1,000 Sys Admins Can Copy Any NSA Document Without Anyone Knowing About It; Think Only Snowden Did?

from the perfect-audits? dept

Following on our earlier story about how Ed Snowden covered his tracks -- showing that the NSA's vaunted "auditability" of its systems is a complete joke -- comes the news that there are approximately one thousand sys admins with Snowden's authority, who can basically go through any document without any trace. Even more incredible: they can "appear as" anyone else when doing things on the system. In other words, if a sys admin wanted to frame an NSA analyst, it sounds like that would be quite easy. The report also notes that, for all of the talk about how great the NSA is at cybersecurity, and the fact that part of the point of CISPA was to try to have the NSA in charge of the nation's cybersecurity, the agency does a piss poor job protecting itself:

“It’s 2013 and the NSA is stuck in 2003 technology,” said an intelligence official.

Jason Healey, a former cyber-security official in the Bush Administration, said the Defense Department and the NSA have “frittered away years” trying to catch up to the security technology and practices used in private industry. “The DoD and especially NSA are known for awesome cyber security, but this seems somewhat misplaced,” said Healey, now a cyber expert at the Atlantic Council. “They are great at some sophisticated tasks but oddly bad at many of the simplest.”

That last sentence really means: "they are great at hacking stuff, but crap at protecting stuff."

As for the thousand or so sys admins on staff, it appears that they have no restrictions or tracking of what they do:

As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.

He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.

If he wanted, he would even have been able to pose as any other user with access to NSAnet, said the source.

Remember how the NSA at one point said that there were only 35 analysts who could run certain queries? And that all of the queries were tracked and audited? It seems they left out the thousand or so sys admins who could do whatever they wanted with no tracking at all. Does anyone honestly think that none of those sys admins ever was involved in a "LOVINT" situation? Or something much worse?

Oh, and people will remember that the NSA's new plan to "fix" this is to get rid of about 900 of those sys admins, rather than fix the actual problem. And, of course, if you know anything about how this stuff works, you'd know that the NSA probably can't actually automate away 90% of what its sys admins do.

So we're left with an agency that collects a ridiculous amount of info, and has around 1,000 employees (who are mostly actually employed by outside contractors) who can look through anything with no tracking, leaving no trace, and we're told that the data isn't abused. Really? Do Keith Alexander, James Clapper, President Obama, Dianne Feinstein and Mike Rogers really believe that none of those 1,000 sys admins have ever abused the system? And do they believe that none of the people those thousand sys admins are friends with have ever had their friend "check out" information on someone else? Hell, imagine you were someone at the NSA who understood all of this already. If you wanted to abuse the system, why not befriend a sys admin and let him or her do the dirty work for you -- knowing that there would be no further trace?

Basically, it seems clear that the NSA has simply no idea how many abuses there were, and there are a very large number of people who had astounding levels of access and absolutely no controls or way to trace what they were doing.

Filed Under: audits, cybersecurity, ed snowden, keith alexander, nsa, nsa surveillance, security, sys admins


Reader Comments


  • Anonymous Coward, 26 Aug 2013 @ 12:54pm

    They gave 1000 people system administration privileges? Wow, as a system administrator you can pretty much do as you please then remove any trace you were ever there. Also yes you can't automate system admins. It's way better to have trustworthy people than a computer which can be hacked and then there's completely no way to know.

  • Anonymous Coward, 26 Aug 2013 @ 12:58pm

    Ah, the geeks are in control...

    This reminds me of all the congress critters belittling the "geeks" and "nerds" - and shunning them because they didn't understand computers.

    And here we are - finding out that the geeks and nerds are the ones basically running things that Congress is supposedly overseeing.

    So...who runs this country again? When will they start listening to the very people they're putting in charge?

    • Mr. Oizo, 26 Aug 2013 @ 2:19pm

      Re: Ah, the geeks are in control...

      It is not because one is 'geek' or 'smart' that that makes you a moral / good person.

    • Anonymous Coward, 26 Aug 2013 @ 2:46pm

      Re: Ah, the geeks are in control...

      I love that movie!

    • Anonymous, 26 Aug 2013 @ 4:33pm

      Re: Ah, the geeks are in control...

      "We run things, things don't run we." -Miley Cyrus

  • Anonymous Coward, 26 Aug 2013 @ 1:13pm

    wow. i hope somehow, somewhere, they put a RADIUS server for authentication from the Internet...

    Or - better- forgot to include the magic cable to get to the internet from . . .

  • Anonymous Coward, 26 Aug 2013 @ 1:26pm

    How many of those 1000 sys admins are paid to spy for other governments?

    Here's a bigger question, with 1,000 people who can do whatever they want and get their hands on almost any data they want it sounds like, how many of them have been bribed to work for foreign governments?

    If they can access this information so easily like Snowden could, and they can cover up their tracks so easily like Snowden did, that makes ALL of them a very tempting target for a foreign government to bribe.

  • Baldaur Regis, 26 Aug 2013 @ 1:29pm

    Soooo...

    NSA internal security is provided by Big Bird and Oscar then?

  • Anonymous Coward, 26 Aug 2013 @ 1:30pm

    Insider Threat

    Okay, so it seems that at least the bulk of corporate world gives lip service, at minimum, to insider threat...

    I kind of doubt that even the NSA completely missed this one...
    I'm afraid to ask... how stupid does the NSA believe that the general public is?

    • Anonymous Coward, 26 Aug 2013 @ 2:12pm

      Re: Insider Threat

      Let me put it this way, I've been awake and trolling the internet on and off for the better part of 12 hours, and by far the biggest story I've seen today is Miley Cyrus at the VMAs.

      • Anonymous, 26 Aug 2013 @ 4:35pm

        Re: Re: Insider Threat

        LOL! I just posted a line from a Miley song a few seconds before reading your post!
        MILEY ROCKS!

  • slinkySlim, 26 Aug 2013 @ 1:36pm

    Got Root?

  • Anon? Hah!, 26 Aug 2013 @ 1:38pm

    Disgruntled admins..

    Now that 900 face the axe (gone already or given notice?) I'd bet the morale of the remaining 100 is quite low, with a hefty blend of paranoia.

    I bet things go _much_ smoother from here on in..

    Oh, and 900 people are probably a little pissed at going down with the Snowden ship..

    • Wally, 26 Aug 2013 @ 1:55pm

      Re: Disgruntled admins..

      I wouldn't say I would worry about disgruntled admins as much as the fact that they still have access after they've been fired. What's more is that they've got only 100 people to remove the security credentials on what is likely thousands of computers.

      • PaulT, 28 Aug 2013 @ 6:55am

        Re: Re: Disgruntled admins..

        I'd hope an organisation the size of the NSA has some kind of centralised security management and other restrictions. If they're manually setting the access credentials for each individual machine, they're asking for trouble and you might as well assume that the data's compromised anyway.

        The more realistic question is how many of those admins left themselves backdoors or other ways of accessing data that nobody else knows about. I'll bet there's several, and now they lack the manpower to audit machines for anything not detectable by standard intrusion detection and auditing procedures.

  • out_of_the_blue, 26 Aug 2013 @ 1:51pm

    Dang, I don't have a snarky comment based on a logic fallacy for this one.

    I guess you are right Mikey. Great Job exposing this for the people!

  • Anonymous Coward, 26 Aug 2013 @ 1:56pm

    AH- the King's new clothes

    At least now we know how big his dick is and how often he gets laid!

  • Anonymous Coward, 26 Aug 2013 @ 2:22pm

    ' su jclapper'
    ' cd /'
    ' cp -ar * /mnt/usb0'

    The space in front is important, so the commands don't get logged.

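An added example, not part of the article or of any reader comment: the leading-space trick in the comment above only affects shell history, which the user controls, whereas the Linux kernel audit subsystem records each execve with `auid`, the login UID fixed at session start that `su` does not change. The sketch below reviews constructed audit records for the two gaps the article describes, acting as another account and activity with no login identity; the log lines, the `exec` rule key and the function names are assumptions made for illustration.

```python
import re

# Constructed auditd-style execve records (not real logs). They assume an
# execve rule such as: -a always,exit -F arch=b64 -S execve -k exec
# auid = login UID set once at login; uid = identity the process runs as now.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1377552001.101:4200): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1001 uid=1001 euid=1001 tty=pts0 ses=12 comm="ls" exe="/bin/ls" key="exec"
type=SYSCALL msg=audit(1377552060.310:4201): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2140 auid=1001 uid=1001 euid=0 tty=pts0 ses=12 comm="su" exe="/bin/su" key="exec"
type=SYSCALL msg=audit(1377552075.002:4202): arch=c000003e syscall=59 success=yes exit=0 ppid=2141 pid=2150 auid=1001 uid=1002 euid=1002 tty=pts0 ses=12 comm="cp" exe="/bin/cp" key="exec"
type=SYSCALL msg=audit(1377552090.440:4203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2200 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="exec"
type=SYSCALL msg=audit(1377552099.900:4204): arch=c000003e syscall=59 success=yes exit=0 ppid=2300 pid=2301 auid=4294967295 uid=1002 euid=1002 tty=pts3 ses=4294967295 comm="cat" exe="/bin/cat" key="exec"
"""

UNSET_AUID = 4294967295  # 2**32 - 1: the kernel's value for "no login UID set"
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')


def parse_record(line):
    """Split one raw audit line into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = SERIAL.search(fields.get("msg", ""))
    if m:
        fields["time"], fields["serial"] = int(m.group(1)), int(m.group(2))
    return fields


def review(log_text):
    """Return (serial, finding, auid, uid, exe) for records worth a second look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or "auid" not in rec or "uid" not in rec:
            continue
        auid, uid = int(rec["auid"]), int(rec["uid"])
        if auid == UNSET_AUID:
            # Heuristic: a terminal session with no login UID cannot be
            # attributed to a person (daemons with tty=(none) are expected).
            if rec.get("tty", "(none)") != "(none)":
                findings.append((rec.get("serial"), "unattributed-tty",
                                 auid, uid, rec.get("exe")))
        elif auid != uid:
            # The person who logged in (auid) is running as a different account.
            findings.append((rec.get("serial"), "acting-as-other",
                             auid, uid, rec.get("exe")))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Records like these only count as an audit trail if they are shipped to a collector that the administrators of the audited host cannot modify.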

  • Prask, 26 Aug 2013 @ 2:40pm

    Re: Only Snowden?

    Q1: Is it possible to gather information using NSA systems on women?
    Q2: Are there any men employed as sysadmins?

    If (Q1 and Q2) = true then the systems *have* been abused. Bad security cannot beat evolutionary imperatives.

    • Anon-Y-Mouse, 27 Aug 2013 @ 3:08pm

      Re: Re: Only Snowden?

      Q1: Is it possible to gather information using NSA systems on women?
      Q2: Are there any men employed as sysadmins?

      If (Q1 and Q2) = true then the systems *have* been abused. Bad security cannot beat evolutionary imperatives.

      No, evolutionary imperatives will always beat the best security.

      The computer is your friend. Trust in the computer.

  • Anonymous Coward, 26 Aug 2013 @ 3:23pm

    How many of those 1000 sysadmins are working for the NSA?

    And how many of them are working for the Russians, the Chinese, the Japanese, the British, the Germans...or worse, the Mafia, the Zetas, etc.?

    Surely nobody of the slightest intelligence is going to suggest that 1000 out of 1000 are absolutely loyal. The odds against that are staggering. Not when Snowden has provided a demonstration proof that -- with just a little care -- it's possible to stroll out of the NSA with a staggering amount of information. Surely someone who only needs to take a little information...but just the right information...and sell it to some very interested buyers who are willing to pay top dollar/yen/euro/rupee for it, will have no trouble doing so.

    Another way of looking at it: the NSA is very busy building an information repository for lots of other people besides the United States government.

  • The Original Anonymous Coward, 26 Aug 2013 @ 3:29pm

    Have those 1000 sysadmins actually been terminated?

    If so, here are a few questions:

    1 - Did they leave any back doors into the systems?
    2 - Did they create some other accounts for later use?
    3 - Did they already dump all the files they could find into a safe place?
    4 - Who are they blackmailing already?

    It sounds like a lot of these servers are UNIX or Linux based and the folks that administer those systems tend to be very creative.

    ;-)

    • Rikuo, 26 Aug 2013 @ 4:36pm

      Re: Have those 1000 sysadmins actually been terminated?

      A sysadmin or a group of sysadmins who know they are facing the axe but then don't threaten to wreck the IT systems if they're fired don't deserve the title. No matter what your organization, NEVER piss off your sysadmins. Since it's been proven here that any of them can leave no trace, then there really is nothing stopping them from going "Fuck this, there goes my salary, might as well get myself set for life and sell a few secrets to the Chinese or Russians or whoever".

      • The Original Anonymous Coward, 26 Aug 2013 @ 6:04pm

        Re: Re: Have those 1000 sysadmins actually been terminated?

        Maybe they've all been "terminated", as in the Arnold Schwarzenegger type of termination.

        People should start checking the missing persons reports for those cities hosting major NSA installations.

      • TheLastCzarnian, 27 Aug 2013 @ 6:17am

        Re: Re: Have those 1000 sysadmins actually been terminated?

        Real Sysadmins don't spend months or years creating a beautiful, functional system just to tear it down at the threat of termination. It would be like cutting the left pinky-finger off of your child. It's sick.

        • Josh in CharlotteNC, 27 Aug 2013 @ 7:15am

          Re: Re: Re: Have those 1000 sysadmins actually been terminated?

          a beautiful, functional system

          That's funny.

          I don't think the NSA's system fits as either of those adjectives.

  • That Anonymous Coward, 26 Aug 2013 @ 3:56pm

    If this wasn't the NSA, this would be hysterical.
    Sadly, this is the NSA and I don't know about anyone else but I feel fuckloads less safe seeing how inept and incompetent they are.
    I'm terrified that Congresscritters and others actually think these people are the best of the best.

    This is what happened with every "good" idea we put into motion, they attach wads of cash to their corporate sponsors and it goes to shit and needs more and more money.

  • Anonymous Coward, 26 Aug 2013 @ 4:23pm

    Another 900 Snowdens ready to go wild

    They don't know what Snowden took and now they're firing another 900 just like him. What are they leaving with?

    OK, I'm not paranoid but.... I think everyone needs to make themselves as small a target as possible. Start encrypting phone calls, emails, text messages, browsing. Stop storing files on Dropbox, in Gmail, in iCloud, etc., and stash everything in a Cloudlocker (www.cloudlocker.it) which stays in your house where they still need a warrant to look inside.

    What a shame it's come to this, but we have to protect ourselves from the people who are supposed to protect us.

  • Anonymous Coward, 26 Aug 2013 @ 6:10pm

    Basically, it seems clear that the NSA has simply no idea how many abuses there were, and there are a very large number of people who had astounding levels of access and absolutely no controls or way to trace what they were doing.

    And now 900 of them are going to get laid off.
    I've heard of big businesses being brought to their knees at the hands of one disgruntled sysadmin. One.
    They fired. Nine. Hundred. Sysadmins.
    Sysadmins who were in charge of an enormous database of potentially dangerous information, all locked behind paper-thin security.

    This cannot possibly end well for the NSA.
    They're not going to be able to drum up much sympathy when the other shoe drops, either. With the public in a state of sustained outrage, and congressmen clamoring for them to be defunded, they may well be shut down altogether in the wake of whatever disaster befalls them.

  • Anonymous Coward, 26 Aug 2013 @ 6:25pm

    Guesses about NSA tech

    As tech-heavy as they are, the NSA is a very large and (in tech terms) relatively old organization, and a government one at that. From those characteristics, we can extrapolate from similar (but not secret) organizations to make certain guesses. For example, they've probably had an attempted upgrade turn into a major screwup with huge cost overruns and lots of management ass-covering. It happens in the military, it happens in government, it happens in private industry.

    We can also guess that they have lots of legacy tech to maintain. Specialized old hardware and software that has to be kept in place for specific intelligence-collecting missions, but that doesn't integrate well with more up-to-date systems. Keeping these systems working would require specialized employees with significant system privileges.

    We can also guess that their bureaucratic structure and security requirements will sometimes delay new technology. If, for example, they were using a custom in-house linux fork, then any improvements and bugfixes have to jump through the obvious hoops.

    That's all straightforward, and can be streamlined. But it also means that those old systems -- the ones that mostly work, don't seem like a big risk, and would be a huge effort to replace, may be continued nearly indefinitely. It also suggests to me that remodeling old tech might sometimes be bureaucratically preferred over new construction. How many lines of Fortran 77 do you reckon the NSA still has deployed? Of Cobol? Ada?

    My guess is the NSA has some really nasty system integration/ESB/API-genre problems. In addressing these, upper management lacks the technical expertise, but demands solutions, so middle management looks the other way when nerds cut corners on security stupidity (cf. sysadmin privs) to get results.

  • Anonymous Coward, 26 Aug 2013 @ 6:30pm

    Fired 900

    I bet the statement about getting rid of 900 sysadmins is like the other "least untrue" hairsplitting -- it means they'll have different job titles, but still be getting a paycheck. Maybe even a promotion!

    I'll also bet that everything that can easily be automated has already been automated. Remember, upper management is always completely fucking clueless.

  • toyotabedzrock, 26 Aug 2013 @ 10:28pm

    Log wipe

    I have commented on several stories here and other places and on g+ that they have no idea what he has in total because he wiped the logs.

  • That Anonymous Coward, 26 Aug 2013 @ 11:12pm

    sudo copy *
    sudo wget Hong Kong boarding pass
    sudo rm log

  • Anonymous Coward, 27 Aug 2013 @ 12:46am

    Lesson nr.1 in ANY company - NEVER P!SS OFF THE SYSADMIN.

    • Anonymous Coward, 27 Aug 2013 @ 12:48am

      Re:

      And cutting their job certainly doesn't help... Can't wait to see those disgruntled ex-NSA-sysadmins start leaking stuff.

  • Ninja, 27 Aug 2013 @ 6:00am

    ANOMALIES!!! 1000's OF THEM!!!

    Ahem.

    Hope we see quite a few more Snowdens then.

  • ThatFatMan, 27 Aug 2013 @ 7:23am

    This seemed appropriate here...

  • Wesley Parish, 27 Aug 2013 @ 8:17pm

    This long? What took yous?

    That was one of the first things I realized. You have data piling up, both on the organization, and on its victims. You have people of all different shades of political belief and technological ability. And you have - in every organization - someone disgruntled with something or other.

    Plus you're working in the Security/Intelligence field, where terminating employment sometimes means terminating the employee as well, even in the spy novels (One of the books I read during my misspent youth was about working in Security/Intelligence, and one thing the author pointed out was that anyone with scruples about terminating another spy to save his own life, was worth nothing as a spy.)

    So the chance that someone else will have insurance lying around somewhere, ready to snap the NSA like dry-rotted wood if anything should turn against him? Practically 1.00 confidence interval.

    The chance that someone will then use that information to spruce up his life? .95 confidence interval.

    The likelihood that nothing Snowden has leaked so far is news to anyone else? Practically 1.00 confidence interval.

    So, what the h*** took yous? You've had all the pointers ... the persecution of Snowden's got nothing to do with security vulnerability as such - it's got everything to do with security theatre.

  • Anonymous Coward, 27 Aug 2013 @ 8:39pm

    Thank you captain obvious...

    Yes, the intelligence agencies are very good at hacking - it's their equivalent of the money-making part of their enterprises. As a result, data-collection is where they spend the bulk of their money and place the most brain-power/skills. However, like the vast majority of enterprises, IT administration is simply another cost-center. As such, those costs are controlled to as great a degree possible - moreso given current budgetary trends. This means that administration is happening at "lowest bid" rates.

    The plus side of this is that, while there may be 1000+ individuals that have sufficient access to do something Snowden-esque, there's a very small fraction that have the skills to even begin to try to take advantage of that access. Smaller still is the number that, even if they had the skill to take advantage of that access would not voluntarily nor could be induced to do so.

    You can see this reflected in any IT services organization: the billable guys tend to be the most clueful folks while the back-office guys tend to be lower-tier skills. Think of the guy doing desktop support at a Fortune 500 and that's what the vast majority of the 1000 SAs are like in government IT.
