Snowden Spoofed Top Officials' Identity To Mine NSA Secrets 743
schnell writes "As government investigators continue to try to figure out just how much data whistleblower Edward Snowden had access to, MSNBC is reporting that Snowden used his sysadmin privileges to assume the user profiles of top NSA officials in order to gain access to the most sensitive files. His sysadmin privileges also enabled him to do something other NSA users can't — download classified files from NSAnet onto a thumb drive. 'Every day, they are learning how brilliant [Snowden] was,' said a former U.S. official with knowledge of the case. 'This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble.'"
You don't get to hire smart people for this job. (Score:5, Interesting)
You either get brilliant or you get mildly capable. Smart people know they don't want to work in that environment. Brilliant people will take the job knowing they can use it to some kind of end. Mildly capable people handle requests and not much more, but are just happy to have a stable job in their field.
Brilliant? (Score:3, Interesting)
Re:so he did in fact break the law (Score:5, Interesting)
Sorry, I am a fan of him and grateful he leaked only certain documents as opposed to Manning just dumping everything out into public, but stealing classified documents to leak is a bit different than the story we've been given as a true whistle-blower.
I think the type of information Snowden took was of a different sort. He stole information detailing the existence of spying programs, how they worked and their extent putting the programs themselves at risk whereas Manning stole and leaked operational information that potentially put lives at risk by exposing agents in the field and/or operational plans in the field.
What Snowden leaked so far embarrasses the government but is not "outing" anyone as an agent. This is more inline with what a whistleblower would usually talk about. He leaked the powerpoint slides as evidence of his claims.
Re:so he did in fact break the law (Score:4, Interesting)
Re:Amended quote (Score:5, Interesting)
I'm more worried that they're saying he was "brilliant." Those actions are trivial. I'm disappointed that's all he had to do to get that info.
Agree with his actions or not, anyone who declared him anything more than "some sysadmin who took some liberties with his access" shouldn't be in charge of gathering, investigating or protecting anyone's sensitive data.
THIS.
I came to post the same thing. This is like calling a child that signs their parents name on a school note as "brilliant". Sysadmin has access to everything, it's like saying the locksmith is "brilliant" for opening the door.
Re:Amended quote (Score:0, Interesting)
Yeah, and we want to portray him as a brilliant benevolent genius who should be deified for all of time (as he's obviously so much a martyr) rather than sort of a douche who took this job just to search for something to make himself a hero before he got fired. It's all perspective.
Seriously, how long did he work for them before he found this out? Unless he's taking the fall for someone on the inside who told him this, he couldn't have had any knowledge of this beforehand. That, to me, screams "I want to become a hero, I just need to find some way to force it to happen", and regardless of how lucky he was that he found something like that and how important it was, that's setting one hell of a dangerous precedent.
What I'm saying is, the next wannabe Edward Snowden most likely won't be so lucky and might make a fool out of him/herself and the community of people who want to keep an eye on this sort of abuse.
Re:so he did in fact break the law (Score:2, Interesting)
Sorry, I am a fan of him and grateful he leaked only certain documents as opposed to Manning just dumping everything out into public, but stealing classified documents to leak is a bit different than the story we've been given as a true whistle-blower.
That is a misconception. CIA claims that the documents were classified, but since the documents describe CIA committing crimes it is clear that whoever classified the documents didn't do his job since he should have reported the crimes rather than classifying the documents.
In the end there is no way for the documents to be legally classified.
Think of it this way: Many readers here are developers and as such it is common to have to sign an NDA. This could for example prevent you from telling anyone what your company is doing.
If you after you have signed the NDA finds out that the product your company is manufacturing requires human spines and that they are harvested from homeless people it doesn't matter what the NDA says, the NDA is no longer worth shit and you have an obligation to report the crime. Anyone from the company who tries to stop you is a criminal since they are aiding the crime.
In essence. If you want to keep your actions secret, make sure that they are legal.
That's what ONE PERSON said (Score:3, Interesting)
There are thousands of "brilliant" people in many disciplines who work at NSA. Snowden was no more special than any of them, and any other decent sysadmin could do what he did, from a technical perspective.
Of course, NSA could be doing anything that someone, somewhere would still think "deserved" to be leaked; if a single individual decides to leak classified information, does that always make him/her a "whistleblower"?
Before you say, "When it reveals [insert behavior I don't agree with here], absolutely!" consider that what one person believes to be "wrong" (even if, by definition, lawful) is another person's completely justified behavior.
In a free and democratic society based on the rule of law, one who BOTH unilaterally decides to subvert the law, and along with it the processes we have built, AND flees from all consequences of their actions must be counted as an enemy of democracy.
I can hear the cries now that it's "NSA" that is the enemy of democracy; while we can disagree on exactly what the NSA should be doing and precisely how it does it, there is NO WAY that NSA can do foreign SIGINT in a digital world without having access to the exact same systems and networks that Americans and everyone else uses. The needles are all in the same haystack, and you can't have access to only the legitimate foreign intelligence targets without necessarily having theoretical "access" to everything.
