Snowden Spoofed Top Officials' Identity To Mine NSA Secrets

schnell writes "As government investigators continue to try to figure out just how much data whistleblower Edward Snowden had access to, MSNBC is reporting that Snowden used his sysadmin privileges to assume the user profiles of top NSA officials in order to gain access to the most sensitive files. His sysadmin privileges also enabled him to do something other NSA users can't — download classified files from NSAnet onto a thumb drive. 'Every day, they are learning how brilliant [Snowden] was,' said a former U.S. official with knowledge of the case. 'This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble.'"

Amended quote

[rsborg]

"Brilliant people get you in trouble.'"

More like "Brilliant people expose the trouble you're currently in".
The security-state here keeps saying "if you don't have anything to hide, then you don't need privacy"

Well, if the NSA weren't doing shit that warranted whistleblowers, they wouldn't have the problems they currently do.

Re:Amended quote

[Rob Riggs]

That's why I play dumb. Yeah -- that's it. I'm really brilliant in disguise so I will get hired. And keep up the facade so I won't get fired.

Re:

[binarylarry]

*ahem* fuhsawd

Re:No time for joking! U.S. government corruption.

[Culture20]

The U.S. government is extremely corrupt, in many ways. It amazes me how often U.S. citizens joke about that, or change the subject, showing that they don't care.

They care. They change the subject because they feel powerless to change the corruption. Everyone they ever voted for turned out to have a hand in the cookie jar. And now the politicians no longer have a guilty look when caught. Instead, they demand to know why we didn't refill the cookie jar.

Re:Amended quote

[lorenlal]

I'm more worried that they're saying he was "brilliant." Those actions are trivial. I'm disappointed that's all he had to do to get that info.

Agree with his actions or not, anyone who declared him anything more than "some sysadmin who took some liberties with his access" shouldn't be in charge of gathering, investigating or protecting anyone's sensitive data.

Re:

[timeOday]

The "brilliant" comment was obviously not in specific reference to the sentence that was placed before it in the slashdot summary. If he did anything especially clever, I would guess they are not publicizing the details.

Web of trust

[microbox]

I wouldn't say obviously. In my experience, decision makers work in a web of trust, and are completely blind sided by little technical details.

Re:Amended quote

[aaaaaaargh!]

I'm more worried that they're saying he was "brilliant."

Yeah, well, that's because they want to portrait him as a brilliant evil genuis who should be incarcerated for the rest of his life (as he's obviously so dangerous) rather than just a guy who downloaded stuff on his thumbdrive because their internal security was shit.

Re:Amended quote

[jedidiah]

Just goes to show what utter trash journalism has become. Invariably, if you have any knowledge of a subject you can't get over just how badly "journalists" get things wrong or intentionally leave out crucial details.

A sysadmin had root? Imagine that?

Re:Amended quote

[ColdWetDog]

And exactly when do you think this was different? When Walter Cronkite was alive? When Ogg told Grog what happened to Paris the other night?

Is this way, was this way, will always be this way.

Re:Amended quote

[interkin3tic]

I agree, same thing with music, movies, and probably anything. You remember the highlights, not the mundane, average, everyday shit. For every Woodward and Bernstein uncovering watergates, you have ten thousand reporters dutifully transcribing whatever it is the press secretary or other spokesperson tells them and handing that propaganda over to the consumers. We remember the great ones who stand out, the rest are forgotten. That can be misinterpreted as assuming that all the past reporters were good. Same thing if you look back on the movies of yesteryear, you only keep the ones that are good, it can be tempting to compare the classics to the shit currently in theaters and conclude that only good movies were made decades ago and only shitty movies are made now.

The good news is, it's ALWAYS happened, so it's not like civilization is crumbing. Journalism has pretty much always been this shitty, so we're not heading into a dark age. At least, not because of that. Also with the internet, that's something that actually can change journalism and is. So it's not getting worse, and it could get better.

I'm very optimistic, and I think I have good reason for that. For example, before the internet this story [cnn.com] would have stood on its own. Rumsfeld making a blatantly hypocritical statement, without the "journalist" bothering to note Rumsfelds hypocrisy, would have been just out there for people to read without any crosstalk. The comments on it point out that problem, and perhaps the article will get updated or corrected. Not likely, but more likely than it would have been 20 years ago.

You're wrong about Cronkite

[almechist]

And exactly when do you think this was different? When Walter Cronkite was alive? When Ogg told Grog what happened to Paris the other night?

Is this way, was this way, will always be this way.

