Schneier: China and Russia Almost Definitely Have the Snowden Docs
cold fjord writes: Writing at Wired, Bruce Schneier states that he believes that China and Russia actually do have the Snowden documents, but that the path by which they got them may be different than what has been reported: "... The vulnerability is not Snowden; it's everyone who has access to the files. I've handled some of the Snowden documents myself, and even though I'm a paranoid cryptographer, I know how difficult it is to maintain perfect security. It's been open season on the computers of the journalists Snowden shared documents with since this story broke in July 2013. And while they have been taking extraordinary pains to secure those computers, it's almost certainly not enough to keep out the world's intelligence services. .... Which brings me to the second potential source of these documents to foreign intelligence agencies: the US and UK governments themselves. I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they've penetrated the NSA networks where those files reside."
I saw Almost Definitely open for Conditional Probability and Nearly Pregnant on AmbiguityPalooza'MMmmm. . . .
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they've penetrated the NSA networks where those files reside.
Uh, yeah. This was obvious from the beginning. If it was that easy for Snowden to grab all of those files without anyone noticing anything until it was too late, how many other bazillions of employees, contractors, sysadmins, etc etc etc etc also had similar access?
The Chinese & Russians (and others--Brits, Israelis, what have you) are actively trying to subvert all these thousands of folks.
It's really not rocket science, or even computer science. More, do you have the right contact. With so many potential contacts it becomes almost inevitable.
And that's without even getting into technical break-ins--which also seem very, very possible given the lax security that the Snowden affair demonstrates. If Snowden can get unauthorized access to all those files, then it's possible for others to do so as well.
Years ago there was a story about Russian intelligence services using typewriters and putting sensitive data on paper documents to avoid digital security breaches.
Very clever, these Russians.
@Anonymous Coward: "keep them locked up and off the fucking internet."
Are you a security professional?
Give up on the conspiracy bullshit. He is just trying to excuse what Snowden did. Snowden had physical access to the network and still had to social engineer passwords.
It's a bit naive to think that professional foreign intelligence spies don't have the same access a low level NSA contractor does. There are clearly no safeguards against copying anything you want and walking away with it. That's not conjecture; we have direct evidence how easy it is. The only difference is actual spies know enough to keep their mouths shut about how ineffectual and incompetent US security is.
I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they’ve penetrated the NSA networks where those files reside. After all, the NSA has been a prime target for decades.
This is why I find allegations that Snowden was working for the Russians or the Chinese simply laughable. What makes you think those countries waited for Snowden? And why do you think someone working for the Russians or the Chinese would go public with their haul?
Like, as Snowden and the journalists working with him said a trillion times, he kept nothing; everything was handed to journalists before he went to Russia, but the MSM "accidentally" forgets this.
Every time, when something from his documents is debunked, exposed by *journalists*, each time, I see the "innocent" title like "Snowden releases X", "Snowden claims Y", etc...
And, each time, comments like "when Putin get all infos from this traitor, he is doom" get soil to grow!
Here is the key point Schneier's post makes:
To headline this story without including some reference to China and Russia having penetrated NSA networks is to imply Schneier is saying Snowden provided China and Russia with information they did not have already. It is either sloppy or intentionally misleading. The headline could have been "Schneier: Chinese and Russian Spies Probably Had Snowden Docs Before Snowden."
"I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they've penetrated the NSA networks where those files reside."
If Russia and China had the files before Snowden took them then they are in no meaningful way "Snowden files". They are merely a set of documents that may, or may not, overlap a portion of Snowden's files. By repeating your opinion that Russia and China have them (apparently without having to decrypt them, if they received them separately from Snowden) you are bolstering the narrative that Snowden has done damage to the government and the people of the US rather than exposing the damage done by the government of the US to the people of the US and the world.
Well done, sir.
Except that's still not enough. If you ever need to copy anything to or from the computer you'd be likely to use a USB-device for that and, well, it's been shown already that such things can be infected even at the firmware-level, not even to mention USB-keyboards, mice and all those things that can also be compromised.
I'm fine with cold fjord getting on the front page. I don't agree with him most of the time, but that doesn't have any bearing on the quality of his submission.
"I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they've penetrated the NSA networks where those files reside."
As a computer security professional I would be most interested in your thoughts on what were these files even doing on these networked computers?