Anyone approaching this issue from a remotely rational standpoint understands that to be true, and if you believe the United States should be able to conduct foreign SIGINT, the only question is the "how" â" from technical, legal, and policy perspectives. Nearly everything Snowden leaked beyond the phone call metadata collection (which is explicitly lawful and Constitutional, by definition, because of a Supreme Court ruling 34 years ago) has to do exclusively with foreign intelligence activities.
You really think that's what we need to "blow the whistle" on? That one person can decide, on their own, that they "disagree" with something, and publicly leak it? And if you're an "information wants to be free" type, or one of those who believes the US is what's wrong with the world, or that we shouldn't even be doing the level of foreign intelligence collection that we're doing, I wonder if you have ever considered that there are actual threats in the world, which are neither imaginary nor monsters of our own creation, that don't subscribe to the principles you would claim to hold dear, and which need to be countered.
By all means, keep focusing on technical errors and isolated examples of abuse, that are in fact so isolated that it represents an agency operating at near-perfection in terms of error and abuse rates.
It's a shame that you can't see the forest for the trees.
Re:Amended quote (Score:4, Interesting)
Well, you are assuming 2 things:
That being said, even if it was Linux based, the article doesn't claim he "accessed the data as root"; it says he assumed the "online" identity of top officials. In other words he logged in as, or otherwise tricked the system into auth'ing him as, other users. Of course, the very fact that the journalist calls it an "online identity" makes it clear that the journalist doesn't understand a lick of what he is writing.
Re:Amended quote (Score:5, Interesting)
"... and by the way, in order to prevent such brilliant people from exposing us like that in the future, we've just told all the sysadmins with the same access level that 90% of them will be fired."
Brilliant, indeed.
Re:Amended quote (Score:5, Interesting)
This. A thousand times this.
Read the two articles linked in the summary. They're both on NBC news and published within three days of each other, and both are essentially the same story. The difference in the articles?
The older one (byline "Richard Esposito and Matthew Cole") says, "Duh. He's a sysadmin. He's capable of creating accounts with arbitrary permissions, and of violating the air gap between the secure and insecure sides. Of course he can do that, it's in his job description!"
The newer one (byline "Richard Esposito, Matthew Cole and Robert Windrem") says, "Whoa! This guy knows how to impersonate people on a computer! No one but a brilliant uber-hacker could do that! This guy is a menace! An evil genius of a degree seen only in Bond villains!"
I don't read or watch NBC news, and I've never even heard of any of these reporters before. But my guess is that Esposito and Cole are the tech beat guys, and Windrem is managerial. If we assume stupidity, Windrem simply said "This story is dull. I'd better punch it up a bit." If we assume malice, Windrem said "This makes the NSA sound dumb. Let's play it for the brilliant hacker angle instead." If we assume conspiracy, some nice men in dark sunglasses approached Windrem and said "This story doesn't fit with our narrative of Snowden being a dirty rotten traitor. Fix it."
Re:Amended quote (Score:4, Interesting)
Oh, no. That choice of words was almost certainly deliberate, and provided by the government. By using the words "online identity", they can charge him with identity theft, and they'll have more of a chance of getting extradition from Russia. Why? Because "identity theft" sounds a lot more criminal than "read the guy's password off the Post-it on the underside of his keyboard."
Re:Amended quote (Score:2, Interesting)
Such separation of access is fundamentally impossible. You either trust the admin or you don't. Anyone who says otherwise is simply kidding him/herself.
The admin is responsible for installing software. In a matter of minutes, I can patch any app to silently write a copy of each file that the user accesses in a shared location or upload it to a server somewhere. If I'm the admin and can therefore cause those other people to run my Trojan version of the app, then their data is compromised.
What if the operating system's kernel will only run software that has been digitally signed by two or more administrators, and the computers BIOS only runs kernels that have similar signatures (using a TPM module or similar)? Now your trojan app won't run.
There are still ways around this, but they are substantially harder. You could try to fool the stupidest of your colleagues into co-signing a fake update, but if it fails you are likely to be caught. You could simply team up with other crooked administrators but then you run the risk that one of them is less crooked then you thought and will report you for even suggesting such a thing. You could take the computer offline and replace it with a similar looking one with a dummy TPM module, but this will be noticed - either the outage or the fact you are taking a computer into the datacenter for no reason. You could crack the digital signature system, but this isn't easy...
An analogy is accounting. Small businesses often only have one book-keeper and small business frauds often involve the book-keeper stealing and covering up with fake entries - for example, inventing a fake supplier and then paying imaginary invoices. In large businesses, the accounts receivable, accounts payable and bank reconciliation departments involve multiple people who may be in different offices. You would need to trust a dozen people to work together pull off a similar fraud. That's why large business frauds are usually by the people at the top - financial controllers or CFOs - and usually involve financial reporting fraud rather than asset appropriation.
Re:Amended quote (Score:4, Interesting)
So there you go - even professionals that work with computers a great deal think something as simple as ping is a dirty hacker tool of evil, and it's a far more common mindset than my single example. They are so deluded that they see me as a "white hat cracker" just because I use nmap, tcpdump and the rest.
Also don't take this as a rant against engineers. I was one for a couple of decades until I wandered into IT via cluster computing.