I’m sorry, no. Things most definitely were NOT always like this. When Walter Cronkite told you “that’s the way it is,” you could believe that he was reporting as accurately as he could, using material gathered by some of the best investigative journalists in the business, and most importantly, with little or no thought to whether the news he was reporting would negatively affect or offend the corporate bosses at CBS. There was a reason he was called “the most trusted man in America,” because he literally was just that, continually ranked in polls for trustworthiness above presidents, clergymen, fellow pundits, you name it. You don’t get that kind of reputation unearned.

Hard to imagine today, but back then the networks genuinely competed against each other for viewers, and news departments quickly became the most prestigious part of that struggle. There was very little editorializing, and almost none that wasn’t clearly labeled as such. The networks simply didn’t try to spin things a certain way as we see now. I suspect enforcement of the Fairness Doctrine had a lot to do with that, certainly it seems like the long decline of the American media began soon after the FCC decided to do away with the FD, along with many other existing useful regulations, such as the ones preventing industry consolidation into exactly the kind of huge media conglomerates we have today. Those long forgotten regulations were perhaps a big part of why the media in those days was so much more trustworthy than what we have now, although I can‘t prove this.

The end result is that today when I access any of the big American news organizations, I no longer believe I am getting the best information possible. Everything has to be taken with a grain of salt and a dollop of serious consideration regarding the parent company’s corporate stance on a given issue. More and more I find myself having to look at overseas sources (BBC, etc) to get any real feel for how things truly stand. It’s a sad state of affairs, and one that is very hard to convey to those born and raised in post-Reagan America. The news media in those days was far from perfect, but for trustworthiness, believability, accuracy, and absence of pervasive editorial slant, it was in general far superior to anything existing today.

Re:Amended quote

[retchdog]

Didn't the NSA contribute significantly to SELinux, the entire point of which was to enforce access controls so that root wouldn't be omniscient?

Either they weren't using it internally (which would be a bit odd, but not surprising), or they were using it improperly (which is extremely likely), or it was implemented correctly and Snowden was actually very clever (which is somewhat unlikely).

Re:Amended quote

[Zero__Kelvin]

"The NSA has already identified several instances where Snowden borrowed someone else’s user profile to access documents, said the official."

Well, you are assuming 2 things:

1. 1) The journalist is using correct terminology
2. 2) The system in question was Linux based.

That being said, even if it was Linux based, the article doesn't claim he "accessed the data as root"; it says he assumed the "online" identity of top officials. In other words he logged in as, or otherwise tricked the system into auth'ing him as, other users. Of course, the very fact that the journalist calls it an "online identity" makes it clear that the journalist doesn't understand a lick of what he is writing.

Re:Amended quote

[dgatwood]

Of course, the very fact that the journalist calls it an "online identity" makes it clear that the journalist doesn't understand a lick of what he is writing.

Oh, no. That choice of words was almost certainly deliberate, and provided by the government. By using the words "online identity", they can charge him with identity theft, and they'll have more of a chance of getting extradition from Russia. Why? Because "identity theft" sounds a lot more criminal than "read the guy's password off the Post-it on the underside of his keyboard."

Re:Amended quote

[Zero__Kelvin]

Maybe they read this [nbcnews.com].

Re:Amended quote

[TheNastyInThePasty]

The problem is that almost all news consists of reporting what politicians and other figures are saying, rather than doing any ACTUAL research. Any sentence implying that Snowden is "brilliant" for using his privelages in the way that he did should be immediately followed by a line in the news story saying "However, our research shows that anyone with a passing interest in computers and especially systems administration could have done the same thing with ease". Journalists need to start calling people out on their bullshit with actual facts rather than reporting "Well according to obviously biased source A..."

Re:Amended quote

[Kal Zekdor]

..."However, our research shows that anyone with a passing interest in computers and especially systems administration could have done the same thing with ease"...

Why do you think the NSA is trying to get rid of all their sysadmins?

Re:Amended quote

[lightknight]

For the same reason that the Air Force is trying to get rid of all of their jet mechanics -> they're obviously in a position to promote sabotage, and should not be let anywhere near a plane, even to do their jobs, because of what they might do; instead, they need to be watched by people who have zero understanding of what it is they are attempting to accomplish, and who will question them every step of the way, until that aggravation forces them into acting out some 'aggression.'

Re:Amended quote

[Zero__Kelvin]

"Journalists need to start calling people out on their bullshit with actual facts rather than reporting "Well according to obviously biased source A...""

Each journalist gets to do that exactly once, after which he will never be granted an interview with the same agency again. I'm not saying it is right ... I'm just saying. There aren't many real journalists left in the US, unfortunately.

