Slashdot Mirror
Snowden Used Social Engineering To Get Classified Documents
cold fjord sends this news from Reuters:
"Edward Snowden used login credentials and passwords provided unwittingly by colleagues ... to access some of the classified material he leaked. ... A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments. ... Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator. ... People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records. ... The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.'"
Lifting a little corner of the veil over the monstrous crimes of imperialism! Only a workers revolution will put an end to imperialist barbarism!
UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
Anyone working in the security field who gives up their password is an idiot, and should be fired.
...though his revelations of the intelligence gathering practices of the NSA are a gift that just keeps on giving.
Funny that the people he duped to obtain some of the information are being relieved of their jobs (though not their lives, presumably), but the people participating in the overreach won't suffer any consequences.
Not only does the NSA have your data, probably any other organization interested in it is able to obtain it from them.
upon the advice of my lawyer, i have no sig at this time
How is a sum of money classified in a budget? "Hey, out of our $30,000,000 budget for projects A, B, and C, we spent $10,000,000 on A, $5,000,000 on B, and a classified amount on item C."
I read TFA and all I got was this lousy cookie
Isn't the NSA the one damned place where these kinds of things should be part of the training?
Sadly, the only real change that will likely come out of all of this is a doubling of NSA's budget "to make sure this never happens again".
No one is lying.
Honest!
There are no secrets.. They eventually get out.
What I am curious about, is with all this data they are sifting how come there is nobody from Washington in Jail? You know they are
mostly self serving scumbags.
What bothers me more about all this data, and is never mentioned, is that it is possible now for people who have access to all this
big data, to profit from it on the stock market very easily.
....the guy who installs your logging software has a good chance of subverting it.
In other news, there are a lot of stupid employees at the NSA regional operations center in Hawaii.
If the NSA had trained its employees competently, they wouldn't be so naive as to give their login passwords to anyone, even an admin.
Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
As someone who has been a sysadmin for years, I can say, unequivocally, I never ask people for their passwords. If I need access to your account, I can have it. If I really need to do an end to end test, I can probably do it by swapping out your password hash and then restoring it so I never need your password. If that can't be done, i will change it and then reset it so you have to change it again.
Yet... despite this... from time to time people just.... send me their passwords.
"Account X on machine Y with password Z can't login, can you check it?"
So no shock at all here.
"I opened my eyes, and everything went dark again"
"would earmark a classified sum of money" .... again this classified BS - what do they have to hide? The crap tax-$$'s burnt on all this pipe dream?
This whole pandora box gets never cleaned out. Needs the method how the gordian knot was solved...
Snowden used whatever the CIA told him to use to get the smack down on the NSA. Wake the fuck up. People now a days will see a tree in front of them plain as day, the media will call it a elephant and instantly it's a elephant. What about all the info he gave that the media that the media didn't publish because they were asked not to? Fuck it, skip right over that jem!!!!
If you'd like to know what really happened, post your slashdot username and password in a reply, and I'll let you in on the secret...
there are undisclosed sums in bills out of Congress all the time when it comes to security. the way it works is, there is a backroom deal between the chairman and the agency, and Treasury is told there is authorization for $???,???,???.?? for account XYZ.
committee chairmen are in on a ton of secrets, and go along with a bunch more on the order of "I need this sum (flashes paper quickly and back in the pocket) on authorization of the President for national security purposes." the rest of the committee trusts the chairman on this, and Congress has a little routine in which they all ignore these things. anybody with a problem can ask the chairman WTF this is about, and probably get the answer, "got a problem, can't tell you, they won't tell me, but it's urgent."
not everything is public. just ask your regional VP about what's critical for next July...
if this is supposed to be a new economy, how come they still want my old fashioned money?
Or are these revelations another piece of propaganda?
Its the year 2013 and the NSA is still using Login/Password? I would think the NSA would be using better tech to keep its documents safe and secure instead of having methods of access that could be found by looking over someone shoulder as they type. OH LOOK, I have top level access..... with your username and password. Seems to me the persons that should be taking the "blame" with this is not Snowden but the IT security professionals that claim to management that the data is all secure
Ahh Power is fleeting. It is but a illusion. And secrets are but a dream. Maybe if the NSA spent more time worrying about what they do than about what other people do they wouldn't be in the mess they are. They are so concerned about the toothpick in someone else's eye that they can't see the beam stuck in theirs.
I'm old, not dead. Well that's my 2 cents worth, your mileage may vary. I say what I think, not what you want to hear.
Why shouldn't they trust him? He was polygraphed.
FTA:
"In the classified world, there is a sharp distinction between insiders and outsiders. If you've been cleared and especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy," said Steven Aftergood, a secrecy expert with the Federation of American Scientists.
http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108
If people working with Top Secret/Classified information are so easily manipulated, you more or less have to conclude they had very few policies and controls in place.
