be honest, I'm finding it hard to work out who the goodies and baddies are in this whole clusterf*ck.

    1. Anonymous Coward

      You simply assumed that there were /any/ goodies, didn't you.

  7. Anonymous Coward

    Corporate data security - Joke.

    I just heard from Adobe that they got hacked and lost all my data, the wankers. A while back it was Sony who got hacked and lost all my data, the wankers. Then TJX got hacked and lost all my wife's data. All "large corporations", I believe.

    How do you expect ordinary users to understand and respect password security when their bloody employers can't even keep Boris the hacker from rummaging through their digital drawers with gay abandon? It's not that they TRUST the admin - it's that they've all been reamed by some other corporation already, the NSA is buggin their phone and interweb and they know that password-based security is a facade.

    I had an abrupt exit interview from a vendor of SANs. It was attended by 2 storage industry veterans, HR, and an IT guy reclaiming my desktop and laptop. They were sorry that they could not let me take home my 2TB USB drive unless they deleted all the contents. Nothing on it that I needed so I agreed. They connected it to a Win laptop and pressed delete.

    Then handed me the drive containing all the data on 2 unreleased products, totally recoverable with a simple undelete program. Mind blowingly inept.

    1. Ken Hagan Gold badge

      Re: Corporate data security - Joke.

      "Then handed me the drive containing all the data on 2 unreleased products, totally recoverable with a simple undelete program. Mind blowingly inept."

      Blimey!

      I think I'd have been tempted to point this out to them, just to see the look on their faces.

  8. Anonymous Coward

    But I don't need their passwords...

    ...as a sysadmin, I could ask someone for their password. Alternatively, I could provision a smartcard with their certificate on, and use that to log on to the systems as them. I can do just as much as if I had their password. And they don't know I've done it.

    The question is: how far can you trust me? Am I simply doing my job, seeing some things that perhaps I shouldn't have seen and keeping my mouth shut (both of which happen frequently)? Or am I a security nightmare?

    Sure - Snowden probably didn't have the credentials I had, and thus, the point is moot. But, at some point, a sysadmin (of sorts) has to have access to someone's e-mail/files/etc. And if the sysadmin is rogue...

    1. tom dial Silver badge

      Re: But I don't need their passwords...

      "Alternatively, I could provision a smartcard with their certificate on ..."

      I am not sure that it is possible in a US DoD agency for a lone administrator to do this. In the agency that employed me Common Access Cards are issued only in the security office, and programmable by equipment located there and online with a remote database that probably is used to verify the identity of both the issuing agent and the applicant; the processing would cancel the existing card and provision the new one with a new certificate. I believe the equipment used is physically inaccessible from the agency LAN. It is conceivable, however, that the old certificate revocation could be delayed for a short period, during which the authorized user would not be aware of the compromise. I am pretty sure that there was a hard line between those who could administer systems and those who could issue CACs.

      It seems doubtful that an SA would be able to generate a certificate, with the proper signatures, and install it properly to the network.

      1. Anonymous Coward

        Re: But I don't need their passwords...

        So, if he had said "create a pair of accounts w/ smartcards", would that satisfy you?

      2. midcapwarrior

        Re: But I don't need their passwords...

        It can't be delayed. The wait you have before you add your print to the card is when the previous card revocation is complete. Yes it is a separate network.

  9. Anonymous Coward

    Is it just me...

    ... or does this revelation change the dynamic of the story somewhat?

    We no longer have the case of a sysadm who had the authority to see secret material based on the privileges he needed to do his job, and then 'liberated' that material.

    We now have an individual who purposefully set out to gain access he was not entitled to. That adds 'breaking and entering' to the previous 'theft'.

    1. hj

      Re: Is it just me...

      Does it really matter?! Do you really think the guy would have had any credibility without the info he got hold of?

    2. I. Aproveofitspendingonspecificprojects

      Re: Is it just me...

      "We now have an individual who purposefully set out to gain access he was not entitled to. That adds 'breaking and entering' to the previous 'theft'."

      Only his name was George Bush and he was too damned stupid to get involved personally. And anyway it wasn't theft. They willingly told him everything he wanted to hear when he didn't really torture them.

      1. Sir Runcible Spoon

        Re: Is it just me...

        1. If I tell someone I'm authorised to enter their house and they give me the key to get in - that isn't breaking and entering.

        2. Theft is where you deprive the owner of something. He's perhaps stolen the jam out of their fucking doughnut, but he didn't steal the data - he made an un-authorised copy.

        Perhaps they will accuse him of copyright infringement next, although there are about 6 billion people who would make a counter claim I expect.

  10. Anonymous Coward

    Disposable Resources

    They arbitraged and lost. The zero loyalty disposable resource with access to long term security related data stood on its hind legs and asked: "what have you done for me today"?

    Usually the question is silent and so is the payment from the PLA or FSB or DGSE or ... You hear about Snowden because he did not sell out to the highest bidder but showed a streak of youthful idealism, ripping away the curtain and showing the greasy short fat naked bureaucrat warming his buns by the can with the burning Constitution, while spying on everyone and everything.

  11. roly

    We're all safe as long as we're not facing the KGB...

