You'd Think NSA Employees Would Know Better Than To Hand Out Their Passwords, But Many Gave Them To Snowden
from the nsa-is-trustworthy? dept
In the latest bizarre news concerning the Snowden leaks, Reuters is reporting that Ed Snowden was able to convince a number of NSA employees to give him their login info, which helped him access a lot of the content. Of course, this differs from earlier reports, which had suggested that, as a sys admin, he'd simply been able to log in as other employees.
A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments, said a source close to several U.S. government investigations into the damage caused by the leaks.
What fascinates me about this is the idea that if you were working for the NSA, wouldn't you know to never give out your password to anyone, ever? It just seems like basic common sense (also: if you were one of those 20 to 25 people, I'd imagine that as soon as Snowden's name came out, you were sweating bullets). You'd think that NSA employees wouldn't do that sort of thing.
Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said.
And, once again, what this brings us back around to is the simple fact that NSA employees are humans and sometimes they do the wrong thing. That is why the surveillance program is so worrisome. Keith Alexander and others can insist that there were only a small number of abuses, but all the data actually showed is that the NSA only caught a small number of abuses. It's quite likely that many more have happened, and continue to happen. The fact that it's apparently not that difficult to get NSA employees to cough up their login info shows that for all the talk of careful review, audits, limits and security -- humans remain a very weak link, and there are all sorts of ways to get at information even if the NSA believes it's locked down and carefully monitored.
Filed Under: ed snowden, humans, nsa, nsa surveillance, passwords, secrecy, sharing
Reader Comments
My suggestion
The fact that it's apparently not that difficult to get NSA employees to cough up their login info shows that for all the talk of careful review, audits, limits and security -- humans remain a very weak link, and there are all sorts of ways to get at information even if the NSA believes it's locked down and carefully monitored.
Okay. Here's my suggestion for this. If you all want that information, you have to watch it 24-7. It's that simple. We get Dianne Feinstein, James Clapper, Keith Alexander, and anyone else supporting this into the big room to make SURE it's safe. They remove all suspicion when they're the ones being monitored with this and can show how all the info is under lock and key. They go through each step. Bit by bit.
They remain in the room to show us how this can help save lives. They remain in that one room to maintain national security.
That's my suggestion. You keep them in the room with the information that they have to watch. No senatorial duties, no general duties, and no administrative duties. They just watch the information for national security.
Meanwhile, we can fix the problems they brought up by making these programs much more secure and transparent. They can look, they just can't touch.
How's that sound?
Re: My suggestion
Let me propose a counter-offer:
Lock the above-mentioned persons in a work camp for life, to pay back the tax money they wasted on these programs.
Dismantle the NSA, CIA and a few other shady agencies, and use the money for really useful things, like paying back the trillions of dollars of debt the USA is in.
Use the NSA facilities to test orbital bombardment.
Which only emphasizes and reinforces the point made in the last paragraph. If we ignore the cynic in us, it's much, much better to have focused efforts than throwing such a broad, deep net. If screw-ups happen you won't be compromising the entirety of the population.
I think most NSA passwords are probably...
Brilliant, just brilliant
If he was able to get 20-25 people to hand over their login information, the idea that the systems are even remotely secure is a joke, as if one person can do that, others can do the same, and all it takes is a single person to 'helpfully' give access to someone (who maybe 'forgot their password', or is 'having trouble logging in') for the entire thing to be compromised.
Re:
Strangely enough, paper keys are probably the next cutting-edge, uber-secure method of creating authentication, since you can print them or change them easily and use them with NFC (Near Field Communication) to exchange long cryptographic keys. That is not optimal for high security, obviously; you would want something optical and not using radio waves. Still, either by using optics (camera, lasers, infrared, etc.) or radio waves (NFC, Bluetooth) you could capture a cryptographic key that can be regenerated after every use, be longer, and be easier to use than having to remember a long alphanumeric string, then type it in and only change it every six months.
There was a time I thought people who used weak passwords were dumb; now I can see that the problem was the user interface, not the user.
Re: Re:
Now I have hundreds...
Re: Re:
The problem with the replacements (something you have and something you are) is that they can get lost and they can get changed. If something is password protected, then I can always access it as long as my memory works.
The problem with passwords is people, not the passwords -- and people will find a way to misuse any security scheme, password based or not.