This super-duper secret surveillance plan clearly wasn't relying on anything other than good manners to secure the information, and likely it was ripe for being abused by just about anybody there. How many of these people are looking up the information on their friends and family just because it's there?
If my admin came to me and said he needed my password, I'd laugh in his face.
Lost at C:>. Found at C.
I'm getting really sick of this shit over and over....
We've finally concluded that Snowden is no hero, by some a traitor, for others a dupe...and we're over it...
The media fucked up reporting this **from day 1**
We knew this in **2006** NSA has massive database of Americans' phone calls
yet there was no public outcry...
then the big one...PATRIOT ACT
full text of the Patriot Act has been reported on and available to anyone with an internet connection or library card since 2001...
I'm sick of Snowden's puppet masters having free reign of the news...we need smarter editors!
Thank you Dave Raggett
And there's some reason to believe that there isn't--then Snowden purposely used social engineering to fool colleagues into giving him their passwords. Do the ends justify the means? He's exposed the NSA's domestic spying, but now the wave's continuing onward and we're getting our normal espionage practices exposed. Are we allowed to ask if doing so does indeed put us more at the mercy of Russia, China, their actors, and Al Qaeda? At what point does this process stop? At what point does the good that was done become overshadowed by the potential harm?
Here's to hot beer, cold women, and Glaswegian kisses for all.
I don't believe this and neither should anyone else. The claim is utterly unsubstantiated.
We were working on DLP (Data Leakage Prevention). IMHO, the whole premise was insane. My conclusion was this: You could spend massive $millions on this DLP system to counter the "insider threat", or you could simply stop being douches and hire good, trustworthy people. Would agencies and corporations ever consider such a thing these days? Of course not. Being a douche is in their DNA, and their cronies are getting the $millions for the DLP.
Well, specifically, people are.
I'm part of the security team for my company, we did a round of cross-app penetration testing, first thing I did was ask people for admin logins via e-mail
Every single team happily sent me logins for both test and production apps
To get the keys to the castle sometimes all you have to do is just ask the king :-/
One provision of the bill would earmark a classified sum of money
Nothing like unaccountable monies in unknown quantity; that'll show'em. The NSA will never make such mistakes again after getting such harsh treatment.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
So they plan to waste millions on a project that will "install new software designed to spot and track attempts to access or download secret materials without proper authorization."? If he gets the credentials from users authorized to access the information how will this work? Swing and miss!
I can safely predict one thing:
If you're a systems type working at any US national security TLA*, your job is going to get a whole lot harder. Maybe your whole life, since you're going to be under massively more suspicion and scrutinly ALL THE TIME. And the tools you need to do your job (not just software tools, but interactions and communications with those you're supporting) will be harder to use, and much more restricted, and viewed with more suspicion.
NSA may just wind up cutting itself off at its technical knees in a rampage of self-inspection and the internal purges I suspect are underway right now.
*TLA: Three-Letter Agency. By odd coincidence, most organs of the U.S. intelligence apparatus seem to name themselves by three-word names, and therefore are colloquially named by three-letter initialisms.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Are those who gave him the passwords going to be charged with treason?
He just read off of the post it note in their cubicle...
Do not look at laser with remaining good eye.
Excerpts from Reuters "article:"
This garbage has the same quality sourcing as the hit-piece published by The New York Times and The New Yorker that spread unsubstantiated rumors claiming that Snowden had given classified documents (i.e., unpublished material) to Chinese and Russian officials.
Thank you, Edward Snowden.
"Arguments from authority are worthless." —Carl Sagan
Most likely, every single one of those users were issued CaC cards (Common Access Cards). It amazes me that any government system still supports username and password authentication - especially intelligence based systems on the SIPRnet. Certificate/pin based authentication could have prevented much of this from happening...
Who says he duped anyone? I do some sysadmin work and I've probably had just as many people over the past year send in support tickets like:
"HEPL!! My computers broke and I can't make it work! The red thingy is blinking! Numbers are due out tomorrow!!! My logins XXXXX and pass is ???? Employee # 123456 Please call me asap! @ 555-5555"
etc... etc... etc...
Next ticket is "You broke it even worse! Now my accounts locked!!!"
to which I reply "Yes, corporate security will be contacting you shortly about that. In the meantime, concerning your original problem I see that you haven't rebooted your computer in over 3 months and you've had a VPN open to your home the entire time. I suggest giving a reboot a try once your done talking to security about our security standards."
Anyone think a professional spy could do what Snowden did?
What percentage of NSA actually work for the FSB?