These files were not on Internet connected machines. The computers in question were networked on an isolated network called JWICS which is air-gapped from the Internet. Schneier isn't saying Russia and China hacked into them in the traditional sense, he is saying they were hacked via a mole (same way Snowden did) or via a technical means like a computer with a hidden transceiver that gets installed on the network, thereby giving access to the foreign power.
They are probably on machines that are accessed by other machines that may be either permanently or temporarily connected to the internet. You can build malware that could be used to infect a laptop that waits until it is connected to an internal network and then grabs files for later transmission when it's reconnected to the internet.
Remember that the incompetence of any government agency is dependent on its weakest link and tends to infinity.
In fact Snowden may have inadvertently given them cover, now they can act on the intelligence in the files they stole from the NSA directly without revealing that they powned the NSA networks because the world thinks that Snowden did it.
Yep it is.... Former National Security Adviser Sandy Berger managed to pull out some classified documents obtained from the National Archives..... http://www.washingtonpost.com/...
"I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they've penetrated the NSA networks where those files reside."
As a computer security professional I would be most interested in your thoughts on what were these files even doing on these networked computers?
As a computer professional I would be most interested in why you claim the title of security professional but can't work out why files that are shared with thousands of people throughout the world would be on a network.
Snowden had physical access to the network and still had to social engineer passwords.
Anyone who thinks Snowden is the first and only person who had the access, ability, and inclination to take the data he took is as high as a fucking kite.
Or just stupid.
Snowden is just the only one who went public.
If you had been reading Bruce's posts over the last few months you'd know that there is definitely at least one other NSA leaker. As to other leakage (other than to the media) - that is the main thing that the NSA is scrambling to divert everyone's attention from. The fact that so many companies have been tasked with gathering and processing the material (not just meta-data) that FiveEyes gather - given that it's impossible to stop them using that information to advance their own corporate interests. That and the fact that an NSA core mission is to protect the economic dominance of the USA - not just "from terrorism".
Much like The US/UK let friendly ships be sunk to prevent it from being known that they had broken Enigma. With the knowledge it was broken elsewhere, they can claim they broke into the Snowden files, not the NSA files, when the reality is the opposite.
Learn to love Alaska
" Airgapped computers don't exit."
This part is true at least.
"The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
There was no suggestion he was a problem, in fact I believe he is a hero too, I was just pointing out that other government actors may not be using him or the people with access to his trove as a source of intelligence, but as cover for activities they have already undertaken, as Bruce has implied.
You cannot be very good at IT. One of those "computer security professionals" that cannot program, set up a network or analyze a large bulk of data?
Quite obvious, these documents were used in daily work and in meetings and doing that exclusively with non-networked computers is extremely hard. What you do is have a "classified net" and then you make damned sure it is secure. Of course, with the NSA being in the business of making everybody less secure these days, they may just not have the skills anymore. And they certainly have the problem that they do not know how to implement access control and how to restrict access to a small group.
Side note: If Schneier is right (and he most likely is), that means the agency that spies on everybody and keeps a file on everybody cannot keep the data it gathers secure. That should make it clear even to the dumbest person why universal surveillance is harming everybody.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Snowden had physical access to the network and still had to social engineer passwords.
Anyone who thinks Snowden is the first and only person who had the access, ability, and inclination to take the data he took is as high as a fucking kite.
Or just stupid.
As most people that are stupid (and there are lots and lots of them) have no clue that they are stupid (Dunning-Kruger Effect), that is likely the best explanation. The utter clueless nonsense that can be found even in the comments on this story is staggering. Every competent computer security expert was aware that these documents must have been stolen several times over by the time Snowden did it. There was not even a discussion about this. Schneier is merely pointing this out now for the non-experts.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Since they got a Hollywood set designer to do their operations room there is probably a long list of stupid failures from these toy soldiers possibly up to and including public internet connectivity and laptop misuse.
The mere fact that Snowden got so much and that there appears to be no records of how much he got shows some serious breakage.
One of the things that came out of the Manning leak was that an oil company operating in Nigeria already had that opinion and was very reluctant to share confidential information with US agencies.
It's useful to keep in mind there's two layers to the Snowden-betrayal array of claims.
- There's the claims that he did damage.
- There's the underlying claim that this proves that he did wrong.
