Slashdot Mirror
NSA: Others Implicated in Making Snowden Data Leaks Possible
NBC News reports that "A civilian NSA employee recently resigned after being stripped of his security clearance for allowing former agency contractor Edward Snowden to use his personal log-in credentials to access classified information, according to an agency memo obtained by NBC News. In addition, an active duty member of the U.S. military and a contractor have been barred from accessing National Security Agency facilities after they were 'implicated' in actions that may have aided Snowden, the memo states. Their status is now being reviewed by their employers, the memo says." You can read the memo for yourself.
The NSA, the "experts" in computer security, doesn't use hardware access tokens? Everyone knows that passwords can be compromised (and a PKI certificate adds little since an attacker could copy the cert).
Though I guess since the NSA already hacked RSA, they knew they couldn't trust RSA tokens.
We can't let folks think that they could get away with this, of course.
Don't field many gov't contracts, I take it?
It has been obvious to me for a while that Snowden did not act alone, and that he probably represents a surface manifestation of deep divisions within the intelligence community.
I can easily imagine a situation where he calls up someone with access to classified info, and says something like, "this is Snowden from IT; we're having problems restoring the backup of your encrypted data files on such-and-such server; can you loan me your login information so we can properly validate the checksums? You can change your password right afterward."
Why in the world would you let someone use YOUR OWN PERSONAL login credentials? Why not just give him a key that you can lock out after he's done his work. I cannot believe that someone was deliberately this stupid
So Snowden social hacked a couple of people into allowing him to use their login credentials. That isn't exactly big news and while I'm not saying it's a particularly smart thing to do I seriously doubt that these people are the only ones in NSA history to share login credentials. The real news is that now that the US authorities can't get Snowden they are going to do the next best thing which is to hang these people out to dry as accomplices. I believe that's a mistake since don't think that the vindictiveness of the Obama administration and the US security apparatus is going to do them any favours in the long run but at least it is in the very best traditions of American 'come down on them like a ton-of-bricks' justice.
“At Snowden’s request,” the civilian NSA employee, who is not identified by name, entered his password onto Snowden’s computer terminal, the memo states.
“Unbeknownst to the civilian, Mr. Snowden was able to capture the password, allowing him even greater access to classified information,” the memo states.
Snowden lied to the other employee in order to steal classified information.
It's not vindictiveness -- it's procedure. Anyone with a TS-SCI clearance gets the "we'll ruin your life if you screw up" speech when they accept the status. And, given how often you're required to review training on how not to screw up, these people have zero room to complain about any proverbial ton of bricks.
Apart from the fact that I'm glad the leaks happened, it betrays an extraordinary amount of stupidity on the part of those who gave Snowden their credentials and indicates, at least to me, a considerable lack of training.
The company I run has some government contracts dealing with a considerable amount of very personal and detailed information of unemployed and disabled persons. I can tell you right now that we regularly drum into everyone's heads the level of confidentiality we require, that under no circumstances are you to give someone your IDs and passwords, or let them use your workstation while you're logged in. Every access to client information is logged, and information is strictly limited to what is needed by each employee to do their job.
The world's burning. Moped Jesus spotted on I50. Details at 11.
If I had to guess, They wanted him to do what he did.At least I would like to believe anyway that he wasnt the only one sick of unconstitutional acts
have you seen my sig? there are many others like it but none that are the same
This is the type of government organization that hires groups like RATFOR as security consultants. Who knows what they used for security procedures? Password list in /?
Everything I've ever learned the hard way was based on a statistically invalid sample.
What he accomplished, worth much more in so many levels, that social engineering, lies or even keylogger, means nothing.
When access to resources is a difficult or lengthy process, and deadlines for products using those resources don't take that into consideration, then it is easier to hand over your credentials.
If the processes for gaining access were streamlines and efficient, then this wouldn't occur. Since it probably is not streamlines and efficient, this is what you get.
I guarantee you Snowden really did no "social hacking" at all.
If you have EVER been someone who solves people's computer problems (sysadmin, DT support, phone support, etc.) you know that LOTS of people will just flat out tell you their passwords when they contact you. They'll put their passwords on post-its, in e-mails, even in the trouble ticket itself. Or they'll just tell you on the phone or in person. No matter how you try to tell them "I don't want or need that information" they still do it. Upper management and C-levels are the worst about doing this, and their accounts can usually access anything in the organization.
Hell, I don't even do support any more, but people still leave me notes or tell me their passwords if they want me to help them with something IT won't do.
....umbrella, as we used to say.
This reminds me of some famous quote that the military is always prepared to win...past battles....
This just in!