Re:Amended quote

[Jason Levine]

There are, but unfortunately they are on The Daily Show and Colbert Report and they mask their journalism as satire/comedy. It's sad when the comedians make better journalists than the journalists do!

Re:Amended quote

[Anonymous Coward]

How do you propose keeping a sysadmin that needs root access to do their job from being able to copy something to a thumb drive? You can ban thumb drives, but then they could just write the files to a different server that they can access from home. If someone needs root access for their job, there's no amount of security that can keep them from either copying secrets or breaking the system if they're so inclined. The only solution is hiring trustworthy admins.

Re:Amended quote

[Zero__Kelvin]

" The only solution is hiring trustworthy admins."

No. You have that bass-ackwards. The whole problem is that they hired a trustworthy admin. They should have hired one who was willing to be complicit in their crimes.

Re:Amended quote

[Zero__Kelvin]

... as opposed to NSA spies, who of course never lie. I doubt he actually said those things, but even if he did it is his motive that matters. My Mother lied to me and told me there was a Santa Claus. By your erroneous rationale she is, therefore, untrustworthy. Furthermore, by your rationale every NSA employee is untrustworthy.

". You only consider him "trustworthy" because you agree with his crimes"

... and you are only spewing ridiculous shit on Slashdot because you agree with the NSA's crimes. If I have a choice between a guy who rapes the constitution, and the guy who lies to expose the rapist, I'll choose the latter every time. Your mileage clearly varies.

Re:Amended quote

[Richy_T]

The only problem is, if you're doing things which are unconscionable, your only choice is to hire someone without a conscience. And there goes your trustability.

A corollary

[Myria]

The best way to stop whistleblowers is to stop giving people a reason to want to blow the whistle.

Re:Amended quote

[bws111]

You start with an OS that has proper separation of duties so that there is no 'root access'. For instance, the person responsible for maintaining the software on the system should not be able to access any data other than the software he is maintaining. The person 'operating' the system (startup, shutdown, network control, etc) also does not need access to user data. The person doing security admin should not be allowed to alter his own authority, and does not need access to user data. Etc. Relying on 'trustworthy admins' is just stupid.

Re:Amended quote

[Motard]

Mod this up. I know one large pharmaceutical company that requires dual logins (i.e. two sysadmins) to do anything out of the ordinary - and everything is logged. Why the f-ing NSA can't do this is beyond me.

Re:Amended quote

[lightknight]

Well, they'd have to, wouldn't they? I mean, come on...anyone who has worked IT has been laughing at the NSA's published accounts of Snowden's 'infiltration' and 'hacking' since day one; a jury of his peers would have trouble seeing him as using any special means to access the information contained therein.

The only people who would find this surprising are people who are JUST NOW being introduced to how computer security works, or why network admins used to be paid extremely well. It's like pointing out to the President of a large corporation that their chief shark (head legal counsel) knows exactly what evil they've been doing for the last several years, and that they've been cutting his wages relentlessly for years...if this is news to them, they need to be fired; they're obviously not qualified to run a hamburger stand, let alone a large entity.

What more, their extreme stupidity, in the form of 'doubling down' when confronted with a threat is somehow a perfect epitaph to their lifestyle. Years of treating the servants poorly, now facing paranoia, they turn to violence to instil a sense of loyalty in their 'troops.'

Re:Amended quote

[VortexCortex]

Investigators are baffled at the sophistication of the attack, being that PRISM grew out of ECHELON & Carnivore which was ported from old Unix systems to run on the more secure Microsoft OS platform. Compromise was thought highly unlikely especially since many employees are on record citing the feats "nearly impossible to remotely administer."

Experts say Snowden used the an obscure "Shell Command", frequently associated with copyright pirates, to display every last file he stole: "De Aye Yar!"
Worse still, reports confirm that C.P. was his favorite, and was integral to his hacking scheme! Won't someone think of the children?!

Re:Amended quote

[Chelloveck]

Yeah, well, that's because they want to portrait him as a brilliant evil genuis who should be incarcerated for the rest of his life (as he's obviously so dangerous) rather than just a guy who downloaded stuff on his thumbdrive because their internal security was shit.

This. A thousand times this.

Read the two articles linked in the summary. They're both on NBC news and published within three days of each other, and both are essentially the same story. The difference in the articles?

The older one (byline "Richard Esposito and Matthew Cole") says, "Duh. He's a sysadmin. He's capable of creating accounts with arbitrary permissions, and of violating the air gap between the secure and insecure sides. Of course he can do that, it's in his job description!"