In fact whenever a whistleblower comes out, there will be some damage in some areas. The same applies to journalism. Whenever you expose wrongdoings or questionable practices from those in charge it can be argued this helps the enemy, even if only by tarring the image of the government. But I think the main point is, it should be considered an acceptable cost of transparency of governance. Transparency has been embedded in the US constitution 200 years ago for a reason. Mostly, those accusing Snowden don't understand that reason, or see no reason to bother with it. Transparency means that to some extent the governing still represent the governed (although you need to close the feedback loop to really achieve that).
So yes, I think the claims that Snowden damaged the US foreign policy are wildly out of proportion, but I also think that as long as some precautions were taken to limit damage done, then it's acceptable. That should be the general attitude towards whistleblowers: that some damage due to disclosures is acceptable, worth it.
From a security point of view, from the moment that Edward Snowden went public you have to operate under the premise that those leaks have happened before, and that other interested parties had and still have unencrypted access to all the documents Edward Snowden took, and to other documents Edward Snowden didn't take because he either didn't know about them or hadn't had access to them.
It pretty much comes down to how far do you dare trust your employees. Network security can only get you so far. It ultimately boils down to trusting people not to take your secrets whether they are on physical media or in their head and share or sell them.
So far as I understand it there are only a few reasons people commit espionage; loyalty to something else whether it be a principle or nation, money, or boredom. You can screen people for those things but eventually you come to a point where you just have to hope nobody sells out. The folks that can do the most damage typically aren't paid all that well, certainly not when it comes to another nation state possibly willing to spend millions to turn someone.
From a security standpoint, "they don't know what he took" is the biggest problem. It means they don't have a logging file system. If you don't log access then you can't look for unusual patterns of access, like some guy taking everything in the computer. It means the Russians only need to recruit 1 contractor with skills, and they get anything they want, forever.
Since they got a Hollywood set designer to do their operations room there is probably a long list of stupid failures from these toy soldiers possibly up to and including public internet connectivity and laptop misuse.
Maybe you could explain a few things here? For instance, why do you think that having a Hollywood set designer either design or have input to an operations room layout is a bad thing? Set designers in Hollywood are highly skilled professionals that have to mix artistic concerns with practical ones to produce a functional product suitable for use. It was noted decades ago that the US Navy was interested in the layout of the science fiction program Star Trek's bridge layout, just as there was military interest in the layout of the set in the movie Wargames. You seem to have constructed this as a snarky comment that needed no explanation as to why it was bad, but I'm asking, why do you think it was bad? What fundamental failure do you think it shows to have a professional concerned with physical layout, eye lines, practicality, functionality, and utility, be involved with the design of an operations center? Which side does the failure reside, theirs, or yours? If you think it is theirs, what is your argument?
The mere fact that Snowden got so much and that there appears to be no records of how much he got shows some serious breakage.
Auditing of staff with privileged access can be a challenge, especially when they are knowledgeable, skilled, and malicious actors, which is what Snowden was. His window to operate was limited though, and was in fact closing since they were deploying software that would have nailed him. As it was his activities were detected at various points, but he was able to tell convincing lies to get away with it. It's a damn shame what he did to Australia with what he stole, don't you think?
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
So you are saying that Bradley Manning's leaks did harm the US*? Delayed recognition is better than none I suppose.
*Not that there was any real question about that. High cost, no useful outcome.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
I'm sure I replied to this but must have failed to submit it properly or something.
In short, hiring a set designer is a gross symptom of a mindset of appearance over function to such an extent that a security risk and PR failure if it leaks overwhelms any positive outcome. It's wandering into "heck of a job" horse judge territory in terms of demonstrating someone is way out of their depth.
Second, the Navy trek thing is backwards. The Navy found it interesting that Trek sets had been inspired by submarine and other operations rooms from WWII up until the 1960s. Those vertical transparent charts that look cool in Trek are descended from manual methods of finding vessels by sonar. From what's been declassified computers have been doing all that stuff on screens since the 1970s so subs don't look like that any more. The navy inspired Trek, the navy then said "that's cool", but they were not inspired by Trek themselves - such a thing is ridiculous bullshit spouted by fans who want to feel important.
The last thing - Snowden was an external contractor. The trust level should have been very very low in such a situation - massive fuckup. Such auditing is fairly pointless in such a situation where they should never have so much trust in the first place, because they just want the cash and not the core values of whatever org they are contracting to. Contractors will rip you off in a variety of ways so there should be structures in place to limit the damage, because no matter what an audit tells you one of them will fuck you around for their own benefit if you look the other way long enough.