The use of the word "impersonated" stinks to high heaven. There is a big difference between an admin logging in as someone else and someone "impersonating" someone on TV or over the phone.
That would be like having secret documents in a drawer marked "John Smith," then saying that someone who opened that drawer and took some documents was "impersonating" John Smith.
Then there's the bit about "hiring brilliant people." What's so brilliant about someone with root access having access to everything? Nothing. That's what root access enables. It's not a case of Snowden's brilliance. It's a case of the NSA's administrative incompetence: there should be auditing in place.
EDIT: So there was RBAC in place. Evidently, the implementation was botched. Amounts to the same thing: "security theater." This actually bolsters Snowden's case that whistleblowing was justified.
If the NSA didn't guard against him using accounts with more clearance to download documents he wasn't supposed to have access to, I don't think Snowden's intelligence is what we should be worried about.
Which I don't understand... they're claiming that we should trust them but they aren't (or shouldn't be [hiring]) the most brilliant people. So, how many other holes exist in their systems and oversight that are unknown because there aren't brilliant people finding them?
Wasn't the original story that he was a high school dropout, glorified keyboard jockey who was way overpaid for what his job entailed? These guys need to get the message straight.
Was he brilliant? Or is that just a story -- "nobody else out of NSA's 20,000 employees is spying on people they shouldn't because they're just "great" not "brilliant", so don't worry!"
I know the article is only to report what is said and it might be taken out of context. However, I am disturbed by the kind of mentality around hiring "great" and "brilliant" employees. I see no future with that kind of organizational thinking.
That is the issue with technology and those in power who don't know how to use it. If a General or higher up is having an issue with classified data, it's not like he can just look at the error message and then go home for the day, he requires an IT team to help and maintain the systems.
A DBA can't do their job if they can't access the databases they manage/design/maintain.
I'm highly skeptical of the reporting. He may have impersonated other accounts to cover his tracks but if he had physical access to a system or the user database of a system then he was "authorized" to see all of the data on that system. Or they are doing IT security worse in that office than it is usually done.
I see two possibilities, though I am not that well-versed in the software used at the NSA:
1. Administrator accounts were not confined (in the SELinux sense), so he was able to transition to whatever security context he needed/wanted.
2. He was able to set up the login credentials for other users. He could have created his own accounts with higher-level clearances, or set up his own smartcard for logging in to some other person's account, etc.
It may seem like poor design, but it is understandable why things might have been set up like that. In the first case, it is because the admins need to be able to solve problems that happen in a variety of security contexts / levels, and the overhead of defining a second set of policies governing the admins was just too high. In the second, it would be because someone has to be able to set up credentials and that there are a lot of systems for which credentials must be set up, making it hard to impose restrictions. There is also the matter of audit logs -- it might not be so bad to allow an admin to transition to whatever security level if each transition is logged.
I suspect that much of the NSA's computer security is devoted to ensuring that people do not accidentally leak classified information, and that preventing insider attacks is done at a higher level (the clearance process, random audits, etc.).
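The audit-log point in the comment above (let an admin change security level, but log every transition), as an added example that is not part of the original thread: Python that reviews Linux audit `USER_ROLE_CHANGE` records and flags transitions above the login account's clearance. The log lines, account ids and the `CLEARANCE` table are constructed, and the record layout is assumed to follow the message `newrole` writes.

```python
import re

# Constructed sample records, modeled on the USER_ROLE_CHANGE message that
# newrole writes to the Linux audit log. Every value here is made up.
SAMPLE_LOG = """\
type=USER_ROLE_CHANGE msg=audit(1380000001.100:101): pid=2211 uid=1001 auid=1001 ses=3 subj=staff_u:staff_r:staff_t:s0-s2 msg='newrole: old-context=staff_u:staff_r:staff_t:s0-s2 new-context=staff_u:sysadm_r:sysadm_t:s0-s2 exe="/usr/bin/newrole" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_ROLE_CHANGE msg=audit(1380000050.200:117): pid=2290 uid=0 auid=1001 ses=3 subj=staff_u:sysadm_r:sysadm_t:s0-s2 msg='newrole: old-context=staff_u:sysadm_r:sysadm_t:s0-s2 new-context=staff_u:sysadm_r:sysadm_t:s5:c0.c1023 exe="/usr/bin/newrole" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_ROLE_CHANGE msg=audit(1380000090.300:130): pid=2301 uid=1002 auid=1002 ses=4 subj=user_u:user_r:user_t:s0 msg='newrole: old-context=user_u:user_r:user_t:s0 new-context=user_u:sysadm_r:sysadm_t:s3 exe="/usr/bin/newrole" hostname=? addr=? terminal=/dev/pts/1 res=failed'
"""

# Hypothetical clearance table: login uid -> highest sensitivity allowed.
CLEARANCE = {1001: 2, 1002: 0}

RECORD_RE = re.compile(
    r"type=USER_ROLE_CHANGE msg=audit\([\d.]+:(?P<serial>\d+)\):"
    r".*?\bauid=(?P<auid>\d+).*?old-context=(?P<old>\S+)"
    r" new-context=(?P<new>\S+).*?\bres=(?P<res>\w+)"
)


def max_sensitivity(context):
    """Highest sN in the MLS range of a user:role:type:range context."""
    parts = context.split(":", 3)
    if len(parts) < 4:          # policy without an MLS field
        return 0
    # "s0-s2" -> 2, "s5:c0.c1023" -> 5 (categories start with c, not s)
    return max((int(n) for n in re.findall(r"\bs(\d+)", parts[3])), default=0)


def review_transitions(log_text, clearance):
    """Return one finding per transition that needs a human look."""
    findings = []
    for m in RECORD_RE.finditer(log_text):
        # auid is fixed at login and survives su/sudo, so it identifies the
        # person even when uid has become 0.
        auid = int(m["auid"])
        allowed = clearance.get(auid, -1)   # unknown account: nothing allowed
        level = max_sensitivity(m["new"])
        reasons = []
        if level > allowed:
            reasons.append("level s%d above clearance s%d" % (level, allowed))
        if m["res"] != "success":
            reasons.append("denied attempt")
        if reasons:
            findings.append({
                "serial": int(m["serial"]),
                "auid": auid,
                "roles": "%s -> %s" % (m["old"].split(":")[1],
                                       m["new"].split(":")[1]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_transitions(SAMPLE_LOG, CLEARANCE):
        print(finding)
```

Such a review only has value if the audit trail is shipped somewhere the reviewed admins cannot edit.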
Aren't these stories sort of the very definition of spin propaganda?
At least Snowden hasn't been locked away in a hole for three years only to be brought out into the public to tell everyone he really thinks he's a woman.
I think it might be a little more complex than that, but in essence, yes. In these types of environments you will have certificates (browser based or otherwise), he could have fabricated digital keys or stolen these from some type of key store, and then used them on his behalf.
> NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden fabricated digital keys that gave him access to areas way above his clearance as a low-level contractor and systems administrator. [1]
Brilliant people see through the propaganda that the government needs to feed its own employees. Brilliant people are harder to train to be a cog in the machine. The NSA needs people who are just intelligent enough to solve infrastructure / software / etc. problems, but not so smart that they start questioning the broader goals of the organization.
The army breaks down a soldier's individuality as part of a soldier's training. The NSA does not have that luxury (as far as I know), and Booz Allen Hamilton certainly does not.
Well, thank goodness only one "brilliant" person has ever snuck past the NSA's defenses. If two or more ever got in, they'd establish themselves as our hereditary emperors in no time.
IMO the solution is not keeping the top cryptographers, security experts, et al. out of the agency that is supposed to protect the country from the top cryptographers and security experts from other countries. Seems like a flawed idea right from the start. You just need to make sure the people you hire are actually on your side.
I disagree, the solution is more likely not doing anything morally questionable because the pool of talented people without morals is significantly shallower than the pool with, in my experience.
That may work in theory, but it's not always possible to know who's on your side. For an especially control-obsessed agency like the NSA that wants to know everything, this approach is completely unpalatable. Large institutions with sensitive information, whether public or private, generally don't know or trust their lower level employees (and a sysadmin is "lower level" in this context). They want solutions that prevent access by default. The NSA seems to have figured out that relying on sysadmins as a trusted party (a contracted trusted party, specifically) exposed a big hole in their ability to control things. It should have been obvious that contracting out a role that requires an extreme amount of trust was a bad idea, but large institutions often don't learn obvious lessons until someone makes them pay for their mistake.
I know I'll get downvoted for this. Please be a contributing community member of HN and state why.
Have any of the NSA leaks told us anything we don't know? Haven't the majority of the leaks told our foreign enemies how to avoid being tracked more than anything? I have yet to see any serious abuse of the NSA's power. The fact that they know that low level employees were spying on potential love interests means that they have a system in place to track such abuses. Leaking those kinds of emails can be spun to state the opposite, when those emails are direct evidence that such abuses are tracked and presumably punished.
I've seen articles that have said "what if they use this power to subvert political dissidents." Well, what if they actually have checks built into this system as they have claimed and this new information proves? Such rumor spinning gets us nowhere as a society. Wouldn't that make Snowden a spy with his own self interests at heart, not the interests of the American people? Leaking piecemeal like he has is in his interests, not ours.
Look at the scope of these systems. The fact that no abuses have come up (locally) is quite telling, imho. When this same type of hardware is in the hands of countries like China, we see these abuses. Is China seeing something we don't and just not telling us? I highly doubt it.
>Have any of the NSA leaks told us anything we don't know? Haven't the majority of the leaks told our foreign enemies how to avoid being tracked more than anything?
Are the two mutually incompatible?
>The fact that they know that low level employees were spying on potential love interests means that they have a system in place to track such abuses.
The love interest thing wasn't part of a leak, was it? I thought they just voluntarily disclosed it, probably to distract from thoughts of domestic spying on e.g. political views, rather than petty tabloid personal stuff.
"Have any of the NSA leaks told us anything we don't know?"
Anything we i.e. the readership of HN / Slashdot / Reddit / etc. do not know? Of course not. That accounts for about 2% of the population of the United States. The rest of America is still trying to get past the "but I am not even interesting, why would the NSA spy on me?" stage of life.
"Haven't the majority of the leaks told our foreign enemies how to avoid being tracked more than anything?"
How is that coherent with your first sentence? If the leaks did not tell us anything we do not already know, surely they are not telling our enemies anything they do not already know.
The reality is that foreign governments already know that the US is trying to spy on them. Terrorists know that too. That is why foreign governments use cryptography and other information security techniques. That is why terrorists deliver notes by courier.
"what if they actually have checks built into this system as they have claimed"
...this is a story about a low-level sysadmin who walked out of the very same organization with an untold number of classified documents. What checks do you think are built in, exactly?
"they know that low level employees were spying on potential love interests"
I think your question has been settled: no, effective checks on the NSA's power are not in place. Obama could not care less about some low level guy's love interests. Of course, those pesky journalists pointing out the ways he has lied, abused Presidential authority, etc., that's another story...
> Have any of the NSA leaks told us anything we don't know?
Yes. Due to the Fourth Amendment (I'd recommend reading it), I'm definitely surprised at the scope of what has come to light. These actions directly contradict it, both in letter and spirit.
> I have yet to see any serious abuse of the NSA's power.
Please make a modest effort before making such statements.
1. The fact that the blanket spying exists at all is an abuse. It is a DUI checkpoint on every single road, every day, instead of pulling over swerving drivers.
2. Secret laws, courts = abuse. In America?
3. No oversight, Congress un/misinformed = abuse!
4. The sympathetic FISC court itself has ruled many actions have been unconstitutional. Abuse!
5. That the leak we're talking about exists is an abuse!
6. If there have been admitted abuses, the number of non-disclosed must be far larger. Due to #5 we know they are quite possible.
7. Harassment of journalists, families, abuse.
In short, it is abusive from macro to micro. Betterunix's reply points out your multiple-contradictory statements.
[+] [-] stcredzero|12 years ago|reply
[+] [-] rhizome|12 years ago|reply
This has been a buried lede since the beginning: under the Common Criteria, what EAL was supposed to be in place for his role?
[+] [-] AsymetricCom|12 years ago|reply
[+] [-] sczkid|12 years ago|reply
[+] [-] jrs235|12 years ago|reply
[+] [-] defen|12 years ago|reply
[+] [-] john_b|12 years ago|reply
[+] [-] randallu|12 years ago|reply
[+] [-] avelis|12 years ago|reply
[+] [-] walshemj|12 years ago|reply
[+] [-] Ellipsis753|12 years ago|reply
[+] [-] theg2|12 years ago|reply
[+] [-] pilom|12 years ago|reply
[+] [-] betterunix|12 years ago|reply
[+] [-] pothibo|12 years ago|reply
[+] [-] danielharan|12 years ago|reply
[+] [-] clueless123|12 years ago|reply
[+] [-] ChikkaChiChi|12 years ago|reply
[+] [-] kleiba|12 years ago|reply
[+] [-] WestCoastJustin|12 years ago|reply
[1] http://www.businessinsider.com/edward-snowden-copied-a-lot-o...
[+] [-] betterunix|12 years ago|reply
http://linux.die.net/man/1/runcon
[+] [-] rhizome|12 years ago|reply
[+] [-] sliverstorm|12 years ago|reply
[+] [-] shortcj|12 years ago|reply
[+] [-] DamnYuppie|12 years ago|reply
[+] [-] pothibo|12 years ago|reply
>> "You hire smart people. Brilliant people get you in trouble."
What does that even mean?
[+] [-] betterunix|12 years ago|reply
[+] [-] kirksan|12 years ago|reply
[+] [-] gojomo|12 years ago|reply
[+] [-] sliverstorm|12 years ago|reply
[+] [-] eliasmacpherson|12 years ago|reply
[+] [-] john_b|12 years ago|reply
[+] [-] AsymetricCom|12 years ago|reply
http://en.wikipedia.org/wiki/2013_mass_surveillance_disclosu...
[+] [-] cma|12 years ago|reply
[+] [-] betterunix|12 years ago|reply
[+] [-] mixmastamyk|12 years ago|reply
[+] [-] jgg|12 years ago|reply
Also, it's spelled "asymmetric", Che.