The newer one (byline "Richard Esposito, Matthew Cole and Robert Windrem") says, "Whoa! This guy knows how to impersonate people on a computer! No one but a brilliant uber-hacker could do that! This guy is a menace! An evil genius of a degree seen only in Bond villains!"

I don't read or watch NBC news, and I've never even heard of any of these reporters before. But my guess is that Esposito and Cole are the tech beat guys, and Windrem is managerial. If we assume stupidity, Windrem simply said "This story is dull. I'd better punch it up a bit." If we assume malice, Windrem said "This makes the NSA sound dumb. Let's play it for the brilliant hacker angle instead." If we assume conspiracy, some nice men in dark sunglasses approached Windrem and said "This story doesn't fit with our narrative of Snowden being a dirty rotten traitor. Fix it."

Re:Amended quote

[indian_rediff]

From the first three paragraphs of the second TFA:

When Edward Snowden stole the crown jewels of the National Security Agency, he didn’t need to use any sophisticated devices or software or go around any computer firewall.

All he needed, said multiple intelligence community sources, was a few thumb drives and the willingness to exploit a gaping hole in an antiquated security system to rummage at will through the NSA’s servers and take 20,000 documents without leaving a trace.

“It’s 2013 and the NSA is stuck in 2003 technology,” said an intelligence official.

Doesn't look like he is portrayed as 'brilliant'. Just a bad quote taken from the article to 'made you look!'

Re:

[SirGarlon]

Spoofing someone's user ID is not brilliant, but finding and exfiltrating 20,000 documents without getting caught may have been harder than it sounds.

Re:Amended quote

[interkin3tic]

Snowden raises two issues for the NSA. He exposed their crimes, and he also made them look really bad.
br. By saying he was "brilliant," they deal with the second one. "What? No, this isn't a security lapse. This is a supervillain spy hacker genius! We've dealt with him, there's no one else out there who can penetrate our defenses. You're safe. Ask no more questions, there are no monsters under your bed, save for the ones you pay us to protect you from."

Re:Amended quote

[Cow Jones]

"... and by the way, in order to prevent such brilliant people from exposing us like that in the future, we've just told all the sysadmins with the same access level that 90% of them will be fired."

Brilliant, indeed.

Re:Amended quote

[iamhassi]

I'm more worried that they're saying he was "brilliant." Those actions are trivial. I'm disappointed that's all he had to do to get that info.

Agree with his actions or not, anyone who declared him anything more than "some sysadmin who took some liberties with his access" shouldn't be in charge of gathering, investigating or protecting anyone's sensitive data.

THIS.

I came to post the same thing. This is like calling a child that signs their parents name on a school note as "brilliant". Sysadmin has access to everything, it's like saying the locksmith is "brilliant" for opening the door.

Re:Amended quote

[dbIII]

I'll add another - a young "computer systems engineer" came to me and said a system was down. I asked, to try to find out some details of whether it was a service or the entire host "how do you know, did you ping it?" The reply was "nothing so sinister".
So there you go - even professionals that work with computers a great deal think something as simple as ping is a dirty hacker tool of evil, and it's a far more common mindset than my single example. They are so deluded that they see me as a "white hat cracker" just because I use nmap, tcpdump and the rest.
Also don't take this as a rant against engineers. I was one for a couple of decades until I wandered into IT via cluster computing.

Re:Amended quote

[davecb]

Any kind of honest person gets you in trouble, if you're doing something they don't consider honest. Ditty any kind of ethical person, moral person, etc. Of course, any of these can be wrong about whether or not you're doing something dishonest.

Conversely, any kind of dishonest (unethical, immoral, etc) person can get you in trouble if they do something dishonest, unethical, etc.

It doesn't matter who you're hiring, if what you do can be misused, at some point you'll need to discover, usually publicly, if it's being misused or not.

Cops are used to that: they often have people "watching the watchers". Spies aren't used to it, they're used to keeping stuff secret, so they have way more trouble with it (:-))

--dave

Re:

[Anonymous Coward]

squawk squawk squawk

Quite a shrill shill. Crackpots and paranoids and conspiracy theorists knew the government was listening to everything all of us do all the time.

Now we all do. That's an achievement. Maybe not worthy of the mission impossible theme song, but an achievement nonetheless.

This message will self destruct in 5 seconds...

Re:Snowden was never a "Whistleblower"

[Hatta]

I've written this before, with links just like now...if you want to disagree, if you want to claim Snowden *did* release valuable information and not just technical details for things we already knew existed...you have to show evidence.

The evidence that Snowden's leak was valuable is on the front pages every day. Before Snowden, the NSA was in the news once or twice a year, buried in newspapers. After Snowden, the NSA is in the news almost every day. The disclosures may or may not be new, but the public attention is.