Officials are investigating the Washington Metropolitan Area Transit Authority, which is alleged to have aided Snowden in getting to and from secure facilities!
finding low level scapegoats
> Others Implicated in Making Snowden Data Leaks Possible
Since Snowden mentioned Clapper's lying to Congress got him to release the documents, I'd start by implicating Clapper.
From there it's hard not to implicate the Presidents who didn't honor their pledge to uphold the Constitution. Congress. Decision-makers within the NSA.
Without all of them, there would be nothing for Snowden to release.
I used to work for an ISP and *many* customers would call back after we cut off access because we couldn't talk to them would say "But I gave you my login and password already, you asked me by email because you found an incoherence"
(their account were used to send junk mail via the webmail service).
Since people are giving away credentals by *email*, not surprising they would give them out in person.
I've got better things to do tonight than die.
He used a Key Logger and Data Scraper, nothing complicated. Just goes to show the NSA has no clue regarding secure systems!
I can tell you right now that we regularly drum into everyone's heads the level of confidentiality we require, that under no circumstances are you to give someone your IDs and passwords, or let them use your workstation while you're logged in. Every access to client information is logged, and information is strictly limited to what is needed by each employee to do their job.
You should contract work for the NSA. Apparently, they need someone with your expertise.
And I can tell you right now that unless you're a tiny operation, people are doing it anyways.
The company I work for the IT folks keep a complete list of usernames and passwords in a text file, stored on a machine open to the Internet (including FTP!) which is, itself, is "protected" by those same passwords.
Oh, but it's OK, they told me once: It's in a password-protected zip file, so it's safe.
I'm sure that the unencrypted plaintext is scattered all over the temp directory of every machine they've ever used to view this file.
I'm (very) glad I don't get paid to care about that network anymore.
Kid-proof tablet..
Yeah, these people are effed in the butt. Obama can't hang snowmen so he,ll go after this lot instead.
I certainly hope that NSA contractors are a little better than your run-of-the-mill company in terms of security.
Yes it is. The people looking up their girlfriends info and obviously violating FISA warrants don't get fired. The ones sending information to the FBI with "don't tell anybody we are doing this and make sure to claim your "investigation" started with some other evidence don't get fired.
Sleep your way to a whiter smile...date a dentist!
Just a tip, if a cute person leaves you a sticky note saying, "meetMeAfterWork!"...that might NOT be their password"
I certainly hope that NSA contractors are a little better than your run-of-the-mill company in terms of security.
Hate to break it to you....
The cesspool just got a check and balance.
No, it isn't. If Snowden wanted to make a point, he would have only released information pertinent to the Fourth Amendment. Instead, he did a data dump that pretty much showed the extent to which the NSA spies on foreigners, which is their fucking job.
If the enabled the latter half of the above sentence, then they're quite burnable.
then why the fuck hasn't the people in the NSA who have been targeting American's [namely " The people looking up their girlfriends info" and "obviously violating FISA warrants" and "the ones sending information to the FBI with "don't tell anybody we are doing this and make sure to claim your "investigation" started with some other evidence", which CLEARLY violates the law don't face similar punishments?
Or is it just a pick and choose method of law enforcement.
And don't get me started on the whole "it's an emergency, no need to follow procedure anymore".
Sleep your way to a whiter smile...date a dentist!
There's not much expertise in saying "You will be fired... and worse." We make it very clear that violation of both government privacy rules and company policies could very well invite legal proceedings.
The world's burning. Moped Jesus spotted on I50. Details at 11.
All we know for sure is that there's a witch involved in here somewhere, and she will be hunted down and burned!
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
The government has failed to uphold it's most basic responsibility of upholding the constitution, what makes you all think they are effective in handling computer security? It is in fact ineffective in a lot more ways than that.
The failing startup I was stuck at for a few years eventually hired some expensive ex-NSA security company to spy on us. I won't go into the reasons why, but it was purely political, and an empty gesture to satisfy some of our more vocal/deluded shareholders. You can imagine what it does to morale to have someone being paid at least twice your salary to monitor you, but I digress.
The point is, they went around one day, asked us each for our password(s), and then wrote them down on a legal pad. When it was my turn, they were impressed because I had the only password in the entire company that wasn't trivially crackable and, to prove it, showed me the legal pad with everyone's passwords on it.
I really hope that they were trying to set me up into using someone else's login (which of course I wouldn't), and that they weren't actually that stupid. I respect malice over incompetence, but I suspect that in reality they were just that incompetent.
Posting anonymously out of paranoia. I don't think the company even exists anymore, but whatever.
I worked in Gov't IT for 8 years. Employees were constantly drilled about protecting sensitive information.
Same kind of thing happened all the time. Passwords on post-its, in e-mail, etc. People are still people even if they work for the government.
which CLEARLY violates the law don't face similar punishments?
