49 comments

[ 4.7 ms ] story [ 117 ms ] thread
All the security tech in the world can't stop people from writing their passwords on sticky notes and pasting them on their monitors. Or in this case, giving them to a coworker.

Well, actually two-factor can. I wonder why a two-factor auth was not required? That would have rendered Snowden's keylogger useless.

Even 2-factor is susceptible to social engineering. Years ago when I worked IT for a company the protocol for providing a 24hr bypass to their RSA token was to ask generic questions that any 'friend' could likely answer. We'd use this if they were working from home and left their token at work or the other way around.
That's badly implemented 2-factor, though. If you have a system that allows you to bypass a protocol, then of course it will be easier to... bypass that protocol.
There was that guy that outsourced his own job to a developer in China so he could surf Reddit and HN all day at work. If I recall he even FedEx'ed his two-factor auth to the guy in China so he could VPN in and complete his work.
I remember that guy getting caught from some OPSEC weaknesses though. He would have been better off if the Chinese replacement was logging in though a machine at the guy's house, so the IP address didn't give it away. You could also use a webcam to share the RSA token, without having to physically send it, and lose control of it.
This was a form of two-factor authentication. There was a certificate and a password and Snowden apparently obtained both.

There are obviously other types of 2FA that would have prevented this, but it's interesting to note that this qualify as two-factor for many companies.

Don't worry though they have a fool-proofing auditing systems in place to prevent abuse of the intelligence they have intercepted on US "persons".

I am always amazed at the double claim the NSA makes:

1. That they have a great auditing system that catches abuses.

2. That the auditing system shows that most NSA employees are honest because they have caught very few abuses.

The two claims do not support each other. These two alternatives would be more convincing:

1. That the auditing system is great and thus we have caught millions of abuses.

2. That the auditing system is easy to bypass and therefore we have caught very few abuses.

The very fact that Snowden could take what he did, in the way in which he did, and that they still don't know the extent of data copied shows that their auditing systems are easy to bypass.

Not necessarily. Snowden took mainly metadata: PowerPoint presentations and the like. I have not heard tell that he took any actual intercepts or personally identifiable cell phone data. I suspect the latter is what is audited.
Don't worry - from what I've heard - metadata isn't all that useful anyways. Which is why we're collecting massive amounts of in in a center in Utah.

/s

You're playing a game with the definition of "metadata" to refute a point the parent comment didn't make.
I don't think we can draw any conclusions about NSA security practices by looking at what Snowden did or did not take. His goal was to expose the NSA's domestic spying programs by turning evidence over to newspapers, so why would he want to walk off with tons of raw tracking data? Taking anything other than what he needed to make his case would just have strengthened the arguments of the people who say he's a traitor who wanted to harm the U.S.
I think it's pretty safe to say, the NSA can't secure data against an one person working alone. Therefore the NSA's security practices don't have a prayer at keeping out a determined nation state.

That's probably not the conclusion you're looking for though.

Seems like it would chip away at Snowden's "whistleblower" claim if he was actively trying to subvert the NSA's compartmentation scheme to access documents he wasn't cleared for.
THIS.

Like I've said in other comments on Snowden: he had an agenda.

This wasn't just simply a case of a guy who was involved in something he couldn't stomach any longer; he went in with the intention of gaining access to materials he didn't have a right to see. He took on the persona of a mole and use the access he did have to gain the trust of people via subterfuge. THAT is how he got these documents.

If Snowden had a foreign handler, then he would be called a "spy." The jury is still out on whether or not that was the case.

I'm not taking anything away from the disclosures that were made about NSA overreach, but seriously, do we hate our government so much that we are willing to cheer when another government subverts it?

If you think there's any evidence of Snowden being run as an asset of a foreign government, you've fallen victim to baseless whisper campaigns by a few Congressmen. There is zero evidence of this. If there were any, the administration would be trumpeting it far and wide.
These nations, including Russia, Venezuela, Bolivia, Nicaragua, and Ecuador have my gratitude and respect for being the first to stand against human rights violations carried out by the powerful rather than the powerless. By refusing to compromise their principles in the face of intimidation, they have earned the respect of the world.

Edward Snowden, July 2013

That is an awfully nice thing to say about the Russian establishment. It's also nice that Snowden, a guy who seems to be pretty forthcoming with his opinions, has not made a single comment about any of the well documented cases of civil rights abuses in Russia.

I doubt that he's happy about having to seek refuge in Russia.
To be fair, he was in a precarious position at the time. Did he make statements like that before the whole thing started?
> Edward Snowden, July 2013

That's hardly evidence those governments are running him as an intelligence asset.

> It's also nice that Snowden, a guy who seems to be pretty forthcoming with his opinions, has not made a single comment about any of the well documented cases of civil rights abuses in Russia.