Passwords are, of course, imperfect and not suitable for all security problems. However, the same is true for literally every other scheme. Passwords aren't going away because they fill a need nothing else will.
Re:
I explained to them just how stupid this was, but they're as dumb as a bag of hammers.
Re: Re:
If for some business reason I need to act as you I'll reset your password, and tell you as soon as you are available. (presumably you are not available). I'd be very suspicious of any IT department that has a different policy.
Some users are very hard to dissuade from telling you their passwords: "It doesn't matter, it's just ....". I try very, very hard to stop them from telling me that. I don't even want to know HOW they create their passwords.
I understand how users get confused though. We had one user return from working for another company overseas recently. Apparently their IT dept wouldn't let them even SET their own passwords because 'Then how would I use your computer if you are not there?' If their IT demands terrible practices like that, how are users supposed to know better?
So the great Snowden is just a conman !
Clearly he is not a person who, in the NORMAL COURSE OF HIS WORK, found things that he felt were not right; he actively engaged in criminal activity to "DIG THE DIRT", and that is much different.
You consider him a hero anyway, when all he is, is a common criminal, a conman, and someone who set out to find this information; he did not come across it in the course of his job. He is the very definition of a scumbag.
A lot of people will see this for what it is, and demote him from HERO to ZERO!!!
I had him pegged as a zero from the start, I have to admit, as have most others.
No technical expertise, just a lie and away you go.
Re: So the great Snowden is just a conman !
You left out a few words there, added for accuracy.
Outside of those that are having their illegal actions exposed, most people see a person who risked the ire of a country not known for its self-control, all to expose illegal or quasi-legal actions of the government to the people it's supposed to be representing, as anything but a 'zero'. 'Hero' depends on who you talk to, but 'Patriot' I'd say is a given for someone who risked everything to protect what the country is supposed to stand for, rather than just following the corrupt individuals attacking core rights as set forth by the founders of the country.
Also, might want to give the following page a read through, see if any of it seems familiar.
http://en.wikipedia.org/wiki/Confirmation_bias
Re: Re: So the great Snowden is just a conman !
Nor do I assume like TD that the "Government is EVIL" either.
But I KNOW Snowden is not honest, truthful, smart or anything but a common criminal, and a fool.
It depends on what they are specifically doing, not what or who they are.
You can talk about specifics about Snowden, as he is one person; you simply can't do that with the Government.
The US Government is more right than Snowden is ever right; yes, the Government might do things I don't agree with, but how is the Government doing anything worse by spying to keep the US safer, as opposed to Snowden spying to make a name for himself?
NSA don't say things, so by definition they don't lie; Snowden spies, lies and says what he has done (or is lying).
So either way, Snowden is a scumbag, and the Government is more right than wrong.
Snowden is the scumbag spy who spies for his own gains and profit.
Government is the spying to help keep people safe, what is Snowden's motive to lie and steal ?
Nope, I'm pretty sure I meant patriot, as in 'a person who regards himself or herself as a defender, especially of individual rights, against presumed interference by the federal government.'*
Also your own comment below shows that you do in fact 'assume the government is always right', as you claim both that the government is 'more right than Snowden' in one place and that you can't talk about (and therefore understand) the actions of the government due to its size.
So if you can't discuss or judge the government due to how vast it is, yet still claim that it is 'good, right and honest', then you are in fact merely assuming that it is so.
But I KNOW Snowden is not honest, truthful, smart or anything but a common criminal, and a fool.
And this statement is based upon what then?
Also, you do realize I hope, that assuming that was true, it would mean the NSA hired, and gave a very important position to, a 'common criminal and a fool', hardly helping your argument, right?
You can talk about specifics about Snowden, as he is one person, you simply cant do that with the Government.
Except yes, you can. When specifics of what the government has been doing are made public you can very much talk about, and make judgements on, those actions.
but how is the Government doing anything worse by spying to keep the US safer, as opposed to Snowden spying to make a name for himself?
Well, except their actions aren't designed to make the US safer (or if they are, they're doing a terrible job of it).
Spying on 300+ million Americans, millions of people in other countries, and the most they had to show for it was 54 cases (not court cases, mind; for some reason, despite the severity of the accusations, the accused never seem to make it to a court to be tried, where they could challenge the accusations), all but one of which were dealt with via regular, legal investigations, and that last one was nothing more than a transfer of funds, and even then was only 'possibly' decided by the NSA's spying.
