1,000 Sys Admins Can Copy Any NSA Document Without Anyone Knowing About It; Think Only Snowden Did?

from the perfect-audits? dept

Mon, Aug 26th 2013 12:48pm — Mike Masnick

Following on our earlier story about how Ed Snowden covered his tracks -- showing that the NSA's vaunted "auditability" of its systems is a complete joke -- comes the news that there are approximately one thousand sys admins with Snowden's authority, who can basically go through any document without any trace. Even more incredible: they can "appear as" anyone else when doing things on the system. In other words if a sys admin wanted to frame an NSA analyst, it sounds like that would be quite easy. The report also notes that, for all of the talk about how great the NSA is at cybersecurity, and the fact that part of the point of CISPA was to try to have the NSA in charge of the nation's cybersecurity, the agency does a piss poor job protecting itself:

“It’s 2013 and the NSA is stuck in 2003 technology,” said an intelligence official.

Jason Healey, a former cyber-security official in the Bush Administration, said the Defense Department and the NSA have “frittered away years” trying to catch up to the security technology and practices used in private industry. “The DoD and especially NSA are known for awesome cyber security, but this seems somewhat misplaced,” said Healey, now a cyber expert at the Atlantic Council. “They are great at some sophisticated tasks but oddly bad at many of the simplest.”

That last sentence really means: "they are great at hacking stuff, but crap at protecting stuff."

As for the thousand or so sys admins on staff, it appears that they have no restrictions or tracking of what they do:

As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.

He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.

If he wanted, he would even have been able to pose as any other user with access to NSAnet, said the source.

Remember how the NSA at one point said that there were only 35 analysts who could run certain queries? And that all of the queries were tracked and audited. It seems they left out the thousand or so sys admins who could do whatever they wanted with no tracking at all. Does anyone honestly think that none of those sys admins ever was involved in a "LOVINT" situation? Or something much worse?

Oh, and people will remember that the NSA's new plan to "fix" this it to get rid of about 900 of those sys admins, rather than fix the actual problem. And, of course, if you know anything about how this stuff works, you'd know that the NSA probably can't actually automate away 90% of what its sys admins do.

So we're left with an agency that collects a ridiculous amount of info, and has around 1,000 employees (who are mostly actually employed by outside contractors) who can look through anything with no tracking, leaving no trace, and we're told that the data isn't abused. Really? Do Keith Alexander, James Clapper, President Obama, Dianne Feinstein and Mike Rogers really believe that none of those 1,000 sys admins have ever abused the system? And, do they believe that none of the people whom those thousand sys admins are friends with haven't had their friend "check out" information on someone else? Hell, imagine you were someone at the NSA who understood all of this already. If you wanted to abuse the system, why not befriend a sys admin and let him or her do the dirty work for you -- knowing that there would be no further trace?

Basically, it seems clear that the NSA has simply no idea how many abuses there were, and there are a very large number of people who had astounding levels of access and absolutely no controls or way to trace what they were doing.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: audits, cybersecurity, ed snowden, keith alexander, nsa, nsa surveillance, security, sys admins

44 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 26 Aug 2013 @ 12:54pm

They gave 1000 people system administration privileges? Wow as a system administrator you can pretty much do as you please then remove any trace you were ever there. Also yes you can't automate system admins. Its way better to have trustworthy people then a computer which can be hacked and then there's completely no way to know.
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 12:58pm

Ah, the geeks are in control...
This reminds me of all the congress critters belittling the "geeks" and "nerds" - and shunning them because they didn't understand computers.

And here we are - finding out that the geeks and nerds are the ones basically running things that Congress is supposedly overseeing.

So...who runs this country again? When will they start listening to the very people they're putting in charge?
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 1:13pm

wow. i hope somehow, somewhere, they put a RADIUS server for authentication from the Internet...

Or - better- forgot to include the magic cable to get to the internet from . . .
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 1:26pm

How many of those 1000 sys admins are paid to spy for other governments?
Here's a bigger question, with 1,000 people who can do whatever they want and get their hands on almost any data they want it sounds like, how many of them have been bribed to work for foreign governments?

If they can access this information so easily like Snowden could, and they can cover up their tracks so easily like Snowden did, that makes ALL of them a very tempting target for a foreign government to bribe.
[ link to this | view in thread ]
Baldaur Regis (profile), 26 Aug 2013 @ 1:29pm

Soooo...
NSA internal security is provided by Big Bird and Oscar then?
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 1:30pm

Insider Threat
Okay, so it seems that at least the bulk of corporate world gives lip service, at minimum, to insider threat...