There's something to be said for not wanting to get kicked out of the one country to grant asylum. Again, hardly makes him a spy for them.

Point is he took classified intelligence documents to China, then Russia. He never says anything bad about Russian political leaders and he occasionally says very good things about Russian political leaders. His disclosures also frequently seem to cause strife among NATO allies.

What you said is that if you think Snowden is a foreign agent, then "you've fallen victim to baseless whisper campaigns." What I'm saying is that there is a very suspicious (though not conclusive) pattern in his behavior. You don't need any "whisper campaigns" to see it. There is plenty of room to doubt his motivations.

What exactly are you saying his "motivations" were?

It actually makes far less sense that Snowden would publicly praise the countries for which he is secretly spying. It makes more sense that he was making those comments as a matter of expediency (he was seeking asylum, after all).

And, say what you will, but the man is not without intelligence. The irony and impact of making those statements about Russia as a U.S. citizen in that situation was not lost on him.

But all of this a sideshow and a red herring. So, let's just say Snowden was a spy. Let's also say he was a member of al Qaeda.

Now, about those revelations regarding our government's activities...

> Point is he took classified intelligence documents to China, then Russia.

The same is true for any embassy courier. If he's not providing the decryption passphrases, who cares?

> His disclosures also frequently seem to cause strife among NATO allies.

That's only because "US spying on Russia/China/etc." was a given and hardly a surprise.

LOL. How about China/Russia spying on US?

What I find so hilarious about all of this is that China and Russia have been SO AGGRESSIVE in their use of technological capability to effect a spying apparatus in the USA and on our assets abroad.

http://articles.latimes.com/1987-04-07/news/mn-175_1_new-emb...

I think people often think that regular laws and customs are at play in the world of state vs. state. The truth is FAR more complicated.

Statecraft is big boy rules.

Just because he never said anything in public against the Nazis does not mean he is a Nazi. I also don't understand why you expect Snowden, who is in such a precarious position, should speak out against Russia when you could take a plane to Moscow and do it yourself.
Did you miss the part where Snowden claims Russia is the first to stand against human rights violations? Reread the quote. If you think Snowden is a principled champion of civil rights, how do you square that with the fact that he is on the record praising Russia's civil rights record?
In context, that statement sounds like he's talking about Russia's actions with regard to his case. I wouldn't read the quote as "Russia's really nice to gay people!". I'd read it as "Russia granted me asylum rather than throwing me to a possible execution/life imprisonment for whistleblowing."
I've said it before and I'll say it again: He chose Russia and China because priority #1 when you're running FROM someone, is to not get caught by them. Those were large nations he could (relatively) easily get into, that are not friends with the US and would not immediately turn him over to the US.

I'm sure he would have preferred to run and hide in Switzerland or Canada, or Japan, or any one of a hundred other countries, except that they would have hauled him in and stuck him on a plane/boat/truck back to the US as soon as he was identified.

This is a perfectly reasonable 'not a spy' reason to run to those countries, in case you lacked the imagination to go any further than 'he only went there because he was a spy.'

Dude, I'm lot listening to any congressmen at all. I'm going with my gut on this one.

I've got some pretty well-known friends who have written volumes about the NSA. They are happy to see these disclosures. I'm happy to see our discussion finally informed with some actual examples of over-reach.

That said, I'm not going to crown Snowden a hero. I don't believe he's innocent by a mile. His intentions were far from honorable and more akin to self-aggrandizement than honest debate about the role of government in our communications privacy.

> but seriously, do we hate our government so much that we are willing to cheer when another government subverts it?

Probably not, but your government hates YOU so much that they are willing to spy on you on every occasion.

Uh...no.

To borrow your logic, show me a solid example of the USG using this vast surveillance network to oppress civil rights en masse.

The USG has been able to suppress individual civil rights without any of this stuff. All of the evidence thus far has indicated that they have only ever used this capability to target foreign bad actors.

You're exactly right. Snowden was a spy, working for the citizens of the United States to infiltrate the extra-constitutional USG.
You guys have drunk the Kool-aid.

Make it about snowmen. Forget that the program has stopped ZERO attacks. Forget that the opportunity for abuse is off the charts. Forget that our government is completely off the rails on this issue.

Releasing document he was cleared for violates the NSA's compartmentalization scheme. I don't see how that affects his whistleblower status one bit.
It's the attempting (and succeeding) to gain access to other documents outside his compartment that undermines his claims.
That's a completely unsupported assertion. Why does that undermine his claim? Why does seeking further evidence of wrongdoing mean he's not a whistleblower?
Seeking further evidence of wrongdoing? LOL.