    That is the thing that scares me the most. Even if the NSA and GCHQ think they are doing this for your benefit who's to say that they are secure? The KGB were very successful at getting information from CIA agents and that was when we all thought it would be nuclear war without our spooks. The point is that checking staff when they come in is not enough. They need to be constantly supervised. What's to say that an NSA operative could not have his family kidnapped or had compromising photos taken off or something? It's really lucky that the ex-KGB staff don't work for the Russian Mafia or anything is it! Oh wait...

  12. Anonymous Coward
    FAIL

    Passwords? At the NSA, I expected four factor authentication as a minimum!

  13. Stevie

    Bah!

    Well, damn.

    8o/

  14. Stevie

    Bah!

    "The boss of GCHQ claimed to Parliament's Intelligence and Security Committee that Snowden's revelations had directly helped Al Qaeda."

    Dollars to dimes the proof of that is in a dossier that can be waved in the air but never, *never* examined as to the contents.

  15. Anonymous Coward

    A question

    The story of borrowed passwords seems a bit at odds with the leakage of documents. The documents appear mostly or entirely MS Office documents, describing the data and operations, that would have come from the Windows/LAN environment normally accessible only with the help of a smartcard / PIN combination (administrators might have a passworded network login, but normally would use a smartcard like unprivileged users).

    Username/password logins would more likely be used for non-Windows servers, which likely would be the ones storing operational data. Yet we have not seen such data released, so it is unclear whether the password borrowing allegations are in the class of unsubstantiated rumor or possibly a diversion.

    A great deal more has been released than would have been necessary for Mr. Snowden to make his claimed point. If password violations are involved it is implausible that Mr. Snowden would not have dipped into the real data if he could, and one wonders when and to whom his handlers released (or will release) the operational data and method details.

    1. midcapwarrior

      Re: A question

      Obviously you have not had access. They are file shares and until recently the "high side" was username password. You had to have a smartcard and pin to get into the secure room but no card for the PC. That has changed this year.

      1. Anonymous Coward

        Re: A question

        You're also assuming the management don't put all the documents under the share/public drive but in a folder called "mine, don't open" or "our department only".

        I never had the heart to tell our boss (big enough company to know better) that their private employee meetings, such as dismissals, were saved on the share under a folder called "private" etc. :/

  16. Camilla Smythe

    Oh Shit!!!

    What Sir?

    AQ has got hold of all our stuff.

    Damn!!

    Implement plan S.

    Plan S Sir?

    Do please read the manual.

    Shuffle Shuffle Shuffle.

    Ah, cunning.

  17. John Smith 19 Gold badge
    WTF?

    If NSA's mission is to snoop on everyone then the man who collects most wins. IOW

    With 26 logins Snowden is king spook!

    Seriously. Are you f**king kidding me? 26 people gave up their log ins without question?

    I know Snowden was a contractor and probably most of the people he worked with were also contractors but I find it impossible to believe they did not know who they were working for or the level of discretion that was needed.

  18. codeusirae
    Facepalm

    Polygraphs are pseudo scientific nonsense ..

    "if you've been polygraphed, you're an insider and you are presumed to be trustworthy,"

    Has anyone ever done a double-blind test, how many false positives, how many false negatives ..

    1. I. Aproveofitspendingonspecificprojects

      Re: Polygraphs are pseudo scientific nonsense ..

      They gave him the keys to the kingdom after they stuck a wire in his arse. He ate all the shit that they gave him and passed out the top of the class.

  19. codeusirae
    Facepalm

    Retrospective Reuters arse-covering ..

    "A handful of agency employees who gave their login details to Snowden .. said a source close to several U.S. government investigations"

    Who told Reuters and can we believe them? What does Snowden have to say regarding leaked passwords, how and why did the 'agency employees' cop to revealing their passwords. Besides, a competent tech admin don't need passwords.

    "Reuters reported last month that the NSA failed to install the most up-to-date, anti-leak software at the Hawaii"

    What 'anti-leak software' ?

    1. tom dial Silver badge

      Re: Retrospective Reuters arse-covering ..

      "[A] competent tech admin don't (sic) need passwords."

      He needs passwords if he plans to access data which he is not permitted and knows that there is auditing in place that he cannot disable without being noticed. For example. What he needs is login details of people who plausibly could be accessing the data.

      He could need login credentials to access systems to which he was not authorized. In that case, he might need credentials for administrative accounts. I seem to recall that shortly after Snowden's resignation, NSA announced a radical reduction in the number of administrators. These may be related.

      It may *just* be possible that the employees whose trust Mr. Snowden abused had the honesty to come forward and own up to their error. In the end, though, they probably would have been questioned and with reasonable probability found out.

    2. Lapun Mankimasta

      Re: Retrospective Reuters arse-covering ..

      What 'anti-leak software' ?

      A catheter. Incontinent underwear.

  20. Martin Huizing

    This post has been deleted by the NSA

  21. AlexH

    Just passwords? The 1980's called...

    Yet another of the many things about this whole debacle that beggars belief: that only a *password* was required to gain access to classified information.

    Two factor authentication? Biometric usernames? There's plenty new-fangled (...!) authentication methods that would have helped prevent this.

    (I realise that may all be nonsense as perhaps they were in place and his access as a systems admin allowed him to bypass them. Maybe.)

  22. I. Aproveofitspendingonspecificprojects

    Well, here I am at the end of the replies. I could read a lot more, it's been a blast. I only wish I could go back to the Burgess and Maclean era and enjoy all that but things were very different then.