I kind of doubt that even the NSA completely missed this one...
I'm afraid to ask... how stupid does the NSA believe that the general public is?
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 1:33pm

Re: Soooo...
Nope - it's provided by Gonzo and Animal.
[ link to this | view in thread ]
slinkySlim, 26 Aug 2013 @ 1:36pm

Got Root?
[ link to this | view in thread ]
Anon? Hah!, 26 Aug 2013 @ 1:38pm

Disgruntled admins..
Now that 900 face the axe (gone already or given notice?) I'd bet the morale of the remaining 100 is quite low, with a hefty blend of paranoia.

I bet things go _much_ smoother from here on in..

Oh, and 900 people are probably a little pissed at going down with the Snowden ship..
[ link to this | view in thread ]
out_of_the_blue, 26 Aug 2013 @ 1:51pm

Dang, I don't have a snarky comment based on a logic fallacy for this one.

I guess you are right Mikey. Great Job exposing this for the people!
[ link to this | view in thread ]
Wally (profile), 26 Aug 2013 @ 1:55pm

Re: Disgruntled admins..
I wouldn't say I would worry about disgruntled admins as much as the fact that they still have access after they've been fired. What's more is that they've got only 100 people to remove the security credentials on what is likely thousands of computers.
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 1:56pm

AH- the King's new cloths
At least now we know how big his dick is and how often he gets laid!
[ link to this | view in thread ]
Hephaestus (profile), 26 Aug 2013 @ 2:00pm

Re:
You are such the geek ... oh wait, I got that...
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 2:12pm

Re: Insider Threat
Let me put it this way, I've been awake and trolling the internet on and off for the better part of 12 hours, and by far the biggest story I've seen today is Miley Cyrus at the VMAs.
[ link to this | view in thread ]
Mr. Oizo, 26 Aug 2013 @ 2:19pm

Re: Ah, the geeks are in control...
It is not because one is 'geek' or 'smart' that that makes you a moral / good person.
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 2:22pm

' su jclapper'
' cd /'
' cp -ar * /mnt/usb0'

The space if front is important, so command don't get logged.
[ link to this | view in thread ]
Prask, 26 Aug 2013 @ 2:40pm

Re: Only Snowden?
Q1: Is it possible to gather information using NSA systems on women?
Q2: Are there any men employed as sysadmins?

If (Q1 and Q2) = true then the systems *have* been abused. Bad security cannot beat evolutionary imperatives.
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 2:46pm

Re: Ah, the geeks are in control...
I love that movie!
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 3:23pm

How many of those 1000 sysadmins are working for the NSA?
And how many of them are working for the Russians, the Chinese, the Japanese, the British, the Germans...or worse, the Mafia, the Zetas, etc.?

Surely nobody of the slightest intelligence is going to suggest that 1000 out of 1000 are absolutely loyal. The odds against that are staggering. Not when Snowden has provided a demonstration proof that -- with just a little care -- it's possible to stroll out of the NSA with a staggering amount of information. Surely someone who only needs to take a little information...but just the right information...and sell it to some very interested buyers who are willing to pay top dollar/yen/euro/rupee for it, will have no trouble doing so.

Another way of looking at it: the NSA is very busy building an information repository for lots of other people besides the United States government.
[ link to this | view in thread ]
The Original Anonymous Coward (profile), 26 Aug 2013 @ 3:29pm

Have those 1000 sysadmins actually been terminated?
If so, here are a few questions:

1 - Did they leave any back doors into the systems?
2 - Did they create some other accounts for later use?
3 - Did they already dump all the files they could find into a safe place?
4 - Who are they blackmailing already?

It sounds like a lot of these servers are UNIX or Linux based and the folks that administer those systems tend to be very creative.

;-)
[ link to this | view in thread ]
That Anonymous Coward (profile), 26 Aug 2013 @ 3:56pm

If this wasn't the NSA, this would be hysterical.
Sadly, this is the NSA and I don't know about anyone else but I feel fuckloads less safe seeing how inept and incompetent they are.
I'm terrified that Congresscritters and others actually think these people are the best of the best.

This is what happened with every "good" idea we put into motion, they attach wads of cash to their corporate sponsors and it goes to shit and needs more and more money.
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 4:23pm

Another 900 Snowdens ready to go wild
They don't know what Snowden took and now they're firing another 900 just like him. What are they leaving with?

OK, I'm not paranoid but.... I think everyone needs to make themselves as small a target as possible. Start encrypting phone calls, emails, text messages, browsing. Stop storing files on Dropbox, in Gmail, in iCloud, etc., and stash everything in a Cloudlocker (www.cloudlocker.it) which stays in your house where they still need a warrant to look inside.