Meanwhile, their actions have massively damaged the US's relations and standing with other countries, severely weakened online and electronic encryption(making things worlds easier for criminals other than just the NSA), made an absolute joke out of the idea of 'justice' with secret courts, secret laws, and secret rulings, shown a complete disregard or active contempt of people's right to privacy and the 4th amendment... how is any of that supposed to have helped the US?
As for 'Snowden spying to make a name for himself'? The US made him more well known and famous than anything he could have ever done, by going so completely insane over his actions, including grounding a foreign head of state's plane because Snowden might have been on board.
Had they not reacted in such an over the top manner, people wouldn't be paying nearly as much attention to the matter, but by going so overboard, they made it abundantly clear that they were desperate to keep hidden what was being revealed.
NSA don't say things, so by definition they don't lie, Snowden spies, lies and says what he has done, (or is lying).
I can only assume you haven't been paying attention the past few months, as if you had you'd have seen that the NSA has been saying a whole lot regarding what they (supposedly) have and have not been doing, and almost every single time evidence has come out proving that they lied. To claim that they not only haven't said anything, but that they haven't lied, constantly, shows a massive amount of willful blindness.
As far as lies by Snowden, by all means, if you've got some evidence he lied about something even remotely as big as what the NSA has been lying about, please share.
So either way, Snowden is a scumbag,
According to you.
and the Government is more right that wrong.
Again, according to you.
Snowden is the scumbag spy who spies for his own gains and profit.
And those gains and profit would be...?
If he was really in it for the money, he wouldn't have told the world what he had done (keep in mind the NSA only found out about his actions because he told them), and he wouldn't have handed the files he'd gotten to a bunch of reporters. Instead he would have sold them to a foreign government (several, probably), and retired to a nice house at some remote, probably tropical location.
Government is the spying to help keep people safe
Makes a nice sound-bite, but is anything but the truth as I mention above, and while they may have originally been spying to keep the US safe, they've gone completely overboard, and these days they spy simply because they wish to and can.
what is Snowden's motive to lie and steal ?
How about informing the US public that the government, which is supposed to be representing and protecting the rights of the citizens, is instead violating those very rights, and doing things that the public would very much object to should they find out about it? Does that seem like a good enough motive?
*Dictionary.com, second definition if you're curious.
Re: Re: Re: So the great Snowden is just a conman !
I bet you're stupid enough to believe this too.
Re: So the great Snowden is just a conman !
Okay then, Mr. Solar Panel Fucktard.
darryl just loathes it when due process is enforced.
Clearly Snowden is not someone to be trusted with anything related to the truth, if he can lie to his co-workers to access their files for his own gains, he can lie about what he claimed to find.
He is no hero in my books, and clearly no technical wiz who saw things he did not like and spoke out about it, he is a common criminal who lied and went looking in other people business, a deliberate act, a criminal act and one intended to be self serving.
So now we can add computer fraud to the ever-growing list of his crimes.
I understand you posted this to try to make Snowden look better and the NSA look worse; it's a shame you've achieved the opposite effect.
Re:
No competent system administrator could ever possibly need other access credentials apart from what they already have and in the off chance that they do need more it's definitely not for Mr. Desk Jockey's creds.
The truth? Are you fucking present? Hello?? Do you think that there are only 25 useless idiots in the pool of 300 thousand or so? (clearly you're not lonely)
The NSA, which is charged with protecting the country and the means, methods and communications therein, was socially engineered resulting in a significant breach to security which also resulted in the dissemination of highly questionable activities to the public. Anyone reading "your books" is wasting their fucking time. Mr. Snowden did you and *billions* of other people a pretty hefty fucking favor. This guy was hacking in the interests of people and his country with the "buck stops here" integrity the U.S. Constitution demands. The security and law enforcement apparatus of the English speaking world is rogue. And being that Mr. Snowden was working in the public interest how hard do you think it is to hack the NSA for private gain?
There there now, soon you'll be all grown up and going to school and you won't need your daddy anymore then will you, darling?
Re:
"A professional would ask the user to create a new login for the maintenance if he did not want to hang around and log in each time for you."
