Snowden: Hey fellow NSA worker, mind if I copy your PASSWORD?

Edward Snowden persuaded his NSA colleagues to hand over passwords which he later used to download top secret material and leak it to the press. According to a report on Reuters, the whistleblower cribbed login details from up to 25 co-workers, who have now all been questioned and moved on to different jobs. It is not known …

COMMENTS

  1. Halfmad
    Facepalm

    Only got themselves to blame..

    I'm struggling to feel any sympathy to his co-workers, but is anyone really surprised that even in the NSA people don't quite get the importance of credentials being private?

    1. Roo

      Re: Only got themselves to blame..

      "I'm struggling to feel any sympathy to his co-workers, but is anyone really surprised that even in the NSA people don't quite get the importance of credentials being private?"

      The officials who provide oversight over this whole mass surveillance shebang really need to be investigated themselves. Snowden did all this stuff on their watch, and it has shown that their oversight of these operations has been opaque, inadequate and ineffective.

      If they had any sense of duty to the nation they would be working hard to fix the lack of oversight that led to Snowden gaining access to this stuff just by asking people for their credentials, instead of wasting valuable time vilifying Snowden.

      I do wonder if any of those cretins have actually considered the possibility that if Snowden could get this info so easily in such a short period of time, then perhaps the angry blow shit up type terrorists already took that same information (and more) several times over.

      1. Anonymous Coward

        @ Roo. You mean Obama don't you.

        This is the same thing with the IRS. Blatant violations of laws and protocols designed to prevent people in Government from abusing their authority and less than nothing done.

        People transferred to a different position. Probably a better one.

        A.C. for obvious reasons. Yeah I know they can't probably get my name but at least they have to work at it a little.

        1. emmanuel goldstein

          Re: @ Roo. You mean Obama don't you.

          you're really not getting it. let me break it down for you: THERE IS NO ANONYMOUS

        2. Roo

          Re: @ Roo. You mean Obama don't you.

          "The officials who provide oversight over this whole mass surveillance shebang really need to be investigated themselves."

          No, I don't mean Obama, I'm not really sure how you came to that conclusion... Like it or not, this stuff didn't start on his watch... I was referring to the various committees, judges etc. that are meant to establish the rules and laws which the spooks operate under, monitor their behaviour and enforce sanctions should they fail to comply with the rules/laws.

      2. Lapun Mankimasta

        Re: Only got themselves to blame..

        Oh it's guaranteed that the NSA and whatnot have been penetrated many, many times. The difference between those occasions and Snowden's, is Snowden was honest and told the world what a cock-up the NSA was, ditto the GCHQ, whereas the ones before him would've sold the info on to interested parties.

    2. Goldmember

      Re: Only got themselves to blame..

      No surprise at all. Although I do feel some sympathy for the workers who have been reprimanded and maybe even fired for this. As someone who has had the need in the past to work on people's workstations while they were logged in as themselves, it comes as no surprise whatsoever the ease with which people will hand over their passwords.

      Ok, I've never worked for the NSA and I don't know what kind of general computer security training they gave their people before Snowden (I'd put money on it being a hell of a lot better now!). But I have worked at small private companies, large multinationals and even public sector. In each scenario, a great deal of trust is placed on sysadmins, as they have to deal with users of varying technical abilities, and have access to highly sensitive information. In every job I've had, the user mindset has been "oh, he works in IT, he's trained in data security. He has more access to my system than I do and can access all sorts of data, so there's no problem handing over my password." Even when I've not asked for it (I try not to, and if the need does arise, I tell them to reset as soon as I've finished).

      It might not be right, but it's the way it is in many office environments.

      1. Richard Jones 1

        Re: Only got themselves to blame..

        I have known it be worse than that but NOT in a security situation. In one location the passwords were handed out on the basis of the seniority of the holder and the severity of the impact of the possible actions. Thus the most senior staff member had the passwords that could do all the nasty stuff, e.g. format everything, shut everything down, etc. whereas the staff who knew what they were doing had the password rights that allowed them to turn on the pretty lights. Consequently everyone used the password of the most senior staff member! I kid you not.

        *Actual commands, details of the rank of people and the location have been obfuscated.

    3. Anonymous Coward

      You've got to wonder

      You've got to wonder how many of the people holding security credentials stole material from the NSA and sold it to China instead of going to the papers like Snowden.

      I'm guessing that for every one Snowden running to the press, there's possibly 100 or 1,000 inside guys selling our private data to foreign governments or to cyber-crime gangs.

      1. Adam 1 Silver badge

        Re: You've got to wonder

        > You've got to wonder how many of the people holding security credentials stole material from the NSA and sold it to China instead of going to the papers like Snowden.

        Or even some other intelligence agency or organised crime group discovers that they were looking at something naughty online and uses that to blackmail them to hand over something pretty harmless, and then uses the proof that they handed this over to demand something more significant.

      2. Anonymous Coward
        Facepalm

        Re: You've got to wonder

        Looks like I spoke too soon.

        From this evening's New York Times: "Bribery Case Implicates 2 Admirals: Two United States admirals, including the Navy's CHIEF INTELLIGENCE OFFICER, were stripped of their access to classified information on Friday after being implicated in a contracting scandal that federal prosecutors are investigating in San Diego."

        Spooks and other people's money. Like flies and dog crap.

      3. Dr Dan Holdsworth Silver badge

        Re: You've got to wonder

        You do have to wonder why the NSA, with a multi-billion dollar budget and access to some of the best minds in the business, are not using two-factor logins of some description. Snowden would have fallen at the first hurdle were a random number fob or a fingerprint (or both) needed to get into machines; certainly an override system would have had to have been present also, but such an override would be very heavily audited indeed.

        Perhaps there will be some openings in the NSA for people who know about basic security...?

    4. Anonymous Coward

      Re: Only got themselves to blame..

      Work is no longer what it used to be!

      In the "good olde days", as long as you stayed loyal and toed the company line, your pay grade would click up one notch every four years, you were taken care of and you would get a gold watch & a pension after 25!

      Today, we are not people, we are "resources". We know that the HR-vultures always have a beady eye out for cheaper labour that can be abused harder, businesses are contracting and hiring through third-party agents to avoid any costs associated with employing and disposing of said "resources", there is generally no training and no career offered (or possible because of reorganisation every 3 years) - and yet - businesses and three-letter agencies assume loyalty from their disposable assets?!

      The smart young things especially know "what the gig" is: "Dump on Them before they dump unto Thee", "Grab the cash, Build a Stash", "Be liquid and rent, everything you "own" will be used to blackmail you" etc.

      Well, our leaders wanted a highly competitive society and now they are about to get it.

    5. Charles Manning

      Re: Only got themselves to blame..

      "Only got themselves to blame" takes a very simplistic view of how things work. Even in the most paranoid of institutions, people need to be able to have some trust or they would not get things done.

      When I was in the army, I worked some time in IT. The generals kept forgetting their passwords, so we ended up assigning the generals passwords which were printed out and kept on a list for everyone to reference. For a while, we made it easy for ourselves by assigning them all the same password.

      Now as it turns out, pretty much nobody doing IT was vetted at all (I certainly wasn't and would have failed miserably - being associated with various "known" people - including a guy who was in jail for espionage). And I had all the generals' passwords.

      You can guarantee the same happens in ALL government organisations, spooks or not. It probably happens in most banks too.

  2. codejunky Silver badge

    Well

    You need to be able to rely on the man next to you. It is the basis of being honourable and trustworthy.

    Funnily the actions of the NSA are opposite to this and yet they seem surprised when one of their rank (who appears to have morals) doesn't hold up those values.

    1. disgruntled yank Silver badge

      Re: Well

      I rely on my co-workers to be honorable and trustworthy. I do not give them my passwords.

      And I wouldn't hire anyone in a technical position who believed that the sysadmin needed other people's passwords. I wouldn't hire somebody to clear paper jams who believed that.

      1. Zacherynuk

        Re: Well

        I truly wish I could live in your utopian world.

      2. Adam 1 Silver badge

        Re: Well

        Why not?

        Sounds like the perfect candidate to clear paper jams.

  3. Pen-y-gors Silver badge

    "If you've been polygraphed"?

    Wouldn't security screening be more reliable if they just got them to drink a cup of tea and got an expert to read the tea leaves? Or read the bumps on their head?

    1. Anonymous Coward

      Re: "If you've been polygraphed"?

      Yes, I saw that one too. So much for polygraphing - or maybe they forgot that vital question:

      "Are you planning to leak all our secrets?"

      Duh. For an outfit absorbing a bazillion dollars per annum in budget they sure have shit internal segregation. Whoever was responsible for internal security should get the rubber hose treatment - if I had this security even at a bank I'd expect to be escorted out of the building on the next audit.

  4. Paul Johnston
    WTF?

    And this is security?

    especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy

    1. Frumious Bandersnatch Silver badge

      Re: And this is security?

      Wonder Woman's lasso of truth (or whatever it's called--actually that was a lucky guess) is more believable. Bizarrely enough, the same guy who invented that also contributed to the invention of the polygraph.

      1. Paul Hovnanian Silver badge

        Re: And this is security?

        "Wonder Woman's lasso of truth"

        That has some foundation in reality. In her prime (and that cute outfit), I would have told Lynda Carter anything.

  5. Anonymous Coward

    trust us

    Even though they're surveilling everything, we're told that all this data they're slurping up is all held safe, they know how to protect it and vet the people who have access to it so we can trust they won't abuse this capability etc. etc. - our private business will remain private.

    And they continue with this nonsense even when it's now perfectly clear they could not even protect their own top secret secrets from a low level third party contractor who it appears had access to virtually everything they were doing.

    1. tom dial Silver badge

      Re: trust us

      NSA security lapses notwithstanding, it is not clear (yet) that Snowden took anything but the metadata - the slides and documents that describe the data being collected and its processing. From the NSA perspective that's undoubtedly quite awful, maybe worse than the collected data. For those about whom data was collected that could be good news, if you trust that he didn't have access to it, or chose not to bother.

      Mention of borrowed passwords, though, suggests he took pains to gain access to systems that contained the collected data, so I would guess some of that went with him as well.

    2. Lapun Mankimasta

      Re: trust us

      "Trust me, I know what I'm doing." Also spracht Sledge Hammer.

      Believe you me, the NSA has been putting backdoors in security products as fast as it can, under the impression that only it can use them. At the same time it's been piling up all this lovely metadata.

      Google got rich on metadata. Now when some "interested party" pwns NSA, they'll have the keys to the economy of the US, the UK, the Rest of Europe - sorry, Yorp - and the Rest of the World. In a better world, the NSA would be tarred and feathered and ridden on a rail out of town.

  6. hplasm Silver badge
    WTF?

    NSA - an example of:-

    North American Insecurity or Unsecurity?

  7. linicks

    I don't find this hard to believe

    When I was sysadmin a few years ago, the usual helpdesk call was 'I've forgotten my password, can you tell me what it is?' Nobody believed me when I stated I didn't know what their password was, but I could reset it for them to create a new one.

    So being sysadmin in a large corporation, I guess many people *think* the sysadmin knows the passwords, and an obscure remark on passing like "Oh, BTW, I need to fix your mail box, what is your password again?" will work.

    1. midcapwarrior

      Re: I don't find this hard to believe

      As part of the yearly cleared security update you have to take an online security refresher course. It now includes a test question part where an admin asks for your password.

      1. linicks

        Re: I don't find this hard to believe

        OK, suppose the pass mark is 90% ~ and the user gets that one wrong but still gets 91%?

        If so, then getting that question wrong should mean 0% - failure to pass.

        Is that how it works?

        1. This post has been deleted by its author

    2. James Micallef Silver badge

      Re: I don't find this hard to believe

      "being sysadmin in a large corporation, I guess many people *think* the sysadmin knows the passwords..."

      Agree 100%.

      But the NSA isn't just any large corporation, security is their one and only job. And screening notwithstanding, they should be working on the assumption that at least some of their staff are Chinese, Russian etc. spies who got through one or more layers of security. That's why you have multiple layers / levels of security and Chinese walls.

      How hard is it to make sure that all new hires / contractors know not to give their password to anyone?

      NSA double-fail: they're not only illegally slurping data, they can't even protect it.

      1. Captain DaFt

        Re: I don't find this hard to believe

        "But the NSA isn't just any large corporation, security is their one and only job."

        Uh... no. 'Security' is in the name, but in true Orwellian doublespeak, their main purpose is to *break* others' security, and obtain all the data they can.

      2. Paul Hovnanian Silver badge

        Re: I don't find this hard to believe

        Compartmentalization. Having worked on the periphery of Dept of Defense projects, I've seen quite a bit of this at private contractors. "I have a top secret clearance. So let me see your blueprints." Nope. You have clearance for your project. I have clearance for mine. There are very few people in the DoD chain of command that are authorized to see everything. Never mind the private contractors.

        In fact, (and contrary to what I've heard in a few pubs down the road from the plant after work) you're not even supposed to run around telling the public what sort of clearance you've got. Impress the cocktail waitress with some other story.

    3. chivo243 Silver badge
      Pint

      Re: I don't find this hard to believe

      Not in the least!

      I just had a user hand over their password yesterday, without asking! The user asked our team to look into why they didn't receive the messages people said they sent! I told the user we can't see that, we have no access to their mailbox, and the pw was in the updated helldesk ticket within 2 minutes.

      Truly amazes me....

      A pint as it's already beer:30

      1. Uncle Slacky Silver badge
        Thumb Up

        Re: I don't find this hard to believe

        Sign them up to a goat fetish mailing list...

  8. i like crisps
    Big Brother

    A Trojan in a Trojan factory...

    ...What's sauce for the Goose.....

  9. Khaptain Silver badge

    Golden Rule

    All new employees in my office are given the same boring speech.

    It doesn't matter who asks, never ever give your password to someone else, not me, not your immediate boss and definitely not a "friend". Yes I have the means to change your password but no I do not have the means of knowing your current password (except when I look over your shoulder and follow your fingers - corporate policy makes this a little difficult though - 9 chars min, 3 different types). If you give your password to someone else then you accept all responsibility for any and all of the resulting consequences.

    Giving your password to someone else is like putting your finger on the trigger of a loaded gun.

    1. Lars Silver badge
      Happy

      Re: Golden Rule

      Very familiar, but what one has to try to do is to make those co-workers and bosses, who stand behind the person who has to enter a password, voluntarily turn their head. I have seen people in a higher position getting pissed off when asked to look the other way for a second. One funny memory regarding passwords was a girl at a customer whose password I had to ask for, with several other persons present. She got very upset, disturbed and blushing. I finally asked her to write it down and give it to me. What a happy face and a password I can still remember.

      1. Gordon 10 Silver badge

        Re: Golden Rule

        Spill the beans what was it?

        1. Anonymous Coward

          Re: Golden Rule

          I can honestly say that I have never been asked for a password nor have I ever asked anyone for theirs. I have been asked to log into a system and let the technician do something while I watched, or more likely to log in and then demonstrate an issue. I was usually asked to change my password once the job was done - a point was always made to turn away when passwords were entered.

          This was not in a 'security activity' as such, but anyone asking to borrow a password would be refused. Anyone requesting a password that carried any operational impacts would have been invited to join the foreign office and start travelling.

          I find it unbelievable that an organisation using the TLA of NSA understood so little and had staff who clearly knew so little about what their job involved.

          For one job the 'ever-so-casual-chat' warned about far less blatant risks along the lines of 'never do favours for or accept favours from strangers'. Even selling an account of a holiday or, e.g., nature observations on perhaps a nesting bird to a hobby magazine could be a threat to continued or even any future employment.

        2. This post has been deleted by its author

      2. Khaptain Silver badge

        Re: Golden Rule

        @Lars

        >Very familiar, but what one has to try to do is to make those co-workers and bosses, who stand behind the person who has to enter a password, to voluntarily turn their head.

        Normally I would make the situation into something funny. If I am at my desk or someone else's for that matter and I need to enter an admin account/password I will ask anyone watching if they are an "undercover agent" trying to get a hold of my password by watching my fingers, always in a light-hearted tone. I can't think of many/any occasions where they didn't realise what they were doing and immediately look away.

      3. Anonymous Coward

        Re: Golden Rule / Lars.

        I always turn away when someone's entering a password/pin, since as administrator, I can copy their /etc/shadow entry, change their password, do anything, and then restore the original entry...after killing auditd.

      4. Paul Hovnanian Silver badge
        Paris Hilton

        Re: Golden Rule

        "I have seen people in a higher position getting pissed off when asked to look the other way for a second."

        Poor use of social engineering. You turn around, look past them and exclaim, "Look at the t*ts on that secretary!"

    2. Lars Silver badge
      Happy

      Re: Golden Rule

      PS. Khaptain, my advice for passwords, long ones, is to have a "story" easy to remember, like "mypussycatwentupthethree", "ilikestormyweatheratsea" and such.

      1. tom dial Silver badge

        Re: Golden Rule

        DoD password rules for administrators, as I recall from a few years ago:

        Minimum length 13

        Two or more upper case letters

        Two or more lower case letters

        Two or more numerals

        Two or more punctuation characters

        Changed no less often than every 60 days

        Different from all of the last 10 passwords

        Different from all passwords used in the last year

        Put your story to that.

        1. sam bo

          Re: Golden Rule

          "Put your story to that."

          No story necessary - I think a sheet of A4 with all the rules and a list of the last 10 passwords stuck to the side of the monitor would be helpful, or not much work would be done.
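The rule list tom dial recalls above, turned into a checker as an added example (this is not code from any DoD or NSA system; the PBKDF2 hashing, the 40-day sample history and the SAMPLE_* names are assumptions). Only salted hashes are kept, so the history store itself never becomes the list of old passwords sam bo jokes about:

```python
"""Password-policy checker for the administrator rules quoted in the thread.
Constructed example: thresholds are the thread's, the code is an assumption."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 13                      # "Minimum length 13"
MIN_PER_CLASS = 2                    # "Two or more" of each character class
HISTORY_DEPTH = 10                   # "Different from all of the last 10 passwords"
REUSE_WINDOW = timedelta(days=365)   # "Different from all passwords used in the last year"
MAX_AGE = timedelta(days=60)         # "Changed no less often than every 60 days"
PBKDF2_ROUNDS = 100_000              # assumption: any slow, salted hash would do

CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "numeral": string.digits,
    "punctuation": string.punctuation,
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). No plaintext is stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def record_change(history, password, set_at):
    """Append a history entry; the list is kept oldest first."""
    salt, digest = hash_password(password)
    history.append({"salt": salt, "digest": digest, "set_at": set_at})


def complexity_failures(password):
    """Rules that need only the candidate itself."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if sum(ch in alphabet for ch in password) < MIN_PER_CLASS:
            failures.append(f"fewer than {MIN_PER_CLASS} {name} characters")
    return failures


def history_failures(password, history, now):
    """Rules that need the hashed history. An entry was 'in use' from its own
    set_at until the next entry's set_at (or until now for the current one)."""
    failures = []
    first_recent = max(0, len(history) - HISTORY_DEPTH)
    for i, entry in enumerate(history):
        in_use_until = history[i + 1]["set_at"] if i + 1 < len(history) else now
        in_last_ten = i >= first_recent
        used_in_window = now - in_use_until < REUSE_WINDOW
        if not (in_last_ten or used_in_window):
            continue                      # irrelevant entry: skip the slow hash
        _, candidate = hash_password(password, entry["salt"])
        if hmac.compare_digest(candidate, entry["digest"]):
            if in_last_ten:
                failures.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            else:
                failures.append("matches a password used within the last year")
            break                         # one match is enough to reject
    return failures


def check_candidate(password, history, now):
    """Every rule the candidate breaks; an empty list means it is accepted."""
    return complexity_failures(password) + history_failures(password, history, now)


def rotation_overdue(history, now):
    """True when the current password is older than the 60-day maximum."""
    return bool(history) and now - history[-1]["set_at"] > MAX_AGE


# Constructed sample: 14 changes 40 days apart, the newest made "today".
SAMPLE_NOW = datetime(2013, 11, 8)
SAMPLE_PASSWORDS = [f"Adm1n!Pass#{i:02d}XY" for i in range(14)]


def sample_history():
    history = []
    for i, pw in enumerate(SAMPLE_PASSWORDS):
        record_change(history, pw, SAMPLE_NOW - timedelta(days=40 * (13 - i)))
    return history


if __name__ == "__main__":
    h = sample_history()
    # Lars's story-style password fails three class rules but not the length rule.
    print(check_candidate("ilikestormyweatheratsea", h, SAMPLE_NOW))
    # Password #3 dropped out of the last-10 window but was still in use 360 days ago.
    print(check_candidate(SAMPLE_PASSWORDS[3], h, SAMPLE_NOW))
    print(check_candidate(SAMPLE_PASSWORDS[0], h, SAMPLE_NOW), rotation_overdue(h, SAMPLE_NOW))
```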

  10. Lars Silver badge
    Happy

    The boss of GCHQ

    As British, did not have to add communists and socialists to his smoke screen.

    1. I. Aproveofitspendingonspecificprojects

      Re: The boss of GCHQ

      Bernard Law Montgomery was a committed socialist as was nearly everyone under him and the other 2/3rds of HM armed forces were the same. It didn't last of course but Russia was paranoid about its publicity and had a seriously determined attitude about catching spies.

      Even that fat drunk Churchill played into Stalin's hands time and again. Not with little things like all our used aircraft but really big stuff like Eastern Europe. What he wasn't giving to Russia he was letting the USA roll over. The idiot was a far bigger menace than any of the moles Russia had here from Klaus Fuchs on.

      I don't doubt for a moment it only got more and more sordid. The absolute antithesis of every James Bond film.

  11. C Montgomery Burns

    Think the NSA should consider adding standardized IQ tests to the polygraphs and background checks.

    1. cyrus

      Re:

      I prefer my NSA agents stupid and naive.

    2. Anonymous Coward

      IQ tests don't test how smart someone is or isn't; it's a common myth.

    3. Lapun Mankimasta

      They already hire all the morons, so it wouldn't change a thing.

  12. Andy The Hat Silver badge

    "The boss of GCHQ claimed to Parliament's Intelligence and Security Committee that Snowden's revelations had directly helped Al Qaeda"

    Ok ... and 10 years ago we didn't know GCHQ were slurping data? We didn't know that the only way to protect data was to heavily encrypt? We didn't know that the US and GB were sharing anything they wanted, whenever they wanted? All Snowden has done is confirmed the bleedin' obvious - which is why bin-Laden didn't directly use electronic communication!

    Snowden hasn't helped the US or GB by simply confirming that "they've got their digital fingers in the till", that is why the politicians are not happy. If he'd have been al-Snowdenov and released al-queda (whatever that is) secrets he'd have been a hero ...

    1. Frumious Bandersnatch Silver badge

      "they've got their digital fingers in the till"

      Whaddya mean, "digital" fingers? Fingers are digits, you numpty :)

    2. Ken Hagan Gold badge

      "The boss of GCHQ claimed to Parliament's Intelligence and Security Committee that Snowden's revelations had directly helped Al Qaeda"

      He *claimed* that, but his actual observation is simply that they aren't talking as much as they used to. Perhaps this is because the ones who were just larking about have realised they are being eavesdropped and the only ones still talking are the ones stupid/dedicated enough not to care. If so, the disclosure has hindered Al Qaeda by blowing away some of their cover. We just can't tell. Come back in a couple of years with some stats about actual criminal acts rather than speculation based on volume of gossip.

      1. Roo

        "He *claimed* that, but his actual observation is simply that they aren't talking as much as they used to."

        Remember, for that kind of role you need absolutely zero education or competence at stuff like gathering evidence, assessing it and drawing conclusions from it. In fact the folks who pay no attention to inconvenient stuff like facts and reality tend to do better at gaining those positions because they are able to tell people what they want to hear.

        Ray McGovern has written about this lack of care and attention to reality on the part of intelligence officials and their overseers over in Leftpondia for several years now. The same seems to apply in Rightpondia as well judging by the rubbish we see the state-owned media (aka BBC) parroting at the moment.

    3. Lapun Mankimasta

      "What'll you have?" asked the waiter

      idly picking his nose.

      "A boiled egg, you louse.

      You can't stick your fingers in those!"

      Ah, the Aussies come up with some brilliantly satirical verse, don't they?

    4. Adrian 4 Silver badge

      "The boss of GCHQ claimed to Parliament's Intelligence and Security Committee that Snowden's revelations had directly helped Al Qaeda"

      "Well, he would say that, wouldn't he ?"

  13. Anonymous Coward

    'Agencies are having a hard time grappling with insider threat'...

    ....'the idea that the guy in the next cubicle may not be reliable'.......Maybe they need to spy on each other more often? Sounds like the 'ultimate solution' doesn't it? They'd be kept busy with less time to spy on ordinary Joe, politicians, foreign diplomats, foreign corporations, OWS protestors....

  14. RTNavy
    Childcatcher

    What a maroon!

    How many maroons does it take to run the NSA?

    1. Anonymous Coward

      Re: What a maroon!

      Two. A blue one and a red one.

      1. Anonymous Coward

        Re: What a maroon!

        There's a difference?

        1. Sir Runcible Spoon Silver badge

          Re: What a maroon!

          Silly me, I thought you said Macaroon and thought you were nuts

  15. adifferentbob

    You couldn't make this up!

    Nobody is coming out of this with any credibility. Not the NSA who have their greasy fingers in everyone's privates, not the co-workers who were completely stupid to hand over their credentials, and finally Edward Snowden who it seems would quite happily fuck over his colleagues. I did have a lot of respect for the stand he'd taken, but that is gone now. You have to wonder what his colleagues had done to him to warrant that kind of treatment.

    1. hj

      Re: You couldn't make this up!

      Guess, if you want to show the world what's going on within the NSA, people want proof. Since he was only a third party contractor employee, he needs this info from his "co-workers". Can't really see why that is "fucking over your colleagues". Let's not forget those colleagues are/were the ones doing the actual spying on everybody. And I really can't have any warm feelings for those f*ckers.

      1. Rukario
        Black Helicopters

        Re: You couldn't make this up!

        > his "co-workers"... the ones doing the actual spying on everybody.

        You mean "cow-orkers". And we're all the cows that are getting orked pretty hard.

    2. Anonymous Coward

      Re: You couldn't make this up!

      Don't forget he said he took that job specifically with the goal of leaking information. So basically he was a spy. On the other hand, he also said one reason he came forward as soon as he did was that he didn't want his colleagues to get the blame for what he did.

    3. I. Aproveofitspendingonspecificprojects

      Re: You couldn't make this up!

      "You have to wonder what his colleagues had done to him to warrant that kind of treatment."

      Besides giving him the keys to the kingdom, you mean?

      How much can you decide to give when you decide to give all you can, your life included?

      I'm reminded of the John Cleese/Ronnie Barker sketch from the Frost Report or TWTWTW:

      Barker in pyjamas: "Come on, admit it. You're a burglar, aren't you."

      Cleese in striped vest and lone ranger mask after a long pause while he examines the options: "A bit."

  16. Anonymous Coward

    to be honest, i'm finding it hard to work out who the goodies and baddies are in this whole clusterf*ck.

    1. Anonymous Coward

      You simply assumed that there were /any/ goodies, didn't you.

  17. Anonymous Coward

    Corporate data security - Joke.

    I just heard from Adobe that they got hacked and lost all my data, the wankers. A while back it was Sony who got hacked and lost all my data, the wankers. Then TJX got hacked and lost all my wife's data. All "large corporations", I believe.

    How do you expect ordinary users to understand and respect password security when their bloody employers can't even keep Boris the hacker from rummaging through their digital drawers with gay abandon? It's not that they TRUST the admin - it's that they've all been reamed by some other corporation already, the NSA is bugging their phone and interweb and they know that password-based security is a facade.

    I had an abrupt exit interview from a vendor of SANs. It was attended by 2 storage industry veterans, HR, and an IT guy reclaiming my desktop and laptop. They were sorry that they could not let me take home my 2TB USB drive unless they deleted all the contents. Nothing on it that I needed so I agreed. They connected it to a Win laptop and pressed delete.

    Then handed me the drive containing all the data on 2 unreleased products, totally recoverable with a simple undelete program. Mind blowingly inept.

    1. Ken Hagan Gold badge

      Re: Corporate data security - Joke.

      "Then handed me the drive containing all the data on 2 unreleased products, totally recoverable with a simple undelete program. Mind blowingly inept."

      Blimey!

      I think I'd have been tempted to point this out to them, just to see the look on their faces.

  18. Anonymous Coward
    Anonymous Coward

    But I don't need their passwords...

    ...as a sysadmin, I could ask someone for their password. Alternatively, I could provision a smartcard with their certificate on, and use that to log on to the systems as them. I can do just as much as if I had their password. And they don't know I've done it.

    The question is: how far can you trust me? Am I simply doing my job, seeing some things that perhaps I shouldn't have seen and keeping my mouth shut (both of which happen frequently)? Or am I a security nightmare?

    Sure - Snowden probably didn't have the credentials I had, and thus, the point is moot. But, at some point, a sysadmin (of sorts) has to have access to someone's e-mail/files/etc. And if the sysadmin is rogue...

    1. tom dial Silver badge

      Re: But I don't need their passwords...

      "Alternatively, I could provision a smartcard with their certificate on ..."

      I am not sure it is possible in a USDoD agency for a lone administrator to do this. In the agency that employed me, Common Access Cards are issued only in the security office, and are programmable by equipment located there and online with a remote database that probably is used to verify the identity of both the issuing agent and the applicant; the processing would cancel the existing card and provision the new one with a new certificate. I believe the equipment used is physically inaccessible from the agency LAN. It is conceivable, however, that the old certificate revocation could be delayed for a short period, during which the authorized user would not be aware of the compromise. I am pretty sure that there was a hard line between those who could administer systems and those who could issue CACs.

      It seems doubtful that an SA would be able to generate a certificate, with the proper signatures, and install it properly to the network.

      1. Anonymous Coward
        Anonymous Coward

        Re: But I don't need their passwords...

        So, if he had said "create a pair of accounts w/ smartcards", would that satisfy you?

      2. midcapwarrior

        Re: But I don't need their passwords...

        It can't be delayed. The wait you have before you add your print to the card is when the previous card revocation is complete. Yes it is a separate network.

  19. Anonymous Coward
    Anonymous Coward

    Is it just me...

    ... or does this revelation change the dynamic of the story somewhat?

    We no longer have the case of a sysadmin who had the authority to see secret material based on the privileges he needed to do his job, and then 'liberated' that material.

    We now have an individual who purposefully set out to gain access he was not entitled to. That adds 'breaking and entering' to the previous 'theft'.

    1. hj

      Re: Is it just me...

      Does it really matter?! Do you really think the guy would have had any credibility without the info he got hold of?

    2. I. Aproveofitspendingonspecificprojects

      Re: Is it just me...

      "We now have an individual who purposefully set out to gain access he was not entitled to. That adds 'breaking and entering' to the previous 'theft'."

      Only his name was George Bush and he was too damned stupid to get involved personally. And anyway it wasn't theft. They willingly told him everything he wanted to hear when he didn't really torture them.

      1. Sir Runcible Spoon Silver badge

        Re: Is it just me...

        1. If I tell someone I'm authorised to enter their house and they give me the key to get in - that isn't breaking and entering.

        2. Theft is where you deprive the owner of something. He's perhaps stolen the jam out of their fucking doughnut, but he didn't steal the data - he made an un-authorised copy.

        Perhaps they will accuse him of copyright infringement next, although there are about 6 billion people who would make a counter claim I expect.

  20. Anonymous Coward
    Anonymous Coward

    Disposable Resources

    They arbitraged and lost. The zero loyalty disposable resource with access to long term security related data stood on its hind legs and asked: "what have you done for me today"?

    Usually the question is silent and so is the payment from the PLA or FSB or DGSE or ... You hear about Snowden because he did not sell out to the highest bidder but showed a streak of youthful idealism, ripping away the curtain and showing the greasy short fat naked bureaucrat warming his buns by the can with the burning Constitution, while spying on everyone and everything.

  21. roly

    We're all safe as long as we're not facing the KGB...

    That's the thing that scares me the most. Even if the NSA and GCHQ think they are doing this for your benefit, who's to say that they are secure? The KGB were very successful at getting information from CIA agents, and that was when we all thought it would be nuclear war without our spooks. The point is that checking staff when they come in is not enough. They need to be constantly supervised. What's to say that an NSA operative could not have his family kidnapped or have compromising photos taken or something? It's really lucky that the ex-KGB staff don't work for the Russian Mafia or anything, is it! Oh wait...

  22. J J Carter Silver badge
    FAIL

    Passwords? At the NSA, I expected four factor authentication as a minimum!

  23. Stevie Silver badge

    Bah!

    Well, damn.

    8o/

  24. Stevie Silver badge

    Bah!

    "The boss of GCHQ claimed to Parliament's Intelligence and Security Committee that Snowden's revelations had directly helped Al Qaeda."

    Dollars to dimes the proof of that is in a dossier that can be waved in the air but never, *never* examined as to the contents.

  25. Anonymous Coward
    Anonymous Coward

    A question

    The story of borrowed passwords seems a bit at odds with the leakage of documents. The documents appear mostly or entirely MS Office documents, describing the data and operations, that would have come from the Windows/LAN environment normally accessible only with the help of a smartcard / PIN combination (administrators might have a passworded network login, but normally would use a smartcard like unprivileged users).

    Username/password logins would more likely be used for non-Windows servers, which likely would be the ones storing operational data. Yet we have not seen such data released, so it is unclear whether the password borrowing allegations are in the class of unsubstantiated rumor or possibly a diversion.

    A great deal more has been released than would have been necessary for Mr. Snowden to make his claimed point. If password violations are involved it is implausible that Mr. Snowden would not have dipped into the real data if he could, and one wonders when and to whom his handlers released (or will release) the operational data and method details.

    1. midcapwarrior

      Re: A question

      Obviously you have not had access. They are file shares and until recently the "high side" was username/password. You had to have a smartcard and PIN to get into the secure room but no card for the PC. That has changed this year.

      1. TechnicalBen Silver badge

        Re: A question

        You're also assuming the management don't put all the documents under the share/public drive but in a folder called "mine, don't open" or "our department only".

        I never had the heart to tell our boss (big enough company to know better) that their private employee meetings, such as dismissals, were saved on the share under a folder called "private" etc. :/

  26. Camilla Smythe

    Oh Shit!!!

    What Sir?

    AQ has got hold of all our stuff.

    Damn!!

    Implement plan S.

    Plan S Sir?

    Do please read the manual.

    Shuffle Shuffle Shuffle.

    Ah, cunning.

  27. John Smith 19 Gold badge
    WTF?

    If NSA's mission is to snoop on everyone then the man who collects most wins. IOW

    With 26 logins Snowden is king spook!

    Seriously. Are you f**king kidding me? 26 people gave up their logins without question?

    I know Snowden was a contractor and probably most of the people he worked with were also contractors, but I find it impossible to believe they did not know who they were working for or the level of discretion that was needed.

  28. codeusirae
    Facepalm

    Polygraphs are pseudo-scientific nonsense ..

    "if you've been polygraphed, you're an insider and you are presumed to be trustworthy,"

    Has anyone ever done a double-blind test? How many false positives, how many false negatives ..

    1. I. Aproveofitspendingonspecificprojects

      Re: Polygraphs are pseudo-scientific nonsense ..

      They gave him the keys to the kingdom after they stuck a wire in his arse. He ate all the shit that they gave him and passed out the top of the class.

  29. codeusirae
    Facepalm

    Retrospective Reuters arse-covering ..

    "A handful of agency employees who gave their login details to Snowden .. said a source close to several U.S. government investigations"

    Who told Reuters and can we believe them? What does Snowden have to say regarding leaked passwords? How and why did the 'agency employees' cop to revealing their passwords? Besides, a competent tech admin don't need passwords.

    "Reuters reported last month that the NSA failed to install the most up-to-date, anti-leak software at the Hawaii"

    What 'anti-leak software' ?

    1. tom dial Silver badge

      Re: Retrospective Reuters arse-covering ..

      "[A] competent tech admin don't (sic) need passwords."

      He needs passwords if, for example, he plans to access data he is not permitted to see and knows that there is auditing in place that he cannot disable without being noticed. What he needs is the login details of people who plausibly could be accessing the data.

      He could need login credentials to access systems for which he was not authorized. In that case, he might need credentials for administrative accounts. I seem to recall that shortly after Snowden's resignation, NSA announced a radical reduction in the number of administrators. These may be related.

      It may *just* be possible that the employees whose trust Mr. Snowden abused had the honesty to come forward and own up to their error. In the end, though, they probably would have been questioned and with reasonable probability found out.
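
      The attribution problem described in this comment, as an added editorial illustration rather than anything posted in the thread: a per-account audit trail attributes every access to the account owner, so borrowed credentials look legitimate until the trail is correlated with which workstation each account is issued. The audit lines, the `ASSIGNED_HOST` inventory and the 30-minute window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (not real logs): who authenticated, from where, when.
AUDIT_LOG = """\
2013-04-02T09:01:10 user=alice host=WS-101 event=logon
2013-04-02T09:03:44 user=bob host=WS-102 event=logon
2013-04-02T13:10:05 user=alice host=WS-250 event=logon
2013-04-02T13:12:30 user=bob host=WS-250 event=logon
2013-04-02T13:15:02 user=carol host=WS-250 event=logon
2013-04-02T13:20:11 user=eddie host=WS-250 event=logon
"""

# Constructed asset inventory: the workstation each account is issued.
ASSIGNED_HOST = {"alice": "WS-101", "bob": "WS-102", "carol": "WS-103", "eddie": "WS-250"}


def parse(log):
    """Turn 'ts key=value ...' lines into dicts with a datetime under 'ts'."""
    recs = []
    for line in log.splitlines():
        ts, *kv = line.split()
        rec = dict(p.split("=", 1) for p in kv)
        rec["ts"] = datetime.fromisoformat(ts)
        recs.append(rec)
    return recs


def naive_attribution(recs):
    """What the per-account trail alone says: every access belongs to its owner."""
    return sorted({r["user"] for r in recs})


def find_borrowed_logins(recs, window=timedelta(minutes=30), threshold=3):
    """Correlate account with source host: flag accounts used off their issued
    workstation, and hosts that cycle through many accounts in one window."""
    off_host = [(r["user"], r["host"]) for r in recs
                if ASSIGNED_HOST.get(r["user"]) != r["host"]]
    by_host = defaultdict(list)
    for r in recs:
        by_host[r["host"]].append(r)
    busy_hosts = {}
    for host, rs in by_host.items():
        rs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(rs):
            users = {x["user"] for x in rs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= threshold:
                busy_hosts[host] = sorted(users)
                break
    return {"off_host": off_host, "busy_hosts": busy_hosts}
```

      The naive view lists four ordinary users; the correlated view flags three accounts used from a workstation they were never issued and one host (the admin's, in this constructed data) running through four different logins in ten minutes.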

    2. Lapun Mankimasta

      Re: Retrospective Reuters arse-covering ..

      What 'anti-leak software' ?

      A catheter. Incontinent underwear.

  30. Martin Huizing

    This post has been deleted by the NSA

  31. AlexH

    Just passwords? The 1980's called...

    Yet another of the many things about this whole debacle that beggars belief: that only a *password* was required to gain access to classified information.

    Two-factor authentication? Biometric usernames? There are plenty of new-fangled (...!) authentication methods that would have helped prevent this.

    (I realise that may all be nonsense as perhaps they were in place and his access as a systems admin allowed him to bypass them. Maybe.)

  32. I. Aproveofitspendingonspecificprojects

    Well, here I am at the end of the replies. I could read a lot more; it's been a blast. I only wish I could go back to the Burgess and Maclean era and enjoy all that, but things were very different then.