Think this could be a bigger problem than one individual who takes great care to not endanger NSA agents?
He also slipped this into his summary:
Just his standard issue repetition of corrupt authoritarian talking points.
I love how people are saying that people at the NSA shouldn't reveal there passwords to any one (even one who likely would be presumed to have responsibility/authority) and yet when Terry Childs didn't reveal the password to the San Francisco network to an unauthorized person or in an unauthorized way he should be crucified. This is just hypocritical.
Terry Childs was correct in his posture and stupid in his actions.
These NSA people were just stupid. I wouldn't have expected much more of them though given an apparent lack of training. Somebody somewhere should have alerted a security-person (whom I'd presume Snowden was not, given he was an admin, contractor, etc).
*TLA: Three-Letter Agency. By odd coincidence, most organs of the U.S. intelligence apparatus seem to name themselves by three-word names, and therefore are colloquially named by three-letter initialisms.
Oh, well, good to know. That saves me the trouble of trying to work out Top Level Anagrams.
More offenses to add to the list Snowden has committed.
Good luck ever returning to your "homeland", Eddie.
sNOwden is a monster, not a hero.
Not only is the NSA breaking the law, they also consist of idiots who ought to know better about social engineering and the likes ... Does anybody need more proof that the NSA should be shut down?
What about DISA or EPIC? I'm counting 4...
" One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.'"
Ok, so they will spy on those who spy on Internet users. But who will spy on them, in turn?
thanks for that...I was in a politics tweeting phase and I tried to get a conversation started about Greenwald's background, b/c I used to work in news (at a low level staffer, but I was at a network and later was web editor for a newspaper)
The way Greenwald operated bothered me...it seemed he didn't care at all about **protecting his source**
That's journalism 101...the USA has well understood laws that can, **if the journalist is willing to go to jail for 2-6 months** protect a source of a news story...see, Congress can subpeona you to testify, the journalist pleas the 5th, then they have the right to jail the journalist for as long as they think it might be coorcive for the journalist to give up their source.
By law it can't be more than a year, and almost always ends around 4 months...
It's rare but it has happened...it sucks for those months, but as a journalist, if you go through that whole process you come out a hero with a guaranteed book deal!
It requires all parties...the leaker, the journalist, newpaper editor, and a good lawyer...and the information leaked has to be highly relevant and...you know...true...
but it can and does happen...Greenwald didn't approach this at all like a professional and no one ever talked about it!
Thank you Dave Raggett
For me this just points out how inflated the US intelligence is. Even the dumb ones are making in the US intelligence.
Is this story true? I have no reason to believe this at all. Admins don't need users passwords. Admins "own" the systems that they work on and can become any user they want to be without passwords.
The NSA lies. If we are to believe anything that comes out of that agency they better have hard evidence verified by the third source if one exists. This is a claim, nothing else.
I am under the impression that sensitive information and higher required authentication via a cac card.
How do you get national security clearance without being taught how to avoid this?
You don't mean that that's a bad thing do you?
If they're getting paid well to spy on themselves, they won't need to keep finding more lame excuses to spy on us. I'd say they've solved the funding problem and the rest of us will be free to go about our business.
Who has been telling the truth since June? Snowden.
I am amazed that so many are taking this sniff-test-doubtful story at face value and debating whether the engineered sysadmins should be fired or shot.
Ain't it funny how these "sources" might layer on a bit of devious sociopathy, to try to make Snowden fit the role of criminal wrecker?
Among the principals (NSA, GHCQ, executive branch, most politicians, Snowden) it is pretty much only Snowden's testimony and participation that hasn't been full to the gills with half-truths, contradictions, lies and attempts at character assassination.
Oh and how devious:
"People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records."
Read: "You ought to believe that Snowden did more than totally embarrass us, but he is so devious that you'll ave to take that on faith!"
"Sources said". Blech
NO CLEMENCY FOR FEINSTEIN
I know for a fact that it is far more satisfying to work in the private sector (and not for a gov't contractor either), where I actually produce goods/services that real people actually want of their own free will. Be patriotic, and quit that gov't job today!
That would be "to steal". I dont care if you think he should have or not, he STOLE classified documents and released them to people without the proper clearances, without permission.
---- Booth was a patriot ----
The question regarding whether Edward Snowden is a hero, or not, requires more time for the world to judge.
However one thing is clear - Edward Snowden, and what he has done so far, with his expose of the dirty secrets of the so-called "democratic countries", shows that the guy does believe in the ideal of democracy.
Contrast this to those untold millions of power-craving freaks who have helped NSA/GCHQ (amongst others) putting up massive surveillance systems to spy on their own people in supposedly democratic countries, Edward Snowden shines.
When compared to the enormous spook complex , Edward Snowden stands out like a tiny, lonely beacon.
