92 comments

[ 3.2 ms ] story [ 158 ms ] thread
I can believe that the information security is atrocious for folks unwilling or unable to adopt agency policies, but how stupid do you have to be to poke the head of the CIA in public?
Agreed. Also this in the post>The hacker contacted The Post last week to brag about his exploits, which include posting some of the stolen documents and a portion of Brennan’s contact list on Twitter.

Like seriously, it is like begging to be apprehended.

Once you've hacked the CIA it's probably easier to go public, so that you know the CIA probably won't just kill you.
But don't underestimate the power of teenage male bravado.
>But don't underestimate the power of teenage male bravado.

I guess you are right. I clicked the twitter name on the post and he has indeed posted the documents and is daring them. Just unreal.

I prefer Buffy's line: "acute testosterone poisoning."
Why do they keep referring to this guy as a "stoner"? What he smokes doesn't seem to be at all related to what he's done.
This is the New York Post we're dealing with. To play their own game, one can refer to the fear-mongering, Murdoch-owned paper as a "rag."
Because it's the New York Post; it makes for a good click-baity headline.
I am assuming based on this -He explained “CWA” stood for “Crackas With Attitude,” which he said referred to him and a classmate with whom he smokes pot.- The NY Post went for a dramatic title. But I could be wrong. The NY Post is known for such "wild titles" for attention.
I've sort of taken it as the NYP's attempt to shame the head of the CIA even further.
A bad reference to all these stories along the lines of "The Feds can't hire good hackers because they all have smoked weed" maybe?
It still has stoner in the URL. I was wondering the same thing. This is American journalism we are talking about, there are no standards anymore.
teen stoner and ladies man

gotta make it sound edgier

I'm less concerned about the hacker, and more concerned that the Director of the CIA not only has an aol.com email account but also uses that account to transmit sensitive information.

I'm not just saying this to be a jerk - this should be grounds for immediate termination of his employment. This is clearly a guy who shows poor judgement with respect to the management of sensitive material.

Also, from the article:

"[The] problem with these older-generation guys is that they don’t know anything about cybersecurity, and as you can see, it can be problematic.”

On the contrary - these "older-generation guys" cut their teeth in an environment where we were going head-to-head with the KGB on a daily basis. These guys have a solid understanding and awareness of basic information security procedures, as well as a strong understanding of adversary capabilities. I don't buy it.

It's plain negligence. Unfortunately, in this political climate it's not favorable to punish a high-ranking government official over mishandling their emails, even if said email is used to transmit sensitive information.
Why, whatever could you be referring to
I suppose he's referring to the Clinton's case.
Some part of me hopes it was part of a disinformation campaign in the form of expected-levels-of-incompetence-leads-to-"hacked"-account.

However, the fact its expected levels of incompetence :/

The key point for me is even if we assume that security blunders like this or say keeping a private email server are ignorance rather than malice ignorance is unacceptable at this level of government. Where's the security officer at advising these officials and helping them do it right? That has to be someone's job right?
That someone also is replaced if he gets on the nerves of the guy he is advising to much, at least on this level. Parallel advising/control structures only work if they have someone higher up they can fall back on if necessary.
You've got me there. Ultimately being secure is Brennan's responsibility.

Maybe we need a secret service for tech that's outside the command structure of these agencies.

You want to fire Brennan? I heard the last guy that had dirt on Brennan...ended up having his car blow up. Michael Hastings ring a bell?
Ultimately, this is the same as when the CEO tells me he's disabled anti-virus protection because the popups annoyed him, or that he's using a personal Dropbox account so he doesn't have to go through that pesky login process onto the network drive.

My guess is that to many people in power, the benefits of using these web services seem to outweigh the disadvantages because they just don't understand the disadvantages. "It's OK - I set a great password!" There's simply nobody powerful enough to monitor what they're doing, independent enough to want to do something about it, and respected enough for people to listen.

We need independent bodies that act as national 'IT departments' and can refuse requests from the very highest powers, in much the same way that any other Head of IT can fire someone for gross misconduct because they were downloading torrents on their company laptop.

You make a totally fair point, but I think it's also a fair criticism of the state of proper computer security that plenty of people opt-out as a result of the inconveniences. Someone will solve this someday and make a lot of money, but I have no idea what the solution is.
The US Federal system was designed to have checks and balances provided by oversight by different branches of government.

Unfortunately today we have people in these branches of government who either won't do their duty because they are terrible at their jobs or because there is a silent quid-pro-quo where these sorts of people look the other way for each other.