Because it isn't CLEAR that any laws were broken. People around here like to point to some advisory board report that said the activities were probably illegal, but that 5-person board was split 3-2 so you can't say that CLEARLY the activities were illegal. It is CLEAR to you because that is what you believe it to be, but (fortunately) the US legal system isn't beholden to what you specifically believe.
Not at the TS level. You'd get your balls busted if you gave out your password or put it up on a sticky note. They take that shit VERY seriously. Not only were these guys not supposed to let them use their credentials, which is a HUGE no-no to begin with, but by training they should have filed a security incident report if Snowden asked them if he could use their login. They most certainly get busted for this. They are the reason that people with clearances have to complete so many annual security refreshers.
Sure, but whoever does it will have to deal with the consequences and no excuse will save them.
which CLEARLY violates the law don't face similar punishments?
Because it isn't CLEAR that any laws were broken. People around here like to point to some advisory board report that said the activities were probably illegal, but that 5-person board was split 3-2 so you can't say that CLEARLY the activities were illegal. It is CLEAR to you because that is what you believe it to be, but (fortunately) the US legal system isn't beholden to what you specifically believe.
Ah, sorry, but the fourth Amendment is pretty fucking CLEAR. Argue all you want about FISA panels and other such bullshit we've legalized in the last decade to completely fucking derail that Right, but it is VERY fucking CLEAR what laws have been broken and by whom here if you're willing to dilute the issue down to the very basics where it belongs. It's this bullshit dissection of these kinds of violations that allows you and everyone else to not see the fucking elephant in the room CLEAR as day. An "investigation" is opened, and results are published about 6 months after the last person stopped giving a shit about any of it. And then the illegal activity continues, just as it will here.
Knowing where the violations are, and having the power to do fuck-all about it, are worlds apart. This is why we all know they're breaking laws, and yet not a fucking thing has changed to stop it. If any concept is CLEAR here, that one is.
unless every single LOVEINT target was not a US citizen, the law was broken [as the NSA isn't permitted by law to spy on US citizens]
and a FISA judge [he should know] said the NSA violated his warrant for YEARS.
How more illegal do you need to get?
Sleep your way to a whiter smile...date a dentist!
The accomplices were the perps who violated our Constitution. Without them, Snowden would have had nothing to expose.
This is hilarious. You think there's some company that doesn't say you're fucked if you give out your information? It's just legal boilerplate. That doesn't mean it's enforceable.
The fact that they're restricting access that was easily and openly given out before is just a slow attempt to cover up the barn door which has been left open. It's pretty funny, to be quite honest.
The lloveint cases where new hires and got found out pretty much immediately - presumably the usual suspects will be publishing how many Googlers , yahoo apple and phone company employees have accessed things they should have not.(looking up the presidents private phone number medical records etc)
Best practice is to have phone company employees with with wide access to the systems access pass TS (DV in the UK) clearance.
This is what is called speculation, and would be thrown out in court. Snowden claimed long ago he didn't, these people are claiming he did. I trust Snowden a bit more than I trust most of the shitheads we currently have in Government, and could easily find character witnesses who are unbiased to support Snowden.
Keep being distracted by all the hand waives though.
For what it's worth, IANAL either. I am not fooled by the distractions they keep playing against people.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Well, it probably is enforceable in most cases, but that doesn't mean it doesn't happen all the time anyway. If people actually followed corporate policies there would be very little successful social engineering.
My workplace has a sign up that it is against policy to bring a cell phone camera onto the site. Probably every employee from the CEO to the janitor violates this policy.
Which is the same as the case here with the NSA
When a new employee comes on board and needs their access set up, who does that? When someone needs their access expanded, who handles that? How do you control their access?
From what I understand, that was the problem with Snowden and the credentials he had/obtained access to: they had essentially superuser access over the system. In any system, you need people at the top who can manage it. If those people decide to betray trust, you're SOL.
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
No, actually, it isn't clear. The Fourth Amendment forbids unreasonable search and seizure. What's "reasonable"? People are supposed to be secure in their persons, houses, papers, and effects. Does this protect records of who you've phoned or emailed? The Supreme Court has ruled that similar things are legitimate observation. If an agency collects copies of your papers, without your knowledge, and takes steps to make sure they will not be accessed unreasonably, are you now insecure in your papers?
Don't just answer these questions; explain why your answers are clearly correct. The NSA has largely been operating according to the law as it sees it (LOVEINT and similar employee abuses don't count here, since they're private illegalities, same with individuals lying to Congress). I don't necessarily agree with their interpretations, and I do think several laws should be changed, but I don't see NSA actions that are obviously illegal.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
You heard it here first.
Futurist Traditionalism