Re:

[Anonymous Coward]

More importantly, he released information in a way that made it incontrovertible. It wasn't some retarded infowars release right after a video about weather control and right after another about reptilian humans.

Re:

[Coeurderoy]

I guess that for the unnamed official, anybody with minimal competencies in what they do are "brilliant", he probably is probably the "amicable jock" kind who instinctively distrust anybody who applies some analytical skills to a situation, instead of just waiting to be told what to do.

About the info that Snowden leaked in practice there was strictly nothing new, but it removed a thin layer of "plausible deniability".
Unfortunately it also moved the conversation from "is this acceptable" to "is Snowden a ba

link here this time for real

[globaljustin]

http://yahoo.usatoday.com/news/washington/2006-05-10-nsa_x.htm [usatoday.com]

that's it

sorry again...gah I need to go back to typing school

Re:Snowden was never a "Whistleblower"

[TheCarp]

You're missing the forest for the trees friend. The significance of Snowden is not what he leaked by itself. As you said, we /.'ers "knew" that something like this has been going on for at least the last 10 years. The significance is the breadth of surveillance and how the NSA reacted to him leaking it.

I really liked the pace of the disclosures. First he discloses a few things, the officials come out and start spinning and making up lies for the public about what is really happening, then the next disclosure comes out, exposing exactly what they just lied and said wasn't happening.

That was just....masterful.

I can understand wanting to keep secrets, but there is no excuse for telling lies to the people. Its ridiculous that I or anyone can be charged for telling lies to the FBI, but, the politicians can't be charged with telling lies to us.

Brilliant?

[Traze]

So, having a way to change your identity to another users is brilliant? All System Admins must be brilliant!

Re:

[The MAZZTer]

Hey guys I found this command called su which serves the sole purpose of allowing you to impersonate other users!!!!

Re:Brilliant?

[Phics]

Perhaps if the right people make Snowden seem like a mad brilliant genius, the public will brush aside questions of how secure processes at the NSA are?

Re:Brilliant?

[Coeurderoy]

So, having a way to change your identity to another users is brilliant?

All System Admins must be brilliant!

That is certainly the opinion of most sysadmins :-)

You don't get to hire smart people for this job.

[intermodal]

You either get brilliant or you get mildly capable. Smart people know they don't want to work in that environment. Brilliant people will take the job knowing they can use it to some kind of end. Mildly capable people handle requests and not much more, but are just happy to have a stable job in their field.

Re:

[Anarchduke]

Hey i'm mildly capable to downright incompetent, maybe I can get Snowden's bosses job!

Brilliant?

[khb]

Surely someone at the NSA knows about multi-level security, SELinux, and the like. No one should have had root access. Having architected the system so poorly, it hardly took a genius to walk off with their secrets.

Re:Brilliant?

[hjf]

Yes... surely SOMEONE at the NSA knows about SELinux!

Re:Brilliant?

[Anonymous Coward]

Best comment I have read in a long time.

For those who don't get it (although this is SD, so there shouldn't be), the NSA wrote SELinux.

Re:Brilliant?

[chthon]

No, it was someone brilliant who impersonated as the NSA to publish SELinux.

Re:Brilliant?

[ThatsNotPudding]

Yes... surely SOMEONE at the NSA knows about SELinux!

There was one guy, but he left.

No, you don't have to have root access.

[Anonymous Coward]

A properly compartmented system doesn't have root.

A security manager (that doesn't have access to installation tools, network, operations or storage, but has lots of system activity logs)

A systems engineer (that doesn't have access to user files or security manager functions)

An operational staff (that doesn't have access to user files, security manager functions, OR installation tools)

A network engineer (that doesn't have access to any of the previous three).
And frequently, a storage engineer that doesn't have access to any of the previous 4).

Thus, separation of duty. Improper access always raises an alarm. A violation requires collusion between 3 or more people - MUCH easier to detect.

It is usually the security manager that authorizes new users. The operations staff may initiate the installation of those users - but it is still the security manager that enables them.

And yes, a storage engineer doesn't need access to user files - he may have his own files for testing/evaluation. But he can initiate load balancing that may cause user files to be relocated - but that does not give him access to the data.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Brilliant?

[Capt.DrumkenBum]

Umm, ok, now you have to be brilliant to "sudo su ".

According to 99.99999% of the population. Yes.
Which of course makes most of us here freaking geniuses.

Re:Brilliant?

[Dagger2]

There has to be more than 700 people who consider that to be simple.

Re:Brilliant?

