2013 November 07 Thursday
Why Could Edward Snowden Access So Many Documents?
Read this NY Times piece on the extensiveness of US National Security Agency eavesdropping.
What boggles my mind: why would a computer administrator contractor be able to get access to so many documents? How many individuals in the NSA had access to that many documents?
For example, is this at least intended to be treated as highly compartmentalized information in the NSA?
In Baghdad, T.A.O. collected messages left in draft form in email accounts maintained by leaders of the Islamic State of Iraq, a militant group. Under a program called Spinaltap, the division’s hackers identified 24 unique Internet Protocol addresses identifying computers used by the Lebanese militant group Hezbollah, making it possible to snatch Hezbollah messages from the flood of global communications sifted by the agency.
The NSA could have encrypted files and directories. So even if someone managed to read a directory the files would not have been readable. Why was Snowden able to get access to tens of thousands of files? Is the NSA really that lax internally? Does the NSA have foreign moles internally passing documents to China or Russia?
Also, how does Snowden morally square his decision to give journalists documents about how well the NSA spies on a terrorist group that killed a lot of people in Mumbai when it went on a killing rampage in a hotel there?
The N.S.A.-G.C.H.Q. wiki, a top secret group blog that Mr. Snowden downloaded, lists 14 specialists scattered in various stations assigned to Lashkar-e-Taiba, the Pakistani terrorist group that carried out the bloody attack on Mumbai in 2008, with titles including “Pakistan Access Pursuit Team” and “Techniques Discovery Branch.”
Snowden seems naive. The NSA seems incompetent on internal computer security.
Update: No sooner did I ask if the NSA could be this incompetent than this story comes out from Reuters: Exclusive: Snowden persuaded other NSA workers to give up passwords - sources. Okay, about two dozen idiots gave Snowden their passwords. The mind boggles. Still, why did a couple dozen people in Hawaii have access to so much information? Also, does NSA seriously not drill into their employees strict rules about password handling?
By Randall Parker at 2013 November 07 07:26 PM
The breadth of Snowden's revelations suggests a program that many people, perhaps even NSA employees, aren't comfortable with and would be glad to undermine, preferably without putting themselves at risk of jail time.
Snowden is not your typical spy, and PRISM is not your typical classified program. Snowden has pretty broad support from a lot of Americans both left and right.
"What boggles my mind: why would a computer administrator contractor be able to get access to so many documents?"
Maybe somebody at the top wanted him to.
The answers are actually pretty simple, and no, the NSA is far from incompetent on internal computer security. It's obsessed with Information Assurance. Let me put it this way, Snowden knew enough about the security system to know he'd get caught almost immediately and would have only a brief window of time in which to flee the country. Which is what he did.
It's kind of like asking 'How did the IT guy at the bank have access to so many bank account numbers, userids, and passwords?!' Um, because he has access to the server that contains the database that stores all the bank account numbers, userids, and passwords, etc. Even if they are encrypted data at rest, there has to be a way to decrypt for normal functions. For example, a customer service agent helping you with your account.
If an IT guy can find a way to download mass information off the servers to which he has access onto some removable media, and he slips it under his clothes, and he's made pre-arrangements to run like hell the moment he steps out the door, then he's got you good. Obviously there were controls designed to prevent and detect that.
He knew about those controls and found a slightly clever way of evading them just long enough to get the job done. That vulnerability has been fixed and no one will be able to do anything remotely like it again. A lot of Top Secret Information is in the form of short text documents that take up almost no space - we're talking a few K of data. Everyone is walking around with gigabytes of storage with internet connections that can transfer megabytes of data in a second. If you can torrent a movie in minutes, the equivalent of a few encyclopedias is nothing at all. It didn't take him long.
By the way, this is a hint that the whole Snowden narrative is false and made up by him and Greenwald. There was no way he could have read even 0.01% of the documents he stole in the time he had. He just tried to scrape everything. It was the Guardian folks who started reading through it, looking for something 'hero-narrative-worthy' and told him, after the fact, the kind of story he should tell the public.
As far as passwords and social engineering, that was (I repeat: was) part of a broken security culture at a contractor (not NSA personnel), where people were swapping credentials out of convenience to get the job done, and who weren't taking the fairly onerous protocols seriously. You can bet they're taking them seriously now.
I think there is an arrogance of trust within the Intelligence Community. If you're cleared, it's like being part of a clique, but a clique that trusts each other implicitly, even if you don't know the individual person. They have a badge and are working in this facility aren't they? I can easily see how NSA employees, who are constantly bombarded with briefings on Operational Security, would have no problem turning over their password to an IT person who is on their side of the door.
There is no need for a system in NSA which enables an administrator to decrypt passwords.
I think the Reuters report that people gave Snowden their password seems quite plausible.
Your scenario seems plausible. Except... This is pretty much a repeat of Bradley Manning's Wikileaks performance. Same questions that Randall asks here are applicable to that earlier downloading incident. If these institutions were going to learn from basic security lapses, then they would have learned from basic security lapses.
Like Randall, I've assumed that the data treasures that Manning and Snowden released were long since shared with the PLA, FSB, Shin Bet, etc. For money or love, or both.