While you're absolutely right in your diagnosis of the problem in the US, I doubt these problems are specific to the US government. I'm a Brit, and there are enough stories of technical incompetence here to make me assume it's a global problem. I suspect even non-democracies have the same issue. Who's going to tell Kim Jong-un he needs to rotate passwords?
Thanks for your thoughtful response, not sure what I said that rated downvoting on my comment but apparently members of the CIA and Congressional oversight committee are members of hn ;)
I would flip that around: Make zero-knowledge systems and strong encryption routine in consumer internet products and services. Then you could use your yahoo or AOL mail for anything and there would be no bad consequences. Seems more reliable than trying to enforce the use of some crappy system made by a beltway bandit that is hard to use and inconvenient.
Except email and pcs that we have in their current form today weren't around in the 60s and 70s when these older guys cut their chops
Oh dont worry - he was probably only emailing with Hillary and as we know, she would regularly wipe her mail server with a cloth to ensure it was secure.
I'm a bit suspicious of this story. Apparently his top secret security clearance application is in his AOL account, but he's been in the CIA for 25 years so that seems odd (unless his AOL account is very old).
I guess if this happened to some common employee, he would be fired eventually. But Director of the CIA is a political position. So, it's much harder to fire him, because of political implications.
>I'm not just saying this to be a jerk - this should be grounds for immediate termination of his employment.

More specifically, his security clearance should be revoked, or modified such that he's not allowed to use a computer without being supervised by a competent person; which ought to have the effect that he's basically disqualified from working for the CIA, or speaking about anything related to information security.

The only sensitive information listed in this article is his application for security clearance. While that may contain a lot of personal information, that file would have been compiled and sent before he had access to classified documents, and before he had a government email address.

I am guessing this kid wiggled his way into a 10+ year old AOL account containing data that was never deleted. We all probably have emails and contacts sitting in a forgotten AOL account.

>The only sensitive information listed in this article is his application for security clearance. While that may contain a lot of personal information, that file would have been compiled and sent before he had access to classified documents, and before he had a government email address.

CNN is reporting he posted his SSN on Twitter.

So far I've seen zero evidence of sensitive information being on that email account.
All this time I had assumed when Brennan called for dangerous things like encryption back doors he must understand the negative impacts would be but just didn't care as long as it helped the CIA. Now I'm thinking he actually doesn't know what he's talking about at all which is somehow even worse. An AOL email account with confidential files in it? Unbelievable.
There was nothing in the story saying confidential files were stored in his AOL account. Also nothing about when the account was last used.

There was a time when we all had noisy modems and AOL accounts.

I think these qualify. You are free to disagree.

CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance — until he recently learned that it had been infiltrated, the hacker told The Post. Other emails stored in Brennan’s non-government account contained the Social Security numbers and personal information of more than a dozen top American intelligence officials

Not quite. Confidential is a technical term in the military/IC world. It's a classification, just like secret or top secret. I read somewhere that a lot of the Wikileaks cables were supposedly stuff marked confidential.

Storing confidential material in an AOL account would be a crime, just like giving the same material to Wikileaks.

Brennan's PII, job history, etc. is certainly valuable information, but clearance application paperwork itself is unclassified.

Ok then my mistake - there's nothing in the article that says they were files classified as confidential.
I wonder if the AOL disk is still sitting in his CDROM tray at home.
Worse. It's a floppy disk.
Why would he keep his AOL disk in the cup holder?
I knew (witnessed) the person who got that famed call... was at the compaq side of the MCI call center handling support calls for compaq, on one side, and iomega on the other (I worked on the iomega side).

Walking by... head pops up... "dude... dude... (trying no to snicker too hard) ... this lady's cup holder is broken..." ... me respondign "cup holder?" ... "yeah, the cd drive.. she thinks it's a cup holder" ...

Such a brief interaction, but really funny none the less... My funniest call was someone calling to back up their master's thesis work, because they were concerned about the power during the storm... was almost 6 minutes into the call when he said the power was out (desktop computer). It's really hard to be professional when faced with certain levels of stupid.

That's awesome. I was just kidding around, but I think some people don't get the reference to that support call being the stuff of legends.
Yeah, in cases like this I refer to Scott Adams Dilbert (or rather one of the books).

"I get emails all the time from people who say they were -that- tech support guy that got -that- call about the cup holder. While we're on the subject of what people want in their email client, I want my email client to lock all those people in a room and force them to duke it out until there really is only -that one guy-."

I wasn't the guy... I just happened to be around when it happened... Like I said, I did get a call from someone trying to get hardware support when the power was out... I also had a friend that used to keep his ash tray in front of the desktop as a "smokeless ashtray" since it sucked the smoke into the front intake.

These are probably the three most stupid tech things I've seen... I also saw a computer that was shot once, I am pretty sure that's happened a few times.

(comment deleted)
If this was anyone below him he would discipline and possibly terminate them.
A bit of a naive question but can someone answer this for me? To be a CIA Director, isn't it a requirement to have some sort of a technical background that way whoever is in the role is able to anticipate and always be a step head when it comes to these sort of problems?
I guess they don't look at themselves very closely. Otherwise, the biggest red flag should have been the fact that the CIA director has AN AOL ACCOUNT.
Thank you all for answering my question.
Perhaps in some government that is run well, but the US government optimizes for political rewards over suitability for service at this level.
It seems you just have to put in a long career and know all the right people. It also seems that it's the NSA doing all the high-tech work now anyway.
(comment deleted)
The CIA "is tasked with gathering, processing and analyzing national security information from around the world, primarily through the use of human intelligence (HUMINT)"

The director is presumably in charge of executing specific missions and a long term vision for human spying. She/he does this by directing people who manage people who manage people (etc.). I don't think a technical/engineering background is presumed or necessary for such a role.