[Rob Riggs]

Umm, ok, now you have to be brilliant to "sudo su ".

Sucker. Now you'll never get hired by the NSA.

Re:Brilliant?

[MiniMike]

Well, which sounds better as a defense?

1) We got hacked by methods any average or better than average sysadmin could use. Thus our entire architecture is at risk at this can happen multiple more times. We have no adequate defense against this, and are thoroughly screwed.

or

2) We got hacked by a BRILLIANT HACKER! No one could have foreseen the ninja-like moves he used against us! Now that we've closed the obscure loophole that he used, the only flaw in our otherwise perfect system, our files are safe for eternity! Yay us!

It seems like they're going with #2.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Ahh, that explains it.

[Anonymous Coward]

That explains why they really, really, really wanted to get their claws into him.

Forget the extreme negligence of morality of what they were doing, forget the fact that he leaked those secrets to international press.

It's just 100% pride. And I bet those top officials are the ones gunning for him.

Until they realize that what they were doing was unacceptable, this will continue.

And I expect it will continue for a very long time..

"Brilliant"? Hardly

[Jane Q. Public]

"This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble." -- a former U.S. official with knowledge of the case.

Um... no. What is described in TFA is not "brilliant" at all, but a necessary part of being a sysadmin: you have control over user profiles.

The fact that the "former official" does not seem to realize this does not lead us to conclude that Snowden was brilliant... but rather that the mentioned official was anything but.

Read between the lines

[ThatsNotPudding]

What they _really_ want are sociopaths; people (Men) that have no empathy for others and kinda get off on having great power and lending a hand in bringing suffering and grief to 'things' they have no more sympathy for than ants under their magnifying glass.

The greatest enemy of the NSA, et al is conscience.

Re:"Brilliant"? Hardly

[gstoddart]

Is it really, though. Wouldn't it be technically possible to create a system where not even root is able to login as a user

Not in any system I've ever seen.

The admin needs to be able to pretty much do everything on the system .. create stuff, delete stuff, raw access to whatever the data is stored in. That's kind of how you do the admin stuff in the first place.

I've been the admin on various systems over the years, and I've never seen a system where you don't have access to everything. That I only look at stuff when I'm supposed to, and even then strictly just enough to do what I need to means I take it seriously. And because I don't want the hassle of knowing more than I need to in order to do my job (and keep it).

I've also been in places where the admin did step outside of their role and poke into things out of curiosity or spite. Those can be fun to identify or fix.

You essentially have to trust your admins and choose carefully. But if you need someone to be able to fix or repair stuff, that requires full access in most cases.

I can almost guarantee you, your DBA, your Exchange Admin, and your sys admin can access pretty much everything on those systems. I'm not even sure what you'd need to have in order to have a system which allowed you to not trust the admin -- but it would have to be a significant departure from most everything we have now. And it would probably leave you a lot of situations in which the admin looks at you and says "bummer dude, but you guys locked me out, so I can't help you".

oblig Avengers...

[Tridus]

The only thing that came to mind with the suggestion that they not hire brilliant people:

"An intelligence organization that fears intelligence? Historically, not awesome."
- Tony Stark

"Former U.S. official"

[EMG at MU]

Sometimes I feel that these "former U.S. officials" and "anonymous staff members" should STFU. It just seems like they use their anonymity to say random shit that will create headlines and stroke their ego. The "don't hire brilliant people" quotation is just stupid. No one that would have to be responsible for their words would say that.

Brilliant?

[Kreplock]

A sysadmin manipulating access privs hardly seems brilliant. Now if he'd leveraged some software exploits shortly before implementing patches that address said exploits, that would indicate a much greater knowledge of the systems he was looting - a certain grace or panache, if you will. I guess this "brilliant" quote is what you get when people who see these systems as a black box are doing the talking. I'm thinking reality resembles less Snowden brilliance and more NSA caught with their pants down.

Seriously?!?

[SecurityGuy]

This isn't brilliance, this is just poor security. This is systems that had a vulnerable audit trail, or didn't bother auditing enough, or created records no one ever looked at. Surely user snowden su-ing to some top official throws a red flag somewhere, right? If not, why not?

Re:

[Anarchduke]

aboslutely. it sent an immediate red flag to the sysadmin who would then... ummm.. huh.

Re:

[chuckinator]

Incorrect. man audisp-remote(8)

It will happen again (hopefully)

[Alain Williams]

Inside the NSA is probably an amusing place to bea fly on the wall at the moment. All sorts of new procedures to try to stop someone else doing the same thing. However: it won't work, any defences that a man can put in place can be circumvented by another man, especially one working on the inside. They can make it hard, but not impossible - at least if they want their systems to remain useful. They have, at some level, to trust people to be able to operate.

