
Snowden Used Social Engineering To Get Classified Documents

Soulskill posted about 10 months ago | from the if-you-find-this-interesting,-please-enter-your-SSN dept.

Government 276

cold fjord sends this news from Reuters: "Edward Snowden used login credentials and passwords provided unwittingly by colleagues ... to access some of the classified material he leaked. ... A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments. ... Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator. ... People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records. ... The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.'"
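The summary says the bill would fund "software designed to spot and track attempts to access or download secret materials without proper authorization", but not what such software looks at. The following is an added example, not code from the Reuters story, from Slashdot or from any agency, of the simplest signal the credential-sharing scenario leaves in ordinary authentication logs: one source machine succeeding as many different accounts in a short window, and accounts logging in from somewhere other than their usual workstation. The log lines, the `sshd`-style format, the addresses and the per-user baseline are all constructed for the example.

```python
"""Spot one workstation logging in as many different accounts.

Added example; not code from the story, the site or any agency. The log
lines are constructed and the line format is assumed (loosely modelled on
OpenSSH's "Accepted password for ... from ..." messages). Two rules:
  1. a source address that succeeds as several distinct accounts inside a
     short window (someone typing borrowed credentials at one desk);
  2. an account that succeeds from a host other than its usual one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.5.99 is one machine using four people's logins.
SAMPLE_LOG = """\
2013-05-01T09:01:12 sshd: Accepted password for alice from 10.0.5.21
2013-05-01T09:03:40 sshd: Accepted password for bob from 10.0.5.22
2013-05-01T10:15:02 sshd: Accepted password for alice from 10.0.5.99
2013-05-01T10:16:30 sshd: Accepted password for bob from 10.0.5.99
2013-05-01T10:18:05 sshd: Accepted password for carol from 10.0.5.99
2013-05-01T10:19:44 sshd: Failed password for dave from 10.0.5.99
2013-05-01T10:20:10 sshd: Accepted password for dave from 10.0.5.99
2013-05-01T14:00:00 sshd: Accepted password for carol from 10.0.5.23
"""

# Assumed "usual workstation" per account; in practice learned from history.
BASELINE = {"alice": "10.0.5.21", "bob": "10.0.5.22",
            "carol": "10.0.5.23", "dave": "10.0.5.24"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log):
    """Turn raw lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "Accepted",
        })
    return events


def shared_credential_sources(events, min_users=3, window=timedelta(minutes=30)):
    """Rule 1: {src: sorted accounts} for every source that succeeded as at
    least min_users distinct accounts within some span no longer than window.
    Failed attempts are ignored; they belong to a brute-force rule, not this one."""
    by_src = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):  # sliding window over time-ordered successes
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            users = {e["user"] for e in evs[lo:hi + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(set(flagged.get(src, [])) | users)
    return flagged


def off_baseline_logins(events, baseline):
    """Rule 2: (user, src) for each success from a host other than the
    account's baseline host. Accounts with no baseline entry are flagged too."""
    return [(e["user"], e["src"]) for e in events
            if e["ok"] and baseline.get(e["user"]) != e["src"]]


def report(log, baseline=BASELINE):
    """Run both rules over one log text and return the findings."""
    events = parse(log)
    return {"shared_sources": shared_credential_sources(events),
            "off_baseline": off_baseline_logins(events, baseline)}


if __name__ == "__main__":
    for name, finding in report(SAMPLE_LOG).items():
        print(name, finding)
```

On the constructed sample, rule 1 flags 10.0.5.99 for alice, bob, carol and dave within five minutes, and rule 2 lists the same four logins as coming from a host that is not the account's own. Neither rule needs the shared password itself; both work from records an administrator who "obscured some electronic traces" on the target hosts would have had to reach a separate log collector to alter, which is the reason such logs are shipped off-box.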

276 comments

Snowden is a hero! (4, Insightful)

For a Free Internet (1594621) | about 10 months ago | (#45369667)

Lifting a little corner of the veil over the monstrous crimes of imperialism! Only a workers revolution will put an end to imperialist barbarism!

Re:Snowden is a hero! (5, Funny)

Anonymous Coward | about 10 months ago | (#45369813)

I agree, comrade! Snowden deserves to be recognized as a Hero of the Soviet Union [wikipedia.org], but since those are no longer available a Hero of Russia [wikipedia.org] will have to do. Perhaps the FSB [wikipedia.org], née KGB, will someday announce his promotion! Glory to the workers of the Cheka for this achievement! We stand in solidarity with those that would smash capitalism and the bourgeois internet! Long live the dictatorship of the proletariat!

Fire them (4, Insightful)

sunderland56 (621843) | about 10 months ago | (#45369673)

Anyone working in the security field who gives up their password is an idiot, and should be fired.

Re:Fire them (2)

varmfskii (2910763) | about 10 months ago | (#45369709)

I totally agree. What kind of an idiot gives their password to an administrator?

Re:Fire them (5, Funny)

Qzukk (229616) | about 10 months ago | (#45369761)

What kind of an idiot gives their password to an administrator?

Not Terry Childs!

Re: Fire them (0)

Anonymous Coward | about 10 months ago | (#45369957)

Terry had group VPN passwords.

Re:Fire them (1)

Anonymous Coward | about 10 months ago | (#45369773)

I know right. It's not like a System admin can change or reset a password to gain access to the same document.

Re:Fire them (1)

Anonymous Coward | about 10 months ago | (#45369923)

I suspect the admins can't actually change passwords and can only apply a reset. I assume when they perform a reset they don't have access to the new password either.

Re:Fire them (5, Informative)

TheCarp (96830) | about 10 months ago | (#45369927)

What org was it that wrote the SELinux extensions? Oh right, the NSA.

I took an SELinux class a while back; it is not necessarily the case that this is true. It's true in all my environments, but I have never seen any environment where SELinux was actually used.

The default policy on most distros, the "Targeted" policy, is pretty lightweight. It's the horror movie equivalent of Scream. Fully locked down SELinux is more like... Faces of Death.

It is entirely possible to have a system administrator who does NOT have that kind of access under the NSA's mandatory access control model. That doesn't mean they have it implemented that way, but it is possible that they could; the tools exist, and they wrote them.

Re:Fire them (3, Informative)

eric_herm (1231134) | about 10 months ago | (#45370305)

You can fully divide the admin task with SELinux, like having one admin who can disable SELinux (or rather "update the policy"), and having another doing operational stuff (like logging in as root). So technically, the first one can disable protection for the 2nd one, but cannot do much by itself. And with protected physical access, you can pretty much have a rather locked down system. Not protected against 2 rogue admins, of course, but being protected against 1 is already better than most systems.

And regarding environments where SELinux is used (besides targeted), you can take a look at the OpenShift service from RH; they do use it a lot to separate users. But you are right that for most people, using more than the targeted policy is a bit overkill, since people do not care that much about security (and when they do care enough to not disable SELinux, firewall and everything that makes stuff so hard).

Re:Fire them (1)

Doug Otto (2821601) | about 10 months ago | (#45370321)

I have never seen any environment where SELinux was actually used.

I have. It was a PITA. Shit would just "not work" and you'd have to dig through audit logs to find why. Most of the time it was some undocumented interaction with some other file or interface. Do not like!!!

Re:Fire them (5, Informative)

s.petry (762400) | about 10 months ago | (#45370365)

I have never seen any environment where SELinux was actually used.

I worked in DOD for more than a decade, we used SE Linux from the time it was available. Before that, we used LAUS. If you don't use it or know people that do, why are you going to make false claims like "Fully locked down SELinux is more like....faces of death."? If you never used it, you obviously should not be making bogus claims. Fully locked down and properly configured SELinux is a nightmare for auditors, not admins.

It is entirely possible to have a system administrator who does NOT have that kind of access under the NSAs mandatory access control model. That doesn't mean they have it implemented that way, but, it is possible that they could, the tools exist; and they wrote them.

No offense, but your second sentence contradicts your first claim. Is it not more likely that where he was working they were not using a properly configured access control system? System being architecture, implementation, and auditing to ensure people don't break things.

Probably because I have lived the life, I can speak first hand to knowing that not all DOD places were the same. I happened to build and design the first classified networked systems off of a military base (yeah yeah, big whoop wanna fight about it?). My primary responsibility was building and designing these systems, writing tools for the auditors, and writing tools to ensure everything worked all the time. At the same time, I spoke often with agents that had other customers that did nothing, or, used good old fashioned someone watching a person at a single terminal and writing things down manually. (no SELinux, no tools, no automation).

By Snowden's own claims he had access to things he should not. That to me indicates that the contractor he was working for had no real security in place. Anything I can bypass by killing syslogd or removing history is not "real", sorry. SELinux is the answer, but it's time consuming to get right and takes a dedicated regular staff of good auditors and admins to maintain. If you cut corners to save money and lack the proper staff, of course people can do things you don't know about. If you are doing illegal things that your staff questions, you just fucked yourself no matter how much staff you have.

Re:Fire them (1)

mt1955 (698912) | about 10 months ago | (#45370257)

I totally agree. What kind of an idiot gives their password to an administrator?

Victims of the BOFH [ntk.net]

Re: Fire them (0)

Anonymous Coward | about 10 months ago | (#45370341)

I think you mean: what kind of idiot who's working for the frigging NSA gave their password to Snowden?

Re:Fire them (1)

ultranova (717540) | about 10 months ago | (#45370683)

What kind of an idiot gives their password to an administrator?

An authoritarian - someone who breaks laws, rules and regulations if a perceived authority figure tells them to.

Now, what kind of person is someone hiding NSAs dirty laundry likely to be?

Re:Fire them (2)

Presto Vivace (882157) | about 10 months ago | (#45369851)

We have not heard Snowden's version of events.

Re:Fire them (1)

Anonymous Coward | about 10 months ago | (#45369989)

Does it matter?

Knowing what NSA one can even argue that it would have been justified to murder someone to get the data out.

This is just one of cold fjord's lame attempts at character assassination, and the only thing he has accomplished with it is to show how incompetent the people at the NSA are when it comes to handling confidential data.
Not only should they not spy on the population, they can't even be trusted with the data they have illegally acquired.

Re:Fire them (0)

Anonymous Coward | about 10 months ago | (#45370057)

So you're saying that revealing what Snowden has done is character assassination? Isn't that an indictment of Snowden?

Re:Fire them (4, Insightful)

somersault (912633) | about 10 months ago | (#45370099)

Yep. There is literally no other way of stopping this kind of secret government behaviour than kicking up a massive shitstorm before it gets too out of hand. Boohoo, the guy did something illegal while outing you for all your illegal and immoral bullshit. Everyone else in the world would give him a medal, but the government (apparently) think that pointing out that he stole some passwords will make us hate him?

Re:Fire them (1)

eric_herm (1231134) | about 10 months ago | (#45370355)

I see more someone saying "OMG NSA is so stupid" rather than someone trying to tarnish Snowden's reputation.

Re:Fire them (2, Funny)

marcello_dl (667940) | about 10 months ago | (#45370423)

> ... he stole some passwords ...

and he didn't even do that, he merely copied them. This intellectual property debate is going out of hand!

Re:Fire them (0)

Anonymous Coward | about 10 months ago | (#45370081)

you're not implying that the NSA would misrepresent the truth are you??

Re:Fire them (1)

Anonymous Coward | about 10 months ago | (#45370105)

He probably just read the passwords from the post-it attached to his co-workers screens ...

Re:Fire them (3, Informative)

cffrost (885375) | about 10 months ago | (#45370661)

We have not heard Snowden's version of events.

We haven't really heard anyone's version of any alleged events; RTFA — the sources for this piece are literally referred to as "sources."

If this is a propagandist's attempt at a smear-piece, it's a bad one. If the claims in this article are true, it's a greater indictment against NSA's security policies than it is against anything Snowden has done. What I see is NSA's propaganda/media relations contractor grasping at straws here.

Re:Fire them (3, Interesting)

g01d4 (888748) | about 10 months ago | (#45370025)

An admin requesting your password raises flags, but it's possible many provided it because they didn't want to argue. That being said, you'd think at least one of the 20+ would have gone to their local security person as a follow up.

Re:Fire them (1)

mjwalshe (1680392) | about 10 months ago | (#45370247)

Yeah, I would have been in our security officer's office raising 7 kinds of hell.

Re:Fire them (2)

Doug Otto (2821601) | about 10 months ago | (#45370379)

I do our new hire IT Security training and those are exactly the instructions I give.

Do not give anyone your password, for any reason.

If you feel your job is in jeopardy because of the person asking, comply with the request but immediately contact myself or HR

Re:Fire them (0)

Anonymous Coward | about 10 months ago | (#45370645)

Highly unlikely that Snowden solicited the accounts. If there's anything that's "theoretically against policy but happens every day", it's a task/project getting late, and some higher-up manager telling subordinates "Just give Department X whatever they need to get this done quickly".

Much more likely than Snowden soliciting the passwords (which would obviously tend to look pretty suspicious well before 20 people) is that people systematically pushed passwords on him over time with the mandate "Now get it done now" on various tasks.

20+ years in the industry, and a smell-test of the official story, tells me this is what happened, and this is just more scapegoating of Snowden and CYA on the part of the NSA.

Re:Fire them (0)

Anonymous Coward | about 10 months ago | (#45370061)

Anyone working in the security field who gives up their password is an idiot, and should be fired.

To quote an IC employee: "Intelligence is what we produce, not a job requirement."

Re:Fire them (1)

mjwalshe (1680392) | about 10 months ago | (#45370225)

And these people had TS security clearance. Looks like a basic IQ test might be better than a polygraph, and requiring at least a Security+ certification to even get an interview.

Someone senior at both the NSA and Booz Allen needs to be fired over this. If you did this at any UK bank you would get canned on the spot; certainly the CEO and Chairman of the contractor need to fall on their swords.

Re:Fire them (1)

Strawser (22927) | about 10 months ago | (#45370619)

Anyone working in the security field who gives up their password is an idiot, and should be fired.

There should have been extremely clear training on that. This is the fault of the people who were managing the staff. If it were one, maybe even two people, sure. But when 25 people don't know that you're not supposed to give your creds to anyone, including an admin, that's bad management.

Re:Fire them (1)

WillAffleckUW (858324) | about 10 months ago | (#45370629)

Anyone working in the security field who gives up their password is an idiot, and should be fired.

Agreed. Like that guy in San Francisco - some hacker tried to pretend to be his boss to get the passwords to the networks and he said
"Only FTF, buddy".

You can't trust anyone.

FTF ftw!

Sucks to Have Worked with Snowden... (5, Interesting)

DexterIsADog (2954149) | about 10 months ago | (#45369685)

...though his revelations of the intelligence gathering practices of the NSA are a gift that just keeps on giving.

Funny that the people he duped to obtain some of the information are being relieved of their jobs (though not their lives, presumably), but the people participating in the overreach won't suffer any consequences.

Re:Sucks to Have Worked with Snowden... (0)

Anonymous Coward | about 10 months ago | (#45370067)

...though his revelations of the intelligence gathering practices of the NSA are a gift that just keeps on giving.

Funny that the people he duped to obtain some of the information are being relieved of their jobs (though not their lives, presumably), but the people participating in the overreach won't suffer any consequences.

If it happened the other way, it would just leave a feckless and incompetent organization.

Re:Sucks to Have Worked with Snowden... (3, Interesting)

MrEricSir (398214) | about 10 months ago | (#45370153)

Funny that the people he duped to obtain some of the information are being relieved of their jobs (though not their lives, presumably), but the people participating in the overreach won't suffer any consequences.

The real question is how many other times these same NSA morons were duped by our country's actual enemies. Only a fool would believe Snowden was the first to come across all of this information.

Re:Sucks to Have Worked with Snowden... (1)

Anonymous Coward | about 10 months ago | (#45370177)

They all work for the same goal. They're all on the same team. Sure, the elite at the top deserve the worst, but I'll be damned if I shed a tear for anyone below them -- just as I'll be damned if I shed a tear for the soldiers who are "just following orders" to wreak havoc (meaning death and destruction) in the middle east.

They all have brains. They all ultimately make their own choices, no matter how much external pressure is put on them.

Re:Sucks to Have Worked with Snowden... (3, Insightful)

gstoddart (321705) | about 10 months ago | (#45370267)

Funny that the people he duped to obtain some of the information are being relieved of their jobs

Not funny, but arguably well deserved.

If your job is to work with sensitive data which has extremely limited access, providing someone with your password is an epic lapse in judgement, or a downright lack of understanding of basic security protocol.

If the NSA doesn't have a training course which loudly tells you to never give your passwords to anyone, they're idiots. If you didn't listen to that training and do give your password, then you have no business safeguarding sensitive data.

but the people participating in the overreach won't suffer any consequences.

Two different things, really. In their minds, the surveillance was legal and authorized (which, from their perspective is probably technically true). But completely failing to adhere to security policy means that you can't really be trusted.

I should think if you fall for social engineering at the NSA, you've completed a huge faux pas and demonstrated you might be the weakest link.

Hell, most companies routinely do phishing tests and the like, and failing that will get you onto the remedial information security policy -- and repeated lapses might lose you your job. I get fake phishing emails from our security department all the time -- and everyone I report right back to them and get told "congratulations, you did what we hoped you would".

I work in the private sector, and I take security very seriously. I'm often the one making the most noise about security, to the point that I preface many things with "look, I know I say this a lot, but ...". How someone in the NSA could be so stupid as to do this boggles the mind.

Re:Sucks to Have Worked with Snowden... (0)

elfprince13 (1521333) | about 10 months ago | (#45370409)

"Sucks to work with Snowden"? More like "sucks to have been born without a brain". I mean, seriously, how contemptibly stupid do you have to be to work for a security agency and not have learned that you don't share your password with anyone.

More reason to oppose their data collection (3, Insightful)

compro01 (777531) | about 10 months ago | (#45369687)

Not only does the NSA have your data, probably any other organization interested in it is able to obtain it from them.

Classified sum of money . . . (1)

Mitchell314 (1576581) | about 10 months ago | (#45369701)

How is a sum of money classified in a budget? "Hey, out of our $30,000,000 budget for projects A, B, and C, we spent $10,000,000 on A, $5,000,000 on B, and a classified amount on item C."

Re:Classified sum of money . . . (1)

mythosaz (572040) | about 10 months ago | (#45369739)

It's more like we had $30,000,000 for a number of classified projects, of which we broke it down into X1 through Xn.

Re:Classified sum of money . . . (1)

Mitchell314 (1576581) | about 10 months ago | (#45369787)

I guess that makes sense.

Re:Classified sum of money . . . (0)

Anonymous Coward | about 10 months ago | (#45370213)

Yes. That's one of three ways. The other two involve an order of many $435 hammers (of which $1 is the hammer, but $434 * sizeof(hammers_order) is being diverted into secret accounts) or the CIA selling cocaine/arms to raise money that goes to some nefarious and/or patriotic purpose about which you, citizen, don't have a need to know.

it's called black ops. . (1)

swschrad (312009) | about 10 months ago | (#45369877)

there are undisclosed sums in bills out of Congress all the time when it comes to security. the way it works is, there is a backroom deal between the chairman and the agency, and Treasury is told there is authorization for $???,???,???.?? for account XYZ.

committee chairmen are in on a ton of secrets, and go along with a bunch more on the order of "I need this sum (flashes paper quickly and back in the pocket) on authorization of the President for national security purposes." the rest of the committee trusts the chairman on this, and Congress has a little routine in which they all ignore these things. anybody with a problem can ask the chairman WTF this is about, and probably get the answer, "got a problem, can't tell you, they won't tell me, but it's urgent."

not everything is public. just ask your regional VP about what's critical for next July...

Re:Classified sum of money . . . (0)

Anonymous Coward | about 10 months ago | (#45370231)

The budget is $30,000,000, but the amount spent is classified; it could be 1000x more or less than that.
They have a 50 billion "unaccounted" pile, and having rootkits in all major banks solves a lot of money problems too.
(Because banks can spend 40x the amount that they own, I don't expect their balances to actually balance anyway.)

Re:Classified sum of money . . . (1)

Hatta (162192) | about 10 months ago | (#45370491)

$500 hammers.

Tax dollars at work (0)

Anonymous Coward | about 10 months ago | (#45369733)

Isn't the NSA the one damned place where these kinds of things should be part of the training?

NSA: We need more Money!! (1)

Anonymous Coward | about 10 months ago | (#45369737)

Sadly, the only real change that will likely come out of all of this is a doubling of NSA's budget "to make sure this never happens again".

Re:NSA: We need more Money!! (1)

some old guy (674482) | about 10 months ago | (#45369953)

Beat me to it. There is no government program more money can't fix, right?

Perfectly true testimony! (0)

Anonymous Coward | about 10 months ago | (#45369747)

No one is lying.

Honest!

They will never learn (2)

WillRobinson (159226) | about 10 months ago | (#45369755)

There are no secrets.. They eventually get out.

What I am curious about is, with all this data they are sifting, how come there is nobody from Washington in jail? You know they are mostly self-serving scumbags.

What bothers me more about all this data, and is never mentioned, is that it is possible now for people who have access to all this big data to profit from it on the stock market very easily.

Re:They will never learn (0)

Anonymous Coward | about 10 months ago | (#45370603)

There are no secrets.. They eventually get out.

Who killed Lincoln? Who killed JFK? Who planned 9/11?

Tip: money makes truths.

Re:They will never learn (1)

WillAffleckUW (858324) | about 10 months ago | (#45370667)

There are no secrets.. They eventually get out.

Who killed Lincoln? Who killed JFK? Who planned 9/11?

Tip: money makes truths.

Lincoln? The guy my great-grand-uncle rented the horses to escape afterwards to. His name was Booth, a reputable actor at the time.

JFK? I'm sorry, but you're not cleared to know that. Let's just say Germans do very good work.

9-11? He's at the bottom of the ocean. Having Pakistan as your buddies won't save you from us.

This just in... (1)

mythosaz (572040) | about 10 months ago | (#45369759)

....the guy who installs your logging software has a good chance of subverting it.

This is a training problem. (4, Insightful)

Remus Shepherd (32833) | about 10 months ago | (#45369769)

In other news, there are a lot of stupid employees at the NSA regional operations center in Hawaii.

If the NSA had trained its employees competently, they wouldn't be so naive as to give their login passwords to anyone, even an admin.

Re:This is a training problem. (1)

Dan667 (564390) | about 10 months ago | (#45369939)

If the NSA did not have such overreaching programs to spy on people they shouldn't be, then they would also have a lot fewer problems. Instead of curtailing NSA programs they will just plow on and do some hand waving that everything is ok.

Re:This is a training problem. (0)

Anonymous Coward | about 10 months ago | (#45370087)

Generally you don't give your password to anyone, but it's not uncommon to need to type your password in in front of an administrator, sometimes several times in a row (e.g. if you need their help to upgrade your computer). It would not be difficult for someone in such a position to obtain the password, either by shoulder surfing, using a camera, or using a simple script which generates a password prompt and then saves the password to a file or emails it to the admin.

Re:This is a training problem. (1)

Sarten-X (1102295) | about 10 months ago | (#45370339)

In other news, there are a lot of stupid employees at every office for every company everywhere.

Everybody can be fooled, and in a "secure" environment where everybody has gone through a vetting process already, it's actually easier. Imagine you work on the latest top-secret missile project. While out grocery shopping one day, someone comes up and starts asking you detailed questions about work. Of course, that will raise a few flags. Now suppose you're sitting at your desk at work, and a coworker from down the hall, who you've seen around a few times, says that he can't get into the document control system and asks that you try it real quick. How likely are you to consider that he'll be watching your keyboard?

Re:This is a training problem. (0)

Anonymous Coward | about 10 months ago | (#45370377)

People are overworked and in an effort to save time they break protocol. We all do it; it's just that some of us are a little more concerned with the ones we break.

Re:This is a training problem. (1)

fermion (181285) | about 10 months ago | (#45370431)

A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments.

No, it is a consequences problem. Snowden has been charged with espionage, which can put a capital punishment situation on the table. If these guys aided and abetted, they should be charged as accessories, not moved to a new assignment. If the NSA were interested in security, and not just optics, this is what they would do.

All too often officials are just interested in protecting the pensions and benefits of everyone involved, not solving problems. For instance, it was recently reported that the military, in this case the Navy, is once again in the middle of a scandal where millions of dollars of taxpayers' money was stolen by a foreign interest. In this case, a few officers traded state secrets for hookers and travel and money. Given that the military has previously promised to clamp down on such behavior, we should expect a maximal charge against officers who aided a foreign agent to defraud the American taxpayer. Something like stripping rank and benefits, what used to be done to gay folks, as well as a life sentence might keep others from doing the same thing. We will see if they do so.

Not shocked (5, Insightful)

TheCarp (96830) | about 10 months ago | (#45369777)

As someone who has been a sysadmin for years, I can say, unequivocally, I never ask people for their passwords. If I need access to your account, I can have it. If I really need to do an end to end test, I can probably do it by swapping out your password hash and then restoring it so I never need your password. If that can't be done, i will change it and then reset it so you have to change it again.

Yet... despite this... from time to time people just.... send me their passwords.

"Account X on machine Y with password Z can't login, can you check it?"

So no shock at all here.
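The hash-swap test described in the post above, written out as an added example; this is not TheCarp's code and not anything from the page. It works on a file in `/etc/shadow` layout (name:hash:lastchg:min:max:warn:inact:expire:flag) and is exercised here only on a constructed copy in a temporary directory, never on the real file. The hashes are placeholder strings: producing a real known hash (for example with `openssl passwd -6`) and the root/shadow ownership and 0600 mode of the real file are outside the example. The point the code makes is the one the post makes, that the admin never needs the user's password, plus the failure mode worth getting right: the original hash is restored even when the test blows up, and the "change it and make them change it again" fallback is just setting the last-change field to 0.

```python
"""Test an account without ever learning its password (added example).

Procedure: save the user's hash, replace it with one whose password you
know, run the check, restore the original hash. Then, if you had to
change the password instead, force the user to set a new one.

Not code from the page. Operates on text in /etc/shadow layout; the demo
uses a constructed copy with placeholder hashes, never the real file.
"""
import os
import tempfile

# Constructed sample in shadow layout; the hash fields are placeholders.
SAMPLE_SHADOW = (
    "root:$6$rootsalt$rootdigest:15800:0:99999:7:::\n"
    "alice:$6$alicesalt$alicedigest:15800:0:99999:7:::\n"
    "bob:$6$bobsalt$bobdigest:15800:0:99999:7:::\n"
)

HASH, LASTCHG = 1, 2  # field indexes: name:hash:lastchg:min:max:warn:inact:expire:flag


def set_field(shadow_text, user, index, value):
    """Return (new_text, old_value) with field `index` of `user`'s line replaced.
    Other lines are untouched. Raises KeyError if the user has no entry."""
    lines = shadow_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        fields = line.rstrip("\n").split(":")
        if fields[0] != user:
            continue
        old = fields[index]
        fields[index] = value
        lines[i] = ":".join(fields) + "\n"
        return "".join(lines), old
    raise KeyError(user)


def _write_atomic(path, text):
    """Write via a temp file and rename so a crash never leaves a half-written
    shadow file. Real use must also keep root:shadow ownership and mode 0600."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.replace(tmp, path)


def with_temporary_hash(path, user, known_hash, check):
    """Swap in known_hash, run check(), and restore the original hash no
    matter how check() exits. Returns whatever check() returns."""
    with open(path) as f:
        original = f.read()
    swapped, _ = set_field(original, user, HASH, known_hash)
    _write_atomic(path, swapped)
    try:
        return check()
    finally:
        _write_atomic(path, original)


def force_password_change(path, user):
    """Equivalent of `chage -d 0 user`: lastchg=0 makes the next login
    require a new password, so a reset the admin knows does not linger."""
    with open(path) as f:
        text = f.read()
    new_text, _ = set_field(text, user, LASTCHG, "0")
    _write_atomic(path, new_text)


def demo():
    """Run the whole flow on a constructed copy.
    Returns (check_saw_known_hash, file_restored_exactly, alice_lastchg_after)."""
    path = os.path.join(tempfile.mkdtemp(), "shadow")
    with open(path, "w") as f:
        f.write(SAMPLE_SHADOW)

    def check():  # stands in for an actual login attempt with the known password
        with open(path) as f:
            current = set_field(f.read(), "alice", HASH, "x")[1]
        return current == "$6$known$digest"

    saw_known = with_temporary_hash(path, "alice", "$6$known$digest", check)
    with open(path) as f:
        restored = f.read() == SAMPLE_SHADOW
    force_password_change(path, "alice")
    with open(path) as f:
        lastchg = set_field(f.read(), "alice", LASTCHG, "x")[1]
    return saw_known, restored, lastchg


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints `(True, True, '0')`: the check ran against the known hash, the file came back byte-for-byte identical, and alice's entry now forces a password change on her next login.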

Re:Not shocked (1)

Idbar (1034346) | about 10 months ago | (#45369859)

What? You mean you haven't gotten to a desktop computer with the password written on a post-it affixed to the monitor? I think you're among the lucky ones!

Re:Not shocked (2, Funny)

Anonymous Coward | about 10 months ago | (#45370115)

This is the NSA we're talking about - the elite security professionals. They know better than to stick a post-it with their password onto their monitor.

They stick the post-it under their keyboard.

Re:Not shocked (1)

TheCarp (96830) | about 10 months ago | (#45370135)

sure I have, but not since I was doing desktop support.

Actually my favorite wasn't those. It was the post-it notes where someone had my direct phone line on it. They were not supposed to be calling me directly but the tech I replaced had been pretty loose with it.... a few times I waited till the user wasn't looking and then shoved the post-it with my number on it in my pocket :)

Of course, back then, the user password was a 5 character upper case alphanumeric string, generated by an internal system, which couldn't be changed; so it was kind of a joke anyway.

Re:Not shocked (2)

timeOday (582209) | about 10 months ago | (#45369909)

What surprises me is that he felt safer asking than using some technical means (a logger) to achieve the same ends. They must have things somewhat buttoned down.

Re:Not shocked (1)

Xest (935314) | about 10 months ago | (#45369933)

The problem is that people see it as an IT thing. They don't see any aspect of IT security as part of their job, so they just don't care. They just figure if they give you all the information then it's your problem to deal with and they can forget about it.

Until companies start enforcing and having meaningful penalties enforced upon them for such misdemeanors I don't see this changing.

Give a verbal warning, followed by a written warning followed by the sack. I'd wager 99% of employees never reach the sack after the seriousness of two formal warnings and learn their lessons. That other 1% shouldn't be near anything that requires security in the first place because they're the lowest common security denominator - the gaping hole in your security regime, and they're all it takes for it all to fall.

Re:Not shocked (0)

Anonymous Coward | about 10 months ago | (#45370263)

I too worked as a sysadmin in a spook house. Had access to everything under the sun. Never needed a password from anyone for anything. Moved hundreds of accounts, thousands of files. Never needed anything from anyone except to notify them when accounts needed to be suspended due to movement (moving data from drive to drive or machine to machine).

Yeah! (1)

no-body (127863) | about 10 months ago | (#45369823)

"would earmark a classified sum of money" .... again this classified BS - what do they have to hide? The crap tax-$$'s burnt on all this pipe dream?

This whole Pandora's box never gets cleaned out. Needs the method by which the Gordian knot was solved...

Re:Yeah! (1)

Antipater (2053064) | about 10 months ago | (#45369875)

Needs the method by which the Gordian knot was solved

Let the Greeks do it for us?

Re:Yeah! (1)

Anonymous Coward | about 10 months ago | (#45370277)

Needs the method by which the Gordian knot was solved

Let the Greeks do it for us?

Subcontract it out to the lowest bidder, who will in turn do a complete hack job. Classic.

Ahhhhh (0)

Anonymous Coward | about 10 months ago | (#45369865)

Snowden used whatever the CIA told him to use to get the smackdown on the NSA. Wake the fuck up. People nowadays will see a tree in front of them plain as day, the media will call it an elephant, and instantly it's an elephant. What about all the info he gave the media that the media didn't publish because they were asked not to? Fuck it, skip right over that gem!!!!

Actually, that's not what happened. (1)

BobMcD (601576) | about 10 months ago | (#45369867)

If you'd like to know what really happened, post your slashdot username and password in a reply, and I'll let you in on the secret...

Re:Actually, that's not what happened. (0)

Anonymous Coward | about 10 months ago | (#45369969)

u: CmdrTaco

p: soluskillisadork

Thanks!

Re:Actually, that's not what happened. (1)

Sarten-X (1102295) | about 10 months ago | (#45370107)

My Slashdot username is Sarten-X.

My password is Glernhab75.

That's not actually the password for my Slashdot account, but your instructions weren't clear enough on that matter.

Re:Actually, that's not what happened. (0)

Anonymous Coward | about 10 months ago | (#45370187)

u:Anonymous Coward
p:CmdrTaco

believeable? (0)

Anonymous Coward | about 10 months ago | (#45369907)

Or are these revelations another piece of propaganda?

Login names and Passwords!! (0)

Anonymous Coward | about 10 months ago | (#45369949)

It's the year 2013 and the NSA is still using login/password? I would think the NSA would be using better tech to keep its documents safe and secure instead of having methods of access that could be found by looking over someone's shoulder as they type. OH LOOK, I have top level access..... with your username and password. Seems to me the people who should be taking the "blame" for this are not Snowden but the IT security professionals who claim to management that the data is all secure.

Perchance to dream (2)

Nov8tr (2007392) | about 10 months ago | (#45369951)

Ahh, power is fleeting. It is but an illusion. And secrets are but a dream. Maybe if the NSA spent more time worrying about what they do than about what other people do they wouldn't be in the mess they are. They are so concerned about the toothpick in someone else's eye that they can't see the beam stuck in theirs.

Who would have suspected? (4, Funny)

nbauman (624611) | about 10 months ago | (#45369963)

Why shouldn't they trust him? He was polygraphed.

FTA:

"In the classified world, there is a sharp distinction between insiders and outsiders. If you've been cleared and especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy," said Steven Aftergood, a secrecy expert with the Federation of American Scientists.

http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108 [reuters.com]

Re:Who would have suspected? (1)

bledri (1283728) | about 10 months ago | (#45370543)

He was polygraphed? That's nothing. I was Etch A Sketched!

Re:Who would have suspected? (1)

rk (6314) | about 10 months ago | (#45370581)

Which is stupid, because polygraphs are pretty much theater and have very little scientific support. Even against someone untrained in beating them, they are far from perfect. If you know a few countermeasures they are worse than useless. Anyone who bases their measure of trustworthiness on the polygraph has not a single clue what trustworthiness is, and frankly deserves to get burned time and time again for it until they get a clue.

Complete lack of controls? (1)

gstoddart (321705) | about 10 months ago | (#45369975)

Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator

If people working with Top Secret/Classified information are so easily manipulated, you more or less have to conclude they had very few policies and controls in place.

This super-duper secret surveillance plan clearly wasn't relying on anything other than good manners to secure the information, and likely it was ripe for being abused by just about anybody there. How many of these people are looking up the information on their friends and family just because it's there?

If my admin came to me and said he needed my password, I'd laugh in his face.

Re:Complete lack of controls? (1)

SirGarlon (845873) | about 10 months ago | (#45370325)

This super-duper secret surveillance plan clearly wasn't relying on anything other than good manners to secure the information, and likely it was ripe for being abused by just about anybody there.

That's not a bug. It's a feature. It allows the agency to ignore its already-flimsy privacy protections, at any time, for any reason.

Snowden releases X info that was in Patriot Act (1, Insightful)

globaljustin (574257) | about 10 months ago | (#45369983)

I'm getting really sick of this shit over and over....

We've finally concluded that Snowden is no hero, by some a traitor, for others a dupe...and we're over it...

The media fucked up reporting this **from day 1**

We knew this in **2006** NSA has massive database of Americans' phone calls [usatoday.com]

yet there was no public outcry...

then the big one...PATRIOT ACT

full text of the Patriot Act has been reported on and available to anyone with an internet connection or library card since 2001...

I'm sick of Snowden's puppet masters having free rein of the news...we need smarter editors!

If the story is true (1, Insightful)

Xaedalus (1192463) | about 10 months ago | (#45369999)

(And there's some reason to believe that it isn't.) Then Snowden purposely used social engineering to fool colleagues into giving him their passwords. Do the ends justify the means? He's exposed the NSA's domestic spying, but now the wave's continuing onward and we're getting our normal espionage practices exposed. Are we allowed to ask if doing so does indeed put us more at the mercy of Russia, China, their actors, and Al Qaeda? At what point does this process stop? At what point does the good that was done become overshadowed by the potential harm?

Re:If the story is true (-1, Troll)

GodfatherofSoul (174979) | about 10 months ago | (#45370151)

That point was about 6 months ago. On Slashdot, where there's a pretty vocal community who thinks Bluray ISOs of the latest Hollywood releases "want to be free," any secret data reveal is presumed to be some kind of a public service. Snowden long ago exposed himself as just a guy interested in finding as much as he could find about government secrets, then indiscriminately dumping that information on the press. He's not a whistleblower, he's not an activist, he's not an ideologue. He's just some kid who found daddy's car keys and took the Corvette for a spin. If it wasn't obvious before, it should be now that he had absolutely no game plan besides "look at what I got my hands on, cool!" That doesn't absolve intelligence agencies of responsibility, especially since he was relieved of duties under the CIA before getting his contracting job under the NSA.

He'll continue to be cheered on by a certain demographic of IT guys who idolize hacker culture because of *scope* of his infiltration, and not the benefit he's provided the country.

Re:If the story is true (1)

jader3rd (2222716) | about 10 months ago | (#45370279)

Do the ends justify the means?

When the means is social engineering? Yes. Edward Snowden isn't even a hot chick; how many NSA employees have handed out their credentials to even less 'trustworthy' people?

Re:If the story is true (1)

Xaedalus (1192463) | about 10 months ago | (#45370335)

That is a very good point. I suppose I would be interested to know exactly how easy it would be to social-engineer the NSA from within, plus if it's been done before.

Don't believe it. (0)

Anonymous Coward | about 10 months ago | (#45370033)

I don't believe this and neither should anyone else. The claim is utterly unsubstantiated.

One of the many reasons I left security (0)

Anonymous Coward | about 10 months ago | (#45370123)

We were working on DLP (Data Leakage Prevention). IMHO, the whole premise was insane. My conclusion was this: You could spend massive $millions on this DLP system to counter the "insider threat", or you could simply stop being douches and hire good, trustworthy people. Would agencies and corporations ever consider such a thing these days? Of course not. Being a douche is in their DNA, and their cronies are getting the $millions for the DLP.

You ARE the weakest link! (0)

Anonymous Coward | about 10 months ago | (#45370145)

Well, specifically, people are.

I'm part of the security team for my company, we did a round of cross-app penetration testing, first thing I did was ask people for admin logins via e-mail

Every single team happily sent me logins for both test and production apps

To get the keys to the castle sometimes all you have to do is just ask the king :-/

Can you say slush fund (2)

DarkOx (621550) | about 10 months ago | (#45370171)

One provision of the bill would earmark a classified sum of money

Nothing like unaccountable monies in unknown quantity; that'll show 'em. The NSA will never make such mistakes again after getting such harsh treatment.

New Software? (2)

rsmith84 (2540216) | about 10 months ago | (#45370215)

So they plan to waste millions on a project that will "install new software designed to spot and track attempts to access or download secret materials without proper authorization."? If he gets the credentials from users authorized to access the information how will this work? Swing and miss!
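The objection above is the right one to raise, and the honest answer is that software "designed to spot and track attempts to access ... without proper authorization" only helps if it looks at how valid accounts are used rather than whether the password was correct. The example below is added here and is not code from the article, the thread, or any agency system. It assumes a hypothetical, constructed login-log format (`<ISO timestamp> host=<workstation> user=<account> result=<ok|fail>`) and flags the two fingerprints that borrowed credentials leave even when every login succeeds: one workstation cycling through many accounts in a short window, and one account appearing on several workstations.

```python
"""Added example (not from the Reuters article or the Slashdot thread):
a detection rule that catches credential sharing even when every login
uses a valid, authorized account.

Two fingerprints of an admin working on borrowed credentials:
  1. one workstation authenticating as many distinct accounts in a short window
  2. one account authenticating from several workstations

Log format is a hypothetical, constructed one:
  <ISO timestamp> host=<workstation> user=<account> result=<ok|fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ws-17 runs through four colleagues' accounts in under
# an hour; the other lines are ordinary background activity.
SAMPLE_LOG = """\
2013-05-20T08:01:12 host=ws-04 user=alice result=ok
2013-05-20T08:02:40 host=ws-17 user=esnowden result=ok
2013-05-20T08:15:03 host=ws-09 user=bob result=ok
2013-05-20T08:20:51 host=ws-17 user=alice result=ok
2013-05-20T08:33:19 host=ws-17 user=bob result=ok
2013-05-20T08:41:07 host=ws-17 user=carol result=ok
2013-05-20T08:42:00 host=ws-12 user=dave result=fail
2013-05-20T08:55:44 host=ws-17 user=dave result=ok
2013-05-20T10:10:00 host=ws-04 user=alice result=ok
"""


def parse_log(log_text):
    """Yield (timestamp, host, user) for each successful login."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        if fields.get("result") == "ok":
            yield datetime.fromisoformat(ts), fields["host"], fields["user"]


def hosts_using_many_accounts(log_text, window=timedelta(hours=1), threshold=3):
    """Return {host: [accounts]} for hosts that logged in as at least
    `threshold` distinct accounts within any sliding window of `window`."""
    by_host = defaultdict(list)
    for ts, host, user in parse_log(log_text):
        by_host[host].append((ts, user))

    alerts = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= threshold:
                alerts.setdefault(host, set()).update(users)
    return {h: sorted(u) for h, u in alerts.items()}


def accounts_on_multiple_hosts(log_text):
    """Return {account: [hosts]} for accounts seen logging in successfully
    from more than one workstation anywhere in the log."""
    hosts = defaultdict(set)
    for _, host, user in parse_log(log_text):
        hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    print("hosts cycling through accounts:", hosts_using_many_accounts(SAMPLE_LOG))
    print("accounts used from several hosts:", accounts_on_multiple_hosts(SAMPLE_LOG))
```

The caveat a practitioner will spot immediately: both rules key on the source workstation. If the borrowed credentials are typed on the victims' own machines, or on a shared terminal, the host field no longer distinguishes the admin from the owner, and the summary's line about Snowden "obscuring some electronic traces" is a reminder that a sysadmin is well placed to do exactly that. Tie the rule to per-session download volume and to the file sensitivity labels, not just to logins, before trusting it.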

Regardless of whether Snowden was right or wrong (2)

idontgno (624372) | about 10 months ago | (#45370219)

I can safely predict one thing:

If you're a systems type working at any US national security TLA*, your job is going to get a whole lot harder. Maybe your whole life, since you're going to be under massively more suspicion and scrutiny ALL THE TIME. And the tools you need to do your job (not just software tools, but interactions and communications with those you're supporting) will be harder to use, and much more restricted, and viewed with more suspicion.

NSA may just wind up cutting itself off at its technical knees in a rampage of self-inspection and the internal purges I suspect are underway right now.

*TLA: Three-Letter Agency. By odd coincidence, most organs of the U.S. intelligence apparatus seem to name themselves by three-word names, and therefore are colloquially named by three-letter initialisms.

so..... (1)

fldsofglry (2754803) | about 10 months ago | (#45370241)

Are those who gave him the passwords going to be charged with treason?

And the rest of them.... (2)

Lumpy (12016) | about 10 months ago | (#45370307)

He just read off of the post it note in their cubicle...

This Thing Reeks (4, Interesting)

cffrost (885375) | about 10 months ago | (#45370313)

Excerpts from the Reuters "article":

(Reuters) - Former U.S. National Security Agency contractor Edward Snowden used login credentials and passwords provided unwittingly by colleagues at a spy base in Hawaii to access some of the classified material he leaked to the media, sources said.

Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said.

While the U.S. government now believes it has a good idea of all the data to which Snowden could have accessed, investigators are not positive which and how much of that data Snowden actually downloaded, the sources said.

This garbage has the same quality sourcing as the hit-piece published by The New York Times and The New Yorker that spread unsubstantiated rumors claiming that Snowden had given classified documents (i.e., unpublished material) to Chinese and Russian officials.

What happened to CAC cards? (1)

christophla (809774) | about 10 months ago | (#45370317)

Most likely, every single one of those users was issued a CAC card (Common Access Card). It amazes me that any government system still supports username and password authentication - especially intelligence-based systems on SIPRNet. Certificate/PIN based authentication could have prevented much of this from happening...

Duped? (1)

Charliemopps (1157495) | about 10 months ago | (#45370605)

Who says he duped anyone? I do some sysadmin work and I've probably had just as many people over the past year send in support tickets like:
"HEPL!! My computers broke and I can't make it work! The red thingy is blinking! Numbers are due out tomorrow!!! My logins XXXXX and pass is ???? Employee # 123456 Please call me asap! @ 555-5555"
etc... etc... etc...
Next ticket is "You broke it even worse! Now my accounts locked!!!"
to which I reply "Yes, corporate security will be contacting you shortly about that. In the meantime, concerning your original problem, I see that you haven't rebooted your computer in over 3 months and you've had a VPN open to your home the entire time. I suggest giving a reboot a try once you're done talking to security about our security standards."
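The workflow in that comment (ticket arrives with a password in it, account gets locked, security contacts the user) is easy to automate at the ticket intake step. The example below is added here and is not code from the comment or any real ticketing system; the tickets are constructed, loosely modelled on the one quoted above, and the label list in the regex is an assumption to be tuned against your own ticket corpus.

```python
"""Added example (constructed, not from the Slashdot comment above or any
real ticketing system): scan help-desk tickets for credentials that users
typed into free text, so the account can be reset and the user contacted
before the ticket is routed to an admin."""
import re

# Matches "<kind> is|:|= <value>" where <kind> is a credential-ish label.
# Built for this example; extend the label list for your own ticket corpus.
CRED_PATTERN = re.compile(
    r"\b(?P<kind>pass(?:word|wd|code)?|pw|pin|login|user(?:name)?)\b"
    r"\s*(?:is|:|=)\s*"
    r"(?P<value>\S+)",
    re.IGNORECASE,
)

# Labels whose value is a secret (a reset is required), as opposed to a
# mere identifier such as a login name.
SECRET_KINDS = {"pass", "password", "passwd", "passcode", "pw", "pin"}

# Constructed tickets loosely modelled on the one quoted in the comment.
TICKETS = [
    ("T-1001", "HEPL!! My computer is broken, the red thingy is blinking. "
               "My login is jdoe and pass is Winter2013! Employee # 123456, "
               "call me at 555-5555"),
    ("T-1002", "VPN keeps dropping after reboot, no credentials needed, just call me."),
    ("T-1003", "Can't open the share. username: asmith password: hunter2 thanks"),
]


def find_credentials(text):
    """Return [(kind, value)] for every credential-looking disclosure."""
    return [(m.group("kind").lower(), m.group("value"))
            for m in CRED_PATTERN.finditer(text)]


def redact(text):
    """Replace every disclosed value with [REDACTED], keeping the label."""
    out, last = [], 0
    for m in CRED_PATTERN.finditer(text):
        out.append(text[last:m.start("value")])
        out.append("[REDACTED]")
        last = m.end("value")
    out.append(text[last:])
    return "".join(out)


def triage(tickets):
    """Return {ticket_id: {"secrets": [labels], "reset_required": bool,
    "text": redacted}} so the raw secret never reaches the queue."""
    result = {}
    for ticket_id, text in tickets:
        secrets = [k for k, _ in find_credentials(text) if k in SECRET_KINDS]
        result[ticket_id] = {
            "secrets": secrets,
            "reset_required": bool(secrets),
            "text": redact(text),
        }
    return result


if __name__ == "__main__":
    for tid, info in triage(TICKETS).items():
        print(tid, "RESET" if info["reset_required"] else "ok", info["text"])
```

Redacting before the ticket is stored matters as much as flagging it: a ticketing database full of plaintext passwords is exactly the kind of place an admin with broad read access goes looking, and the redacted copy is what the admin who eventually fixes the "red thingy" should see.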

Obvious questions (0)

Anonymous Coward | about 10 months ago | (#45370659)

Anyone think a professional spy could do what Snowden did?
What percentage of NSA actually work for the FSB?
Think this could be a bigger problem than one individual who takes great care to not endanger NSA agents?