That said, an understanding of the basic structures and failure modes of information security in the digital world as it pertains to HUMINT does seem highly relevant (and necessary) for crafting and executing a modern vision/mission.

>I don't think a technical/engineering background is presumed or necessary for such a role.

Definitely, but one should know his/her limitations, and that one in particular should also never speak about infosec. Brennan fails on both of those accounts.

This is so dumb, it couldn't even be taken seriously as a honeypot strategy.
This kid is going to get charged with felony embarrassment of a federal official and it will probably hurt quite a bit.
But according to the government, you don't have expectation of privacy for any personal data stored in the "cloud"
That may be true, but it doesn't help. Impersonating another person could plausibly be construed as accessing a system without permission -- a federal offense, I believe. Couple that with things that likely include classified information, if the director included that kind of thing, and anyone who accesses his account could be facing a very aggressive prosecution.
You can't have it both ways if you are the government... it should be the same for everyone.
"Show me your cool clock"? What could be a nice political message? Ahmed and this teen applying as CIA directors?
So they claim he had classified docs in his AOL account. Why didn't the person(s) emailing these docs to Brennan's AOL account raise a question?
perhaps he just emailed those docs to himself? I do that a fair amount, so I can pick them up later.
I'm working in a relatively locked down environment.. At least once a week I have to email myself something (nothing sensitive) just to be able to get to it at home, which requires a resource that's blocked en-masse at work, but none the less I need access to.
(comment deleted)
He probably just sent them to himself so he can read the stuff at home or away from his work computers.
Where are your brains, in your ass?

It's stupid, man, it's universally stupid.

> CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance

Stories like these make me shudder thinking about the times I may have, at some point, included a document with personal information in an email, such as to a prospective landlord for verification. Even if I were able to keep my email account reasonably secure...I'm pretty sure all the recipients of my email aren't as wary, or regularly delete old received emails with attachments that they've collected over the _decade_.

Although in Mr. Brennan's case, he doesn't have that same excuse. It may have been reasonably safe (for a layperson in IT) to send his application file over aol.com's servers, but not to keep a copy of it in his Sent box. Even a novice at cybersecurity should realize the problem of keeping digital files around on an online server...it's not much different than keeping files in a file cabinet and expecting that file cabinet never to be compromised.

>Stories like these make me shudder thinking about the times I may have, at some point, included a document with personal information in an email, such as to a prospective landlord for verification.

I always insist on encryption for these sorts of things. I'm fairly certain that for everyone I've asked about an encrypted channel to deliver data, I've always been the first person to even ask. This includes hospitals, agencies who do background checks, etc. It's incredibly disturbing that no one else is insisting that their sensitive documents not just sit unencrypted in all these random in and out boxes.

That point in life when you realize that the people "in charge" have no idea what they are doing and might be the furthest thing from an expert.
I shudder at just how much information chinese and russian hackers were able to get or still in process of acquiring or planted early ahead of time so it can be activated for future use. Hope the US also has enough dirt to counter the balance.
The reason those in charge don't care about secrecy is... secrecy is important not for reasons of "national security", but rather for those of politics. Do we need to bash some hackers or protesters or journalists? "OK, then secrecy is literally the most important thing, more important than cute little kids or the Constitution or even the NFL." On the other hand, when it's just us old M-IC lizards futzing around? "Naw, who cares? I'm the expert!"
I am not buying the Palestinian/Intifada cause of this stunt. There's something fishy about this operation and the timing in particular for the leak.
And the previous CIA director got fired because he had an affair that was leaked via his email account. What is it with CIA directors and email accounts?
This apparently linked twitter account https://twitter.com/_CWA_ has posted what appears to be un-redacted screenshots of names, phone numbers and social security numbers of what I would assume the NYP article is referring to as "top American intelligence officials".

A quick crosscheck of the names and emails brings up:

* The current Senior Director for the North Africa and Yemen National Security Council for the White House

* The former Former Deputy Assistant Secretary of Defense, for the US Department of Defense

* A retired 3-star general and former Deputy National Security Advisor to the President

It says something sad about our cybersecurity preparedness that the director of the CIA is keeping this info in an aol.com account.

@_CWA_ is suspended as of a few minutes ago.
>_CWA_ is suspended as of a few minutes ago.

What about the twitter account in the article? I am assuming that is what you meant?

@phphax is still up. @_CWA_ was an account that was linked to by @phphax in a stickied post. The @_CWA_ account posted the SSN's of Brennan and about a dozen other gov't officials and mucky mucks. It appears that @_CWA_ was a sacrificial account used for the purpose of disseminating that info.
(comment deleted)
his twitter account is nuts
He's taunting them right now
Sorry, I can't get past the fact the CIA director has an AOL account.