The only way that the NSA can stop future embarassing revelations is for it to behave in a reasonable and moral way. That means a complete change of culture.

I did not say ''behave in a legal way'' since corrupt laws can easily be written.

So everything was true ...

[gstoddart]

It sounds like despite the initial protestations of how he'd exaggerated his abilities, and those of the surveillance program ... it's all proving to be true.

That his sysadmin privileges let him access stuff which was much more classified doesn't change that the system is capable of doing this, and likely is on a large scale.

So we've got a wide-reaching, in cases probably illegal system which can and does tap into everything -- and apparently the amount of oversight and controls they have on this is very limited.

Unofficial statements from NSA

[mounthood]

All these people "with knowledge of the case" better watch-out they don't go off-message or they could find themselves hunted as whistle-blowers too, but they'll be OK as long as they keep talking about Snowden and not crimes he exposed.

Dear NSA

[onyxruby]

You need to hire some of these "brilliant" people so that you don't get snowed by a Snowden. By all accounts he accomplished what he did by having incompetent management above him. This was a management problem, and one that you knew better about, or should have known better about - if you had some of those brilliant people who knew what they were doing in management!

What?

[bmo]

" 'This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble.'"

No, what happens is when you do shit that shocks the conscience, someone, somewhere, is going to expose you for the douchebag that you are.

Stop being a douchebag.

--
BMO

Man with keys to Ft Knox says anyone can get in

[Overzeetop]

So the whole "anybody could get access to this data at any time, even without a court order" is really more like "anyone with the appropriate privileges, which is limited to a select number of analysis, can access these records, which are protected by a court order. Except, of course, the sysadmin who breaks all of the rules, steals the credentials of authorized analysis, and then downloads whatever he wants.

Short of giving one key to a judge in a two key system and tying up an entire justice department staff to baby site every single access, there isn't a way around this particular scenario. It's baked into the whole clearance and trust model.

Consider the source

[fastgriz]

Given their track record, anything the NSA says should be considered to be a lie. Therefore, if they say Snowden used his 1337 h4x0r skillz to break the rules, it is a safe bet that he did not do anything of the sort and the NSA is just fabricating a story to pacify lawmakers asking how this could happen. Since they commit perjury in front of Congress with impunity, lying to reporters wouldn't even be a blip on a NSA spin-doctor's moral radar.

Re:

[Cro Magnon]

"Brilliant" is relative. In the land of the blind, the one-eyed man is king.

Re:Brilliant?

[Coeurderoy]

In the land of the blind the one-eyed man directs traffic.

In the land of the blind the one-eyed man gets beaten up by the mob who thinks he talks funy and pretends "see" things that are farther that you can touch so is obviously a dangerous mad man.

Re:so he did in fact break the law

[hcs_$reboot]

What makes him -not- a whistleblower? He spotted illegal actions from his client (NSA) and used his privileges to prove him right.

Re:so he did in fact break the law

[schneidafunk]

You mean he abused his privileges. He is a low level tech, not privy to high level discussions. Compare him to Mark Felt, who was in a position of power and knew for certain through his daily dealings that the administration was abusing his power. He didn't have to raid Nixon's private files to show it. Here's a better analysis [theatlantic.com] for you.

Re:so he did in fact break the law

[metrix007]

It sounds like he abused his privileges to confirm his suspicions, and then took a course of action. Which is the right approach, depending on the suspicions.

Re:so he did in fact break the law

[shaitand]

Snowden's abusing his powers is an act of civil disobedience. The same tatics were used by Ghandi and the civil rights movement. It's a wrong that warrants a "tsk tsk, don't do that" and a stern look. He did it to expose evils so great and widespread that it would be hard to figure out which of the hundreds involved who merit it should be executed for treason first. That's not shoot the messenger here.

Re:so he did in fact break the law

[aristotle-dude]

Sorry, I am a fan of him and grateful he leaked only certain documents as opposed to Manning just dumping everything out into public, but stealing classified documents to leak is a bit different than the story we've been given as a true whistle-blower.

I think the type of information Snowden took was of a different sort. He stole information detailing the existence of spying programs, how they worked and their extent putting the programs themselves at risk whereas Manning stole and leaked operational information that potentially put lives at risk by exposing agents in the field and/or operational plans in the field.

What Snowden leaked so far embarrasses the government but is not "outing" anyone as an agent. This is more inline with what a whistleblower would usually talk about. He leaked the powerpoint slides as evidence of his claims.

