Only got themselves to blame.
I'm struggling to feel any sympathy for his co-workers, but is anyone really surprised that even in the NSA people don't quite get the importance of credentials being private?
Edward Snowden persuaded his NSA colleagues to hand over passwords which he later used to download top secret material and leak it to the press. According to a report on Reuters, the whistleblower cribbed login details from up to 25 co-workers, who have now all been questioned and moved on to different jobs. It is not known …
"I'm struggling to feel any sympathy to his co-workers, but is anyone really surprised that even in the NSA people don't quite get the importance of credentials being private?"
The officials who provide oversight over this whole mass surveillance shebang really need to be investigated themselves. Snowden did all this stuff on their watch, and it has shown that their oversight of these operations has been opaque, inadequate and ineffective.
If they had any sense of duty to the nation they would be working hard to fix the lack of oversight that led to Snowden gaining access to this stuff just by asking people for their credentials, instead of wasting valuable time vilifying Snowden.
I do wonder if any of those cretins have actually considered the possibility that if Snowden could get this info so easily in such a short period of time, then perhaps the angry blow shit up type terrorists already took that same information (and more) several times over.
This is the same thing with the IRS. Blatant violations of laws and protocols designed to prevent people in Government from abusing their authority and less than nothing done.
People transferred to a different position. Probably a better one.
A.C. for obvious reasons. Yeah I know they can't probably get my name but at least they have to work at it a little.
"The officials who provide oversight over this whole mass surveillance shebang really need to be investigated themselves."
No, I don't mean Obama, I'm not really sure how you came to that conclusion... Like it or not this stuff didn't start on his watch... I was referring to the various committees, judges etc. that are meant to establish the rules and laws which the spooks operate under, monitor their behaviour and enforce sanctions should they fail to comply with the rules/laws.
Oh it's guaranteed that the NSA and whatnot have been penetrated many, many times. The difference between those occasions and Snowden's, is Snowden was honest and told the world what a cock-up the NSA was, ditto the GCHQ, whereas the ones before him would've sold the info on to interested parties.
No surprise at all. Although I do feel some sympathy for the workers who have been reprimanded and maybe even fired for this. As someone who has had the need in the past to work on people's workstations while they were logged in as themselves, it comes as no surprise whatsoever the ease with which people will hand over their passwords.
Ok, I've never worked for the NSA and I don't know what kind of general computer security training they gave their people before Snowden (I'd put money on it being a hell of a lot better now!). But I have worked at small private companies, large multinationals and even public sector. In each scenario, a great deal of trust is placed on sysadmins, as they have to deal with users of varying technical abilities, and have access to highly sensitive information. In every job I've had, the user mindset has been "oh, he works in IT, he's trained in data security. He has more access to my system than I do and can access all sorts of data, so there's no problem handing over my password." Even when I've not asked for it (I try not to, and if the need does arise, I tell them to reset as soon as I've finished).
It might not be right, but it's the way it is in many office environments.
I have known it be worse than that but NOT in a security situation. In one location the passwords were handed out on the basis of the seniority of the holder and the severity of the impact of the possible actions. Thus the most senior staff member had the passwords that could do all the nasty stuff, e.g. format everything, shut everything down, etc. whereas the staff who knew what they were doing had the password rights that allowed them to turn on the pretty lights. Consequently everyone used the password of the most senior staff member! I kid you not.
*Actual commands, details of the rank of people and the location have been obfuscated.
You've got to wonder how many of the people holding security credentials stole material from the NSA and sold it to China instead of going to the papers like Snowden.
I'm guessing that for every one Snowden running to the press, there's possibly 100 or 1,000 inside guys selling our private data to foreign governments or to cyber-crime gangs.
> You've got to wonder how many of the people holding security credentials stole material from the NSA and sold it to China instead of going to the papers like Snowden.
Or even some other intelligence agency or organised crime group discovers that they were looking at something naughty online and uses that to blackmail them into handing over something pretty harmless, and then uses the proof that they handed this over to demand something more significant.
Looks like I spoke too soon.
From this evening's New York Times: "Bribery Case Implicates 2 Admirals: Two United States admirals, including the Navy's CHIEF INTELLIGENCE OFFICER, were stripped of their access to classified information on Friday after being implicated in a contracting scandal that federal prosecutors are investigating in San Diego."
Spooks and other people's money. Like flies and dog crap.
You do have to wonder why the NSA, with a multi-billion dollar budget and access to some of the best minds in the business, are not using two-factor logins of some description. Snowden would have fallen at the first hurdle were a random number fob or a fingerprint (or both) needed to get into machines; certainly an override system would have had to have been present also, but such an override would be very heavily audited indeed.
Perhaps there will be some openings in the NSA for people who know about basic security...?
Work is no longer what it used to be!
In the "good olde days", as long as you stayed loyal and toed the company line, your pay grade would click up one notch every four years, you were taken care of and you would get a gold watch & a pension after 25!
Today, we are not people, we are "resources". We know that the HR-vultures always have a beady eye out for cheaper labour that can be abused harder, businesses are contracting and hiring through 3rd-party agents to avoid any costs associated with employing and disposing of said "resources", there is generally no training and no career offered (or possible because of reorganisation every 3 years) - and yet - businesses and three-letter agencies assume loyalty from their disposable assets?!
The smart young things especially know "what the gig is": "Dump on Them before they dump unto Thee", "Grab the cash, Build a Stash", "Be liquid and rent, everything you "own" will be used to blackmail you" etc.
Well, our leaders wanted a highly competitive society and now they are about to get it.
"Only got themselves to blame" takes a very simplistic view of how things work. Even in the most paranoid of institutions, people need to be able to have some trust or they would not get things done.
When I was in the army, I worked some time in IT. The generals kept forgetting their passwords, so we ended up assigning the generals passwords which were printed out and kept on a list for everyone to reference. For a while, we made it easy for ourselves by assigning them all the same password.
Now as it turns out, pretty much nobody doing IT was vetted at all (I certainly wasn't and would have failed miserably - being associated with various "known" people - including a guy who was in jail for espionage). And I had all the generals' passwords.
You can guarantee the same happens in ALL government organisations, spooks or not. It probably happens in most banks too.
Yes, I saw that one too. So much for polygraphing - or maybe they forgot that vital question:
"Are you planning to leak all our secrets?"
Duh. For an outfit absorbing a bazillion dollars per annum in budget they sure have shit internal segregation. Whoever was responsible for internal security should get the rubber hose treatment - if I had this security even at a bank I'd expect to be escorted out of the building on the next audit.
Even though they're surveilling everything, we're told that all this data they're slurping up is all held safe, they know how to protect it and vet the people who have access to it so we can trust they won't abuse this capability etc. etc. - our private business will remain private.
And they continue with this nonsense even when it's now perfectly clear they could not even protect their own top secret secrets from a low level third party contractor who it appears had access to virtually everything they were doing.
NSA security lapses notwithstanding, it is not clear (yet) that Snowden took anything but the metadata - the slides and documents that describe the data being collected and its processing. From the NSA perspective that's undoubtedly quite awful, maybe worse than the collected data. For those about whom data was collected that could be good news, if you trust that he didn't have access to it, or chose not to bother.
Mention of borrowed passwords, though, suggests he took pains to gain access to systems that contained the collected data, so I would guess some of that went with him as well.
"Trust me, I know what I'm doing." Also spracht Sledge Hammer.
Believe you me, the NSA has been putting backdoors in security products as fast as it can, under the impression that only it can use them. At the same time it's been piling up all this lovely metadata.
Google got rich on metadata. Now when some "interested party" pwns NSA, they'll have the keys to the economy of the US, the UK, the Rest of Europe - sorry, Yorp - and the Rest of the World. In a better world, the NSA would be tarred and feathered and ridden on a rail out of town.
When I was sysadmin a few years ago, the usual helpdesk call was 'I've forgotten my password, can you tell me what it is?' Nobody believed me when I stated I didn't know what their password was, but I could reset it for them to create a new one.
So being sysadmin in a large corporation, I guess many people *think* the sysadmin knows the passwords, and an obscure remark in passing like "Oh, BTW, I need to fix your mail box, what is your password again?" will work.
"being sysadmin in a large corporation, I guess many people *think* the sysadmin knows the passwords..."
But the NSA isn't just any large corporation, security is their one and only job. And screening notwithstanding, they should be working on the assumption that at least some of their staff are Chinese, Russian etc spies who got through one or more layer of security. That's why you have multiple layers / levels of security and Chinese walls.
How hard is it to make sure that all new hires / contractors know not to give their password to anyone?
NSA double-fail, they're not only illegally slurping data, they can't even protect it
Compartmentalization. Having worked on the periphery of Dept of Defense projects, I've seen quite a bit of this at private contractors. "I have a top secret clearance. So let me see your blueprints." Nope. You have clearance for your project. I have clearance for mine. There are very few people in the DoD chain of command that are authorized to see everything. Never mind the private contractors.
In fact, (and contrary to what I've heard in a few pubs down the road from the plant after work) you're not even supposed to run around telling the public what sort of clearance you've got. Impress the cocktail waitress with some other story.
Not in the least!
I just had a user hand over their password yesterday, without asking! The user asked our team to look into why they didn't receive the messages people said they sent! I told the user we can't see that, we have no access to their mailbox, and the pw was in the updated helldesk ticket within 2 minutes.
Truly amazes me....
A pint as it's already beer:30
All new employees in my office are given the same boring speech.
It doesn't matter who asks, never ever give your password to someone else, not me, not your immediate boss and definitely not a "friend". Yes I have the means to change your password but no I do not have the means of knowing your current password (except when I look over your shoulder and follow your fingers; corporate policy makes this a little difficult though: 9 chars min, 3 different types). If you give your password to someone else then you accept all responsibility for any and all of the resulting consequences.
Giving your password to someone else is like putting your finger on the trigger of a loaded gun.
Very familiar, but what one has to try to do is to make those co-workers and bosses, who stand behind the person who has to enter a password, voluntarily turn their head. I have seen people in a higher position getting pissed off when asked to look the other way for a second. One funny memory regarding passwords was a girl at a customer whose password I had to ask for, with several other persons present. She got very upset, disturbed and blushing. I finally asked her to write it down and give it to me. What a happy face, and a password I can still remember.
I can honestly say that I have never been asked for a password nor have I ever asked anyone for theirs. I have been asked to log into a system and let the technician do something while I watched, or more likely to log in and then demonstrate an issue. I was usually asked to change my password once the job was done - a point was always made to turn away when passwords were entered.
This was not in a 'security activity' as such, but anyone asking to borrow a password would be refused. Anyone requesting a password that carried any operational impacts, would have been invited to join the foreign office and start travelling.
I find it unbelievable that an organisation using the TLA of NSA understood so little and had staff who clearly knew so little about what their job involved.
For one job the 'ever-so-casual-chat' warned about far less blatant risks along the lines of 'never do favours for or accept favours from strangers'. Even selling an account of a holiday or, e.g., nature observations on perhaps a nesting bird to a hobby magazine could be a threat to continued or even any future employment.
>Very familiar, but what one has to try to do is to make those co-workers and bosses, who stand behind the person who has to enter a password, to voluntarily turn their head.
Normally I would make the situation into something funny. If I am at my desk or someone elses for that matter and I need to enter an admin account/password I will ask anyone watching if they are an "undercover agent" trying to get a hold of my password by watching my fingers, always in a light hearted tone. I can't think of many/any occasions where they didn't realise what they were doing and immediately look away.
DoD password rules for administrator accounts, as I recall from a few years ago:
Minimum length 13
Two or more upper case letters
Two or more lower case letters
Two or more numerals
Two or more punctuation characters
Changed no less often than every 60 days
Different from all of the last 10 passwords
Different from all passwords used in the last year
Put your story to that.
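The rules in the comment above are easy to state and easy to get subtly wrong when enforced (the "last 10" and "last year" history rules overlap, and the history has to be stored without keeping the old passwords in the clear). The checker below is an added example written for this page, not code from any DoD system; it assumes the history is kept as salted SHA-256 digests with the date each password was set, which is an assumption about storage, not something the comment states.

```python
"""Checker for the administrator password rules listed in the comment above:
minimum length 13, at least two each of upper case, lower case, numerals and
punctuation, rotation within 60 days, and no reuse of any of the last 10
passwords or of any password used in the last year.

Added example for this page, not code from any DoD system. Storing history as
salted SHA-256 digests plus a set-on date is an assumption made here.
"""
from __future__ import annotations

import hashlib
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 13
MIN_PER_CLASS = 2
MAX_AGE_DAYS = 60
HISTORY_DEPTH = 10
HISTORY_WINDOW_DAYS = 365


def composition_errors(password: str) -> list[str]:
    """Return every composition rule the candidate password violates."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    counts = {
        "upper-case": sum(c.isupper() for c in password),
        "lower-case": sum(c.islower() for c in password),
        "numeral": sum(c.isdigit() for c in password),
        "punctuation": sum(c in string.punctuation for c in password),
    }
    for name, n in counts.items():
        if n < MIN_PER_CLASS:
            errors.append(f"fewer than {MIN_PER_CLASS} {name} characters")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    # Salted SHA-256 is fine for comparing against history; the live
    # credential itself should be stored with a slow KDF (scrypt, argon2).
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


class PasswordHistory:
    """Salted digests of an account's previous passwords, oldest first."""

    def __init__(self) -> None:
        self._entries: list[tuple[date, bytes, bytes]] = []

    def record(self, password: str, set_on: date) -> None:
        salt = os.urandom(16)
        self._entries.append((set_on, salt, _digest(password, salt)))

    def rotation_due(self, today: date) -> bool:
        """True when the current password is older than MAX_AGE_DAYS."""
        if not self._entries:
            return True
        return (today - self._entries[-1][0]).days > MAX_AGE_DAYS

    def reused(self, password: str, today: date) -> bool:
        """True if the candidate matches any of the last HISTORY_DEPTH
        passwords OR any password set within HISTORY_WINDOW_DAYS (union of
        the two rules, so an old password only ages out when both lapse)."""
        cutoff = today - timedelta(days=HISTORY_WINDOW_DAYS)
        first_recent = max(0, len(self._entries) - HISTORY_DEPTH)
        for i, (set_on, salt, digest) in enumerate(self._entries):
            if i < first_recent and set_on < cutoff:
                continue  # outside both the depth and the time window
            if _digest(password, salt) == digest:
                return True
        return False


def validate_new_password(password: str, history: PasswordHistory,
                          today: date) -> list[str]:
    """All reasons a proposed new password must be rejected (empty = ok)."""
    errors = composition_errors(password)
    if history.reused(password, today):
        errors.append("matches one of the last 10 passwords "
                      "or one used in the last year")
    return errors


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.record("Xq7!Rm2#lvpa9", date(2013, 1, 1))
    print(validate_new_password("Xq7!Rm2#lvpa9", hist, date(2013, 2, 1)))
    print(validate_new_password("Zb4$Kp9&ortw1", hist, date(2013, 2, 1)))
```

Note that the two history rules are a union: a password drops out of the reuse check only once it is both older than ten changes and older than a year, which is the reading that makes the "last year" rule add anything to the "last 10" rule.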
Bernard Law Montgomery was a committed socialist as was nearly everyone under him and the other 2/3rds of HM armed forces were the same. It didn't last of course but Russia was paranoid about its publicity and had a seriously determined attitude about catching spies.
Even that fat drunk Churchill played into Stalin's hands time and again. Not with little things like all our used aircraft but really big stuff like Eastern Europe. What he wasn't giving to Russia he was letting the USA roll over. The idiot was a far bigger menace than any of the moles Russia had here from Klaus Fuchs on.
I don't doubt for a moment it only got more and more sordid. The absolute antithesis of every James Bond film.
"The boss of GCHQ claimed to Parliament's Intelligence and Security Committee that Snowden's revelations had directly helped Al Qaeda"
Ok ... and 10 years ago we didn't know GCHQ were slurping data? We didn't know that the only way to protect data was to heavily encrypt? We didn't know that the US and GB were sharing anything they wanted, whenever they wanted? All Snowden has done is confirmed the bleedin' obvious - which is why bin-Laden didn't directly use electronic communication!
Snowden hasn't helped the US or GB by simply confirming that "they've got their digital fingers in the till", that is why the politicians are not happy. If he'd have been al-Snowdenov and released al-Qaeda (whatever that is) secrets he'd have been a hero ...
"The boss of GCHQ claimed to Parliament's Intelligence and Security Committee that Snowden's revelations had directly helped Al Qaeda"
He *claimed* that, but his actual observation is simply that they aren't talking as much as they used to. Perhaps this is because the ones who were just larking about have realised they are being eavesdropped and the only ones still talking are the ones stupid/dedicated enough not to care. If so, the disclosure has hindered Al Qaeda by blowing away some of their cover. We just can't tell. Come back in a couple of years with some stats about actual criminal acts rather than speculation based on volume of gossip.
"He *claimed* that, but his actual observation is simply that they aren't talking as much as they used to."
Remember, for that kind of role you need absolutely zero education or competence at stuff like gathering evidence, assessing it and drawing conclusions from it. In fact the folks who pay no attention to inconvenient stuff like facts and reality tend to do better at gaining those positions because they are able to tell people what they want to hear.
Ray McGovern has written about this lack of care and attention to reality on the part of intelligence officials and their overseers over in Leftpondia for several years now. The same seems to apply in Rightpondia as well judging by the rubbish we see the state owned media (aka BBC) parroting at the moment.
....'the idea that the guy in the next cubicle may not be reliable'.......Maybe they need to spy on each other more often? Sounds like the 'ultimate solution' doesn't it? They'd be kept busy with less time to spy on ordinary Joe, politicians, foreign diplomats, foreign corporations, OWS protestors....
Nobody is coming out of this with any credibility. Not the NSA who have their greasy fingers in everyone's privates, not the co-workers who were completely stupid to hand over their credentials, and finally Edward Snowden who it seems would quite happily fuck over his colleagues. I did have a lot of respect for the stand he'd taken, but that is gone now. You have to wonder what his colleagues had done to him to warrant that kind of treatment.
Guess, if you want to show the world what's going on within the NSA, people want proof. Since he was only a third party contractor employee, he needs this info from his "co-workers". Can't really see why that is "fucking over your colleagues". Let's not forget those colleagues are/were the ones doing the actual spying on everybody. And I really can't have any warm feelings for those f*ckers.
Don't forget he said he took that job specifically with the goal of leaking information. So basically he was a spy. On the other hand, he also said one reason he came forward as soon as he did was that he didn't want his colleagues to get the blame for what he did.
"You have to wonder what his colleagues had done to him to warrant that kind of treatment."
Beside give him the keys to the kingdom, you mean?
How much can you decide to give when you decide to give all you can, your life included?
I'm reminded of the John Cleese/Ronnie Barker sketch from the Frost Report or TWTWTW:
Barker in pyjamas: "Come on, admit it. You're a burglar aren't you."
Cleese in striped vest and lone ranger mask after a long pause while he examines the options: "A bit."
I just heard from Adobe that they got hacked and lost all my data, the wankers. A while back it was Sony who got hacked and lost all my data, the wankers. Then TJX got hacked and lost all my wife's data. All "large corporations", I believe.
How do you expect ordinary users to understand and respect password security when their bloody employers can't even keep Boris the hacker from rummaging through their digital drawers with gay abandon? It's not that they TRUST the admin - it's that they've all been reamed by some other corporation already, the NSA is bugging their phone and interweb and they know that password-based security is a facade.
I had an abrupt exit interview from a vendor of SANs. It was attended by 2 storage industry veterans, HR, and an IT guy reclaiming my desktop and laptop. They were sorry that they could not let me take home my 2TB USB drive unless they deleted all the contents. Nothing on it that I needed so I agreed. They connected it to a Win laptop and pressed delete.
Then handed me the drive containing all the data on 2 unreleased products, totally recoverable with a simple undelete program. Mind blowingly inept.
...as a sysadmin, I could ask someone for their password. Alternatively, I could provision a smartcard with their certificate on, and use that to log on to the systems as them. I can do just as much as if I had their password. And they don't know I've done it.
The question is: how far can you trust me? Am I simply doing my job, seeing some things that perhaps I shouldn't have seen and keeping my mouth shut (both of which happen frequently)? Or am I a security nightmare?
Sure - Snowden probably didn't have the credentials I had, and thus, the point is moot. But, at some point, a sysadmin (of sorts) has to have access to someone's e-mail/files/etc. And if the sysadmin is rogue...
"Alternatively, I could provision a smartcard with their certificate on ..."
I am not sure that is possible in a USDoD agency for a lone administrator to do this. In the agency that employed me Common Access Cards are issued only in the security office, and programmable by equipment located there and online with a remote database that probably is used to verify the identity of both the issuing agent and the applicant; the processing would cancel the existing card and provision the new one with a new certificate. I believe the equipment used is physically inaccessible from the agency LAN. It is conceivable, however, that the old certificate revocation could be delayed for a short period, during which the authorized user would not be aware of the compromise. I am pretty sure that there was a hard line between those who could administer system and those who could issue CACs.
It seems doubtful that an SA would be able to generate a certificate, with the proper signatures, and install it properly to the network.
... or does this revelation change the dynamic of the story somewhat?
We no longer have the case of a sysadm who had the authority to see secret material based on the privileges he needed to do his job, and then 'liberated' that material.
We now have an individual who purposefully set out to gain access he was not entitled to. That adds 'breaking and entering' to the previous 'theft'.
"We now have an individual who purposefully set out to gain access he was not entitled to. That adds 'breaking and entering' to the previous 'theft'."
Only his name was George Bush and he was too damned stupid to get involved personally. And anyway it wasn't theft. They willingly told him everything he wanted to hear when he didn't really torture them.
1. If I tell someone I'm authorised to enter their house and they give me the key to get in - that isn't breaking and entering.
2. Theft is where you deprive the owner of something. He's perhaps stolen the jam out of their fucking doughnut, but he didn't steal the data - he made an un-authorised copy.
Perhaps they will accuse him of copyright infringement next, although there are about 6 billion people who would make a counter claim I expect.
They arbitraged and lost. The zero loyalty disposable resource with access to long term security related data stood on its hind legs and asked: "what have you done for me today"?
Usually the question is silent and the so is the payment from the PLA or FSB or DGSE or ... You hear about Snowden because he did not sell out to the highest bidder but showed a streak of youthful idealism, ripping away the curtain and showing the greasy short fat naked bureaucrat warming his buns by the can with the burning Constitution, while spying on everyone and everything.
That is the thing that scares me the most. Even if the NSA and GCHQ think they are doing this for your benefit who's to say that they are secure? The KGB were very successful at getting information from CIA agents and that was when we all thought it would be nuclear war without our spooks. The point is that checking staff when they come in is not enough. They need to be constantly supervised. What's to say that an NSA operative could not have his family kidnapped or have compromising photos taken of him or something? It's really lucky that the ex-KGB staff don't work for the Russian Mafia or anything is it! Oh wait...
The story of borrowed passwords seems a bit at odds with the leakage of documents. The documents appear mostly or entirely MS Office documents, describing the data and operations, that would have come from the Windows/LAN environment normally accessible only with the help of a smartcard / PIN combination (administrators might have a passworded network login, but normally would use a smartcard like unprivileged users).
Username/password logins would more likely be used for non-Windows servers, which likely would be the ones storing operational data. Yet we have not seen such data released, so it is unclear whether the password borrowing allegations are in the class of unsubstantiated rumor or possibly a diversion.
A great deal more has been released than would have been necessary for Mr. Snowden to make his claimed point. If password violations are involved it is implausible that Mr. Snowden would not have dipped into the real data if he could, and one wonders when and to whom his handlers released (or will release) the operational data and method details.
You're also assuming the management don't put all the documents under the share/public drive but in a folder called "mine, don't open" or "our department only".
I never had the heart to tell our boss (big enough company to know better) that their private employee meetings, such as dismissals, were saved on the share under a folder called "private" etc. :/
With 26 logins Snowden is king spook!
Seriously. Are you f**king kidding me? 26 people gave up their log ins without question?
I know Snowden was a contractor and probably most of the people he worked with were also contractors but I find it impossible to believe they did not know who they were working for or the level of discretion that was needed.
"A handful of agency employees who gave their login details to Snowden .. said a source close to several U.S. government investigations"
Who told Reuters and can we believe them? What does Snowden have to say regarding leaked passwords, how and why did the 'agency employees' cop to revealing their passwords. Besides, a competent tech admin don't need passwords.
"Reuters reported last month that the NSA failed to install the most up-to-date, anti-leak software at the Hawaii"
What 'anti-leak software' ?
"[A] competent tech admin don't (sic) need passwords."
He needs passwords if he plans to access data which he is not permitted and knows that there is auditing in place that he cannot disable without being noticed. For example. What he needs is login details of people who plausibly could be accessing the data.
He could need login credentials to access systems to which he was not authorized. In that case, he might need credentials for administrative accounts. I seem to recall that shortly after Snowden's resignation, NSA announced a radical reduction in the number of administrators. These may be related.
It may *just* be possible that the employees whose trust Mr. Snowden abused had the honesty to come forward and own up to their error. In the end, though, they probably would have been questioned and with reasonable probability found out.
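The point made a few comments up is that a borrowed password is useful precisely because it makes the audit trail say a plausible user did the access. What the audit trail still records, though, is where the session came from, so credential sharing tends to surface as an account logging in from a workstation assigned to someone else, or from two machines within a few minutes of each other. The detector below is an added example for this page, not anything from the NSA or the Reuters report; the log format, the workstation-to-owner inventory and the sample log lines are all constructed here.

```python
"""Spot borrowed credentials from login records.

Added example for this page, not from any real system. The log line format,
the WORKSTATION_OWNER inventory and SAMPLE_LOG are constructed for the demo.
Two signals are raised:
  foreign_workstation - an account logged in on a machine assigned to someone else
  concurrent_hosts    - the same account active on two different hosts within
                        CONCURRENT_WINDOW of each other
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, then key=value fields.
LOG_RE = re.compile(r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) host=(?P<host>\S+)$")

# Constructed asset inventory: which workstation belongs to which user.
WORKSTATION_OWNER = {"WS-0412": "jdoe", "WS-0417": "asmith", "WS-0420": "bwong"}

CONCURRENT_WINDOW = timedelta(minutes=10)

# Constructed sample lines: asmith's account appears on jdoe's workstation six
# minutes after asmith logged in on their own; bwong's account is used on
# jdoe's workstation hours after bwong's own login.
SAMPLE_LOG = [
    "2013-04-02T09:14:02 LOGIN user=jdoe host=WS-0412",
    "2013-04-02T09:15:40 LOGIN user=asmith host=WS-0417",
    "2013-04-02T09:21:13 LOGIN user=asmith host=WS-0412",
    "2013-04-02T13:02:55 LOGIN user=bwong host=WS-0420",
    "2013-04-02T17:45:10 LOGIN user=bwong host=WS-0412",
]


def parse(lines: list[str]) -> list[tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, user, host), sorted by time.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["host"]))
    return sorted(events)


def find_borrowed_credentials(lines: list[str],
                              owners: dict[str, str] = WORKSTATION_OWNER,
                              window: timedelta = CONCURRENT_WINDOW
                              ) -> list[tuple[str, str, str, datetime]]:
    """Return (signal, user, host_or_pair, timestamp) alerts in time order."""
    alerts = []
    seen = defaultdict(list)  # user -> [(timestamp, host), ...]
    for ts, user, host in parse(lines):
        owner = owners.get(host)
        if owner is not None and owner != user:
            alerts.append(("foreign_workstation", user, host, ts))
        for prev_ts, prev_host in seen[user]:
            if prev_host != host and ts - prev_ts <= window:
                alerts.append(("concurrent_hosts", user,
                               f"{prev_host}+{host}", ts))
                break  # one concurrent-hosts alert per login is enough
        seen[user].append((ts, host))
    return alerts


if __name__ == "__main__":
    for alert in find_borrowed_credentials(SAMPLE_LOG):
        print(*alert)
```

Neither signal proves anything on its own (hot-desking and remote sessions produce both), which is why a real deployment would feed these into a triage queue rather than block on them; the point is that sharing a password does not make the resulting activity invisible, it only changes whose name is on it.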
Yet another of the many things about this whole debacle that beggars belief: that only a *password* was required to gain access to classified information.
Two factor authentication? Biometric usernames? There's plenty new-fangled (...!) authentication methods that would have helped prevent this.
(I realise that may all be nonsense as perhaps they were in place and his access as a systems admin allowed him to bypass them. Maybe.)
Biting the hand that feeds IT © 1998–2019