However tiny that beacon is, what Edward Snowden has accomplished, for the freedom of the world, should not be forgotten.
The submitter of TFA, Mr. Cold Fjord, has been very actively astroturfing Slashdot by launching all kinds of accusations towards Edward Snowden, from all angles.
We must be awared that, had it not because of Edward Snowden, we wouldn't have known so much of the despotic schemes perpetrated by those democratic governments .
In conclusion, even if Edward Snowden is not (yet declared) a hero, I still owe my sincerest thank to him !
Muchas Gracias, Señor Edward Snowden !
Well - the only way you're gonna get 100% security is ... to take the men out of the loop.
And we all know what happened after that.
With all that going on unnoticed from one person it makes you wonder how much a foreign power putting in a concerted effort with several agents could have done.
Could this be a good reason for deploying 2 factor authentication ?
I don't believe in bio-metrics, so it would have to be something you know and something you have, like a USB-key or something like that.
New things are always on the horizon
He was able to irritate England quite a bit.
He managed to irritate England about the bit where GSHC has apparently collaborated with NSA on a voluntary basis.
(As opposed to all the various organisation and corporation who had helped NSA without knowing it, thanks to sabotage and blackmail, etc.
And as opposed to all the massive spying that GSHC has probably done on its own or with knowing collaboration with other countries).
Edward release information he has mostly gathered at the NSA. So it mostly concerns the NSA (and sometime their most active allies).
Just because they more often collaborating, GSHC is bound to occur a bit more frequently than, for example ONYX (Switzerland's own massive foreign surveillance network).
France has openly admitted that they spy on everyone, enemies and so called allies and made no apologies for it. All of the EU countries have actively worked with and exchanged data with the NSA. Spain, Germany, and France have admitted collecting data on their citizens and sharing that information with the NSA. The self righteous Brazilian president has already had to back pedal after announcing that Brazilian intelligence services also collect the exact same type of data on their citizens. She shouldn't hold her breath waiting on another invitation to visit the Whitehouse. China and Russia think this whole matter is silly because unauthorized data collection on their citizens is and always has been SOP for their intelligence services with no apologies.
I think that anybody with half a brain (so most of the /. reader ship) all know that absolutely everyone is spying on absolutely everybody else, going as far the *technically* (and not *legally* or *ethically*) can (technology and budget being the only limits).
Playint both *together with* and *against* the other, both at the same time. The whole field populated with not only double or triple agent, but even probably working for 5 countries simultaneously, at least 3 of which are aware of each other. And ready to switch allegience depending on who is the most profitable today.
But technologically inclined people weren't probably the main target audience for such releases.
This whole mess is not accomplishing anything but raising the level of animosity across the board.
It depends: /. reader, this release hasn't changed much. There isn't much that we haven't known or suspected before. It only helped put actual name and spying program on what up to now was "specific types of attack strategy that the academia has potentially described and against which we should watch". It's not "watchout for un-trusted code and side-channels" anymore, it's "watchout for BULLRUN". It's not "don't confide anything on the cloud, it's not secure" its "NSA is proven to siphon all the online data they can".
- For the technologically inclined, for the typical
- For the politics, only the public-facing has been getting messed (hesitating between ""try to act outraged" and "don't be too much outraged in case you have later to admit that you're doing the same on your side")
- Higher up politics, and various security and information services: I *REALLY* doubt that Snowden hasn't released much that wasn't either known already (as I've often said, FSB/KGB/Tcheka and MSS have been at this game much longer and are probably better experienced) or at least highly suspected. They won't even change their strategies that much. Chance are that, as they were already aware, they already had some minimal form of protection against it. (Russia and China are probably spy as much as the NSA and anybody else on the US population. But I doubt they have the US nor each-other's launch-code for nuclear strike)
Even for criminality, things don't change much: /.). Th
- I specially laugh at the recent defamation that "snowden might have helped child molester with his release" (as seen on
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
or has Slashdot been flooded with NSA sock puppets ever since Snowden blew the whistle?
while the nsa lets the nation's credibility slide
Three common denominators of thousands of embezzlement post-mortems: MOTIVE: Members of Congress mumbling about amending the money spigot and firing your ass. OPPORTUNITY: Obviously opulent since the contracting entity that designed, made and runs your back doors blatantly keeps back doors to your back doors and their owners are now pissed they'll have to groom fresh keyboard monkeys for the ones fired for feeding their fix for news before it is news. RATIONALIZATION: A little back door fixing of SEC, IRS and FDIC databases to omit certain accounts from investigative review, and viola! If it hasn't happened, its completion is nearing as I type. The hardest part will be trying not to hide your Mona Lisa smile when Congress defunds.