Re:so he did in fact break the law

[dkleinsc]

Manning stole and leaked operational information that potentially put lives at risk by exposing agents in the field and/or operational plans in the field.

Except that in the Manning leak, the military or intelligence agencies have yet to point to a single agent or operation in the field that was stopped due to the leak. They've just repeatedly asserted this point without proof, and that means significant numbers of Americans believe them.

Re:so he did in fact break the law

[reve_etrange]

Don't forget, she leaked "collateral murder." That is whistleblowing if ever a whistle has been blown.

Re:so he did in fact break the law

[DinDaddy]

Explain how any whistleblower is supposed to expose something if they are not allowed to make information public that the public does not already have access to?

Re:

[schneidafunk]

My point is I was under the impression he had the information readily available to him through his job, like Mark Felt. "Hacking" into areas he has no business in is a different story than what has been presented. It makes his defense, if he were to come back to the U.S., deserving of protection under the whistleblower status less credible.

Re:so he did in fact break the law

[s.petry]

Technically they are not supposed to go immediately to the public. Military, Government, and DOD people are supposed to use the chain of command first. Unfortunately, this does not work in most cases since the chain of command in a corrupt organization is also corrupt. Numerous court cases and stories are to be found regarding how internal whistle blowers are treated (sometimes killed with their whole family, etc...)

What Snowden did in this case is correct. Not going public mind you, but going to journalists who are supposed to be working for the public's interests.

What I, and many others, find so interesting is that our media has become so corrupt that we have to have alternative news sources which hold the original 'credo of journalism' in mind when working. I'm sure if he turned the data over to the NY Post, he would have been in jail and the public would still have no knowledge.

Lengthy chain to get to the point, but the point is that he did not go "public". He went to journalists, and did so correctly in my never so humble opinion. Part of the journalism credo is to determine what to release to the public in order to present the story while protecting the Government.

Re:so he did in fact break the law

[Darkinspiration]

I'll point you to a huge corruption case currently ongoing in Quebec, It's a textbook case of having internal affair that is not working properly and become so useless that it's not even a stopping block to the corruption system. Stories like the construction contract in the city of laval where internal affair was in the system of Montreal where internal affair was flushed.... Yeah, it's not always that easy.

Re:

[epyT-R]

Not when these actions expose illegal behavior by the government... Remember, it was this government that created such law in the first place. The more of their own law they violate, the less legitimacy they have.

Law and ethics are not necessarily congruent.. in fact, a lot of times, they aren't, but are passed off to be by politicians and ideological zealots.

Re:Integrity

[h4rr4r]

People with integrity are not going to be working for the NSA. Kinda runs counter to what they do.

Re:

[Anubis IV]

Or maybe they didn't know about this sort of stuff at the time they joined it? Seems to me that most whistleblowers end up blowing the whistle because things were not what they expected as they got higher up in an organization or were exposed to more of its inner workings. If everyone with integrity had enough information to steer clear of the jobs that had them doing illegal/immoral/otherwise wrong stuff, we'd never have any whistleblowers, since those people would all be working for upstanding organizatio

Re:

[tgd]

People with integrity are not going to be working for the NSA. Kinda runs counter to what they do.

The NSA didn't somehow magically find and hire many thousands of evil people, any more than the military managed to find and hire a quarter million murderers. People tend to take jobs like that because they believe in what they're doing, and because they believe they're helping. Now, their beliefs may be wrong by your opinion, or by a large swath of society, but it doesn't invalidate their beliefs or suggest they have no integrity. In fact, I'd argue its the exact opposite. They have so much integrity, they

Re:Integrity

[mwvdlee]

The problem is that integrity usually comes with morality.
A moral person does not cover up injustice.

Re:We're fucked

[bware]

OMG these people are looking incompetent. OTOH the general public may believe them and think snowden has super powers and this isn't someone elses fault.

This isn't about competence or incompetence. It's about putting as negative a spin as possible on Snowden.

Float a lot of trial balloons, make sure negative things get out there via anonymous sources, even if rebutted the next day, then the "traitor" contingent can forever quote the negative and leave the detailed rebuttals to others, which no one will read.

To wit: in this thread, Manning is excoriated as a traitor for releasing all the documents unredacted, but Manning did not - that was accomplished when professional journalists from the Guardian published the passphrase for an encrypted file.

Re:sure

[Coeurderoy]

Yeah, hire that incompetent idiot who will design the security precautions wrong in the first place. That'll work a lot better.

Can't do that, he left three years ago and is now working for something like northrop grumman or bechtel .... selling platforms to the NSA...