What a shame it's come to this, but we have to protect ourselves from the people who are supposed to protect us.
[ link to this | view in thread ]
Anonymous, 26 Aug 2013 @ 4:33pm

Re: Ah, the geeks are in control...
"We run things, things don't run we." -Miley Cyrus
[ link to this | view in thread ]
Anonymous, 26 Aug 2013 @ 4:35pm

Re: Re: Insider Threat
LOL! I just posted a line from a Miley song a few seconds before reading your post!
MILEY ROCKS!
[ link to this | view in thread ]
Rikuo (profile), 26 Aug 2013 @ 4:36pm

Re: Have those 1000 sysadmins actually been terminated?
A sysadmin or a group of sysadmins who know they are facing the axe but then don't threaten to wreck the IT systems if they're fired don't deserve the title. No matter what your organization, NEVER piss off your sysadmins. Since it's been proven here that any of them can leave no trace, then there really is nothing stopping them from going "Fuck this, there goes my salary, might as well get myself set for life and sell a few secrets to the Chinese or Russians or whoever".
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 4:39pm

Re:
Bend over and you'll find out.
[ link to this | view in thread ]
The Original Anonymous Coward (profile), 26 Aug 2013 @ 6:04pm

Re: Re: Have those 1000 sysadmins actually been terminated?
Maybe they've all been "terminated", as in the Arnold Schwarzenegger type of termination.

People should start checking the missing persons reports for those cities hosting major NSA installations.
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 6:10pm

Basically, it seems clear that the NSA has simply no idea how many abuses there were, and there are a very large number of people who had astounding levels of access and absolutely no controls or way to trace what they were doing.

And now 900 of them are going to get laid off.
I've heard of big businesses being brought to their knees at the hands of one disgruntled sysadmin. One.
They fired. Nine. Hundred. Sysadmins.
Sysadmins who were in charge of an enormous database of potentially dangerous information, all locked behind paper-thin security.

This cannot possibly end well for the NSA.
They're not going to be able to drum up much sympathy when the other shoe drops, either. With the public in a state of sustained outrage, and congressmen clamoring for them to be defunded, they may well be shut down altogether in the wake of whatever disaster befalls them.
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 6:25pm

Guesses about NSA tech
As tech-heavy as they are, the NSA is a very large and (in tech terms) relatively old organization, and a government one at that. From those characteristics, we can extrapolate from similar (but not secret) organizations to make certain guesses. For example, they've probably had an attempted upgrade turn into a major screwup with huge cost overruns and lots of management ass-covering. It happens in the military, it happens in government, it happens in private industry.

We can also guess that they have lots of legacy tech to maintain. Specialized old hardware and software that has to be kept in place for specific intelligence-collecting missions, but that doesn't integrate well with more up-to-date systems. Keeping these systems working would require specialized employees with significant system privileges.

We can also guess that their bureaucratic structure and security requirements will sometimes delay new technology. If, for example, they were using a custom in-house linux fork, then any improvements and bugfixes have to jump through the obvious hoops.

That's all straightforward, and can be streamlined. But it also means that those old systems -- the ones that mostly work, don't seem like a big risk, and would be a huge effort to replace, may be continued nearly indefinitely. It also suggests to me that remodeling old tech might sometimes be bureaucratically preferred over new construction. How many lines of Fortran 77 do you reckon the NSA still has deployed? Of Cobol? Ada?

My guess is the NSA has some really nasty system integration/ESB/API-genre problems. In addressing these, upper management lacks the technical expertise, but demands solutions, so middle management looks the other way when nerds cut corners on security stupidity (cf. sysadmin privs) to get results.
[ link to this | view in thread ]
Anonymous Coward, 26 Aug 2013 @ 6:30pm

Fired 900
I bet the statement about getting rid of 900 sysadmins is like the other "least untrue" hairsplitting -- it means they'll have different job titles, but still be getting a paycheck. Maybe even a promotion!

I'll also bet that everything that can easily be automated has already been automated. Remember, upper management is always completely fucking clueless.
[ link to this | view in thread ]
IronM@sk, 26 Aug 2013 @ 10:08pm

Re:
*than* a computer
[ link to this | view in thread ]
toyotabedzrock (profile), 26 Aug 2013 @ 10:28pm

Log wipe
I have commented on several stories here and other places and on g+ that they have no idea what he has in total because he wiped the logs
[ link to this | view in thread ]
That Anonymous Coward (profile), 26 Aug 2013 @ 11:12pm

sudo copy *
sudo wget Hong Kong boarding pass
sudo rm log
[ link to this | view in thread ]
Anonymous Coward, 27 Aug 2013 @ 12:46am

Lesson nr.1 in ANY company - NEVER P!SS OFF THE SYSADMIN.
[ link to this | view in thread ]
Anonymous Coward, 27 Aug 2013 @ 12:48am

Re:
And cutting their job certainly doesn't help...Can't wait to see those disgruntled ex-NSA-sysadmins to start leaking stuff.
[ link to this | view in thread ]
Ninja (profile), 27 Aug 2013 @ 6:00am

ANOMALIES!!! 1000's OF THEM!!!