At what point did he morph from whistleblower to investigative journalist? Even an investigative journalist isn't allowed to do what he did to gather information. Can you imagine a world where we allowed the Geraldos of the world to use subterfuge and moles to go out and SEEK classified information using the same methods that the Soviets or Chinese would?

> Can you imagine a world where we allowed the Geraldos of the world to use subterfuge and moles to go out and SEEK classified information using the same methods that the Soviets or Chinese would?

Media moles are called leakers, and they're all over the place. Many are highly placed officials purposefully leaking to control the narrative. Interestingly, leaks that benefit the government's positions seem to receive less investigatory attention from the FBI et al.

There is a big difference between the typical strategic leaking by wonkish types in DC and releasing classified information to the media.

The first will get you fired.

The second will get you prison and/or death.

As someone who has friends who are currently in harm's way, anything that hurts their chances of coming back in one piece is worthy of my scorn.

I think ALL of those leaks should have been prosecuted.

I feel like impeachment would have been a fine option.

I think the fact he was contacting journalists in December about information he had yet to take (he said he started taking documents in April) shows he had a single purpose to take documents illegally to expose what the NSA was doing. That's borderline spying if you ask me. It's not like he got hired and after several months realizes something wasn't right. He had a specific purpose in mind before even getting there.

http://www.washingtonpost.com/world/national-security/edward...

"By last December, Snowden was contacting reporters, although he had not yet passed along any classified information. He continued to give his colleagues the “front-page test,” he said, until April."

"Asked about those conversations, NSA spokeswoman Vanee Vines sent a prepared statement to The Post: “After extensive investigation, including interviews with his former NSA supervisors and co-workers, we have not found any evidence to support Mr. Snowden’s contention that he brought these matters to anyone’s attention."

I will always contend what he did was reckless and subverted the job the intelligence community was doing at the time. Unless you were living under a rock, you already knew the NSA was getting out of control. Wired's article in Feb of 2013 highlighted the new NSA facility and its growing capabilities:

http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/

> Unless you were living under a rock, you already knew the NSA was getting out of control

Yes, definitely. If your threat model hasn't included global passive adversaries, at least since Mark Klein, then you're woefully naive and out of touch.

But what Snowden did is get people to care by revealing tangible details in a way that simply saying "everything is tapped" does not. Things certainly won't change overnight, and it may even take a few more like him to keep us on track to a secure Internet. But the fact that he got all of us talking, and we're still talking, is pretty remarkable.

And as long as he didn't physically hurt anyone, I can't see how anything could possibly be wrong with his methods. Remember, we're talking about unauthorized computer access versus institutionalized programs that are illegal under USG's charter, and of a type that would at least be publicly approved and transparent in any free society.

And why would we believe the NSA at this point?
I concur. The lack of detail seems bogus. Just because someone used Snowden's keyboard to log in once, theoretically allowing Snowden to intercept the password, doesn't mean that that Snowden actually logged the guy's password. Seems like they want scapegoats.
I came here to say "you're only as strong as your weakest link", but I have to admit this is plausible as well. However, from a hacker perspective, what difference does it make?

Social engineering tactics are widely known to be very effective in a lot of cases, and the NSA is no different. Snowden was accused in the past of trying to do this [1], although from his perspective (as well as mine, for that matter) he was probably just trying to explore the limits/boundaries of the systems he worked with [2].

I agree regarding the lack of details, and that this is probably a false report. That being said, I wouldn't be surprised if Snowden actually gave it a shot - if you can find someone actually willing to just hand you their credentials, why wouldn't you? Although I understand they're trying to make Snowden look worse with this, I don't see that it does - if anything, it highlights his strengths as a security researcher, while simultaneously showing that the NSA is susceptible to the same social engineering flaws as have been demonstrated elsewhere.

----

[1] http://www.nytimes.com/2013/10/11/us/cia-warning-on-snowden-...

[2] http://www.techdirt.com/articles/20131017/15530424921/snowde...

Remember, folks we do not know NSA's internal infrastructure..

Things we do know: 1 Hawaii is a listening post and Snowden was at a listening post yet did not have access to RAW data as systemadmin. This bodes well for claim on access abuse of RAW data only but not abuse on implementing the collection system for RAW data. In other words NSA can abuse through implementation without being audited..that includes Congress as it has been proven that NSA can lie to congress without being any move to punish NSA for such lies and also the lack of technical backgrounds or even military backgrounds of most congress people.

NSA is relying upon everyone forgetting that collection of raw data implementation is the number one place for auditing of abuses.

Who shares their key with someone and enters their password?

If I worked somewhere that is as sensitive as the NSA I would never share my key. I wouldnt allow someone to use my login at my work to do anything, period.

Now its sounds like Snowden was being a spook of his own in order to gain access to data. Hopefully these people wont be indicted.