Ahem.

Hope we see quite a few more Snowdens then.
[ link to this | view in thread ]
TheLastCzarnian (profile), 27 Aug 2013 @ 6:17am

Re: Re: Have those 1000 sysadmins actually been terminated?
Real Sysadmins don't spend months or years creating a beautiful, functional system just to tear it down at the threat of termination. It would be like cutting the left pinky-finger off of your child. It's sick.
[ link to this | view in thread ]
Josh in CharlotteNC (profile), 27 Aug 2013 @ 7:15am

Re: Re: Re: Have those 1000 sysadmins actually been terminated?
a beautiful, functional system

That's funny.

I don't think the NSA's system fits as either of those adjectives.
[ link to this | view in thread ]
ThatFatMan (profile), 27 Aug 2013 @ 7:23am

This seemed appropriate here...
[ link to this | view in thread ]
ThatFatMan (profile), 27 Aug 2013 @ 7:24am

Re:
http://xkcd.com/705/

forgot the link...whoops
[ link to this | view in thread ]
Anon-Y-Mouse, 27 Aug 2013 @ 3:08pm

Re: Re: Only Snowden?
Q1: Is it possible to gather information using NSA systems on women?
Q2: Are there any men employed as sysadmins?

If (Q1 and Q2) = true then the systems *have* been abused. Bad security cannot beat evolutionary imperatives.

No, evolutionary imperatives will always beat the best security.

The computer is your friend. Trust in the computer.
[ link to this | view in thread ]
Wesley Parish, 27 Aug 2013 @ 8:17pm

This long? What took yous?
That was one of the first things I realized. You have data piling up, both on the organization, and on its victims. You have people of all different shades of political belief and technological ability. And you have - in every organization - someone disgruntled with something or other.

Plus you're working in the Security/Intelligence field, where terminating employment sometimes means terminating the employee as well, even in the spy novels (One of the books I read during my misspent youth was about working in Security/Intelligence, and one thing the author pointed out was that anyone with scruples about terminating another spy to save his own life, was worth nothing as a spy.)

So the chance that someone else will have insurance lying around somewhere, ready to snap the NSA like dry-rotted wood if anything should turn against him? Practically 1.00 confidence interval.

The chance that someone will then use that information to spruce up his life? .95 confidence interval.

The likeliehood that nothing Snowden has leaked so far is news to anyone else? Practically 1.00 confidence interval.

So, what the h*** took yous? You've had all the pointers ... the persecution of Snowden's got nothing to do with security vulnerability as such - it's got everything to do with security theatre.
[ link to this | view in thread ]
Anonymous Coward, 27 Aug 2013 @ 8:39pm

Thank you captain obvious...
Yes, the intelligence agencies are very good at hacking - it's their equivalent of the money-making part of their enterprises. As a result, data-collection is where they spend the bulk of their money and place the most brain-power/skills. However, like the vast majority of enterprises, IT administration is simply another cost-center. As such, those costs are controlled to as great a degree possible - moreso given current budgetary trends. This means that administration is happening at "lowest bid" rates.

The plus side of this is that, while there may be 1000+ individuals that have sufficient access to do something Snowden-esque, there's a very small fraction that have the skills to even begin to try to take advantage of that access. Smaller still is the number that, even if they had the skill to take advantage of that access would not voluntarily nor could be induced to do so.

You can see this reflected in any IT services organization: the billable guys tend to be the most clueful folks while the back-office guys tend to be lower-tier skills. Think of the guy doing desktop support at a Fortune 500 and that's what the vast majority of the 1000 SAs are like in government IT.
[ link to this | view in thread ]
PaulT (profile), 28 Aug 2013 @ 6:55am

Re: Re: Disgruntled admins..
I'd hope an organisation the size of the NSA has some kind of centralised security management and other restrictions. If they're manually setting the access credentials for each individual machine, they're asking for trouble and you might as well assume that the data's compromised anyway.

The more realistic question is how many of those admins left themselves backdoors or other ways of accessing data that nobody else knows about. I'll bet there's several, and now they lack the manpower to audit machines for anything not detectable by standard intrusion detection and auditing procedures.
[ link to this | view in thread ]