A professional would either use his own admin account or alter the user's permissions to allow access to whatever's needed. WTF are you doing making a secondary account for a user just to access something? Why doesn't their standard account have those permissions? Either you're talking of a program needing elevated rights or something screwy with a bespoke app, but you shouldn't be logging a user in multiple times to fix these problems.
In fact, why the hell would you need the user at all unless it's to get them to show you something or unlock their PC? Why is a professional sys admin having to defer to a standard user's account in order to do his work? Please feel free to name the situation where someone with admin rights would need a user to log in for you "each time", let alone one that requires you to know their password. Please. There are some situations I can think of, but they tend to fall under the category of "the admin is too lazy/incompetent to use a different method".
Re:
No. Just no. That should never be necessary. If it really is where you work, then the real problem is that your system is broken and needs to be fixed.
Security is miserable EVERYWHERE
Go read Marcus Ranum's "The Six Dumbest Ideas in Computer Security", then compare it to many security strategies, and note how many people have -- astonishingly -- made those six dumb ideas the cornerstone of their security policy.
Of course, if you point out their error, they won't admit it. They won't admit it even when some junior system administrator walks out the door with the keys to the kingdom. They'll deny, lie, bluff, everything but admit they're wrong.
You have lost the plot, Mike. -- And NSA goes on SPYING.
That NSA is spying on everyone 24/7 -- just like Google -- is the only relevant and unquestionably true fact to be concerned with. The rest is either intended obfuscation or entirely incidental.
Just call for INDICT, TRY, and JAIL the already known criminals.
Google. Making your life better by spying right up to the creepy limit. (tm) -- And soon as you're used to it, we get creepier!
Re: You have lost the plot, Mike. -- And NSA goes on SPYING.
'Justice'... from a seriously mad US government that has proven multiple times it has no problem doing everything it can to destroy or discredit those that make it look bad...
Yeah, he's no more a 'fugitive from justice' for doing everything he can to stay out of the reach of the US than someone is 'paranoid' for not wanting to walk in front of a firing line for fear of being shot. Both cases are indications of common sense and sanity, not ill intent or nefarious thinking.
Re: Re: You have lost the plot, Mike. -- And NSA goes on SPYING.
KNEW should have put quotes around it as you do. Nonetheless it's true even if the US gov't is insane (as I assume is your use of "mad").
And yet...
And has this info been fact-checked by Reuters?
Re: Re:
Regardless of the accusations by the defenders of the NSA here, I don't think anyone thinks that Snowden is a perfect angel who never did anything wrong. He may be lauded as someone who valued the publicity of the NSA's wrongdoings over his own safety, but that doesn't mean he never did anything untoward himself.
But, to attack him by essentially asserting that the staff of the NSA have no concept of computer security? Talk about a pyrrhic victory, even if it achieves its intended results, which is highly doubtful.
As a sysadmin sometimes you don't even have to ask for passwords
Simply getting passwords from other employees in the course of business of being a system admin, or as a social engineering attack, makes much more sense.
Too Common to Fact Check
When I was in security, the ease with which I could get passwords... especially from people who had never met me before... was breathtaking. Over the years I found some ways to improve password-related security slightly, but only very slightly.
Not only is this very likely to be true in the NSA's case... it is also very likely that you or any random person who could get next to an NSA employee could get the same information.... by asking for it. Obviously it won't be every single employee... but the more you ask, the greater the odds one will just hand it over.
Security is always about the weakest link. It's also always about people, not technology. I'm fairly sure almost all NSA employees are humans, so there you are.
In this case, it also appears that just about everyone with a leadership position in our Federal government has such a combination of ignorance and arrogance regarding technology that real security may be history now.
Of this I am certain: Whatever is officially announced can be discounted immediately for one reason or the other. That can at least save a little time.
P*iss poor network security practices
Why are they not using CAC cards like the military?
Why are they not using some other form of multi-factor authentication?
Yeah, we should all feel so much better about NSA collecting data on all Americans.
What makes you think the government employees working for the NSA are any more knowledgeable about passwords than any other employees? They're just government employees.
I am more inclined to believe that he managed to gather some consensus with his peers that bad things were happening and, that something had to be done, and chose to be the hero (or drew the short straw). With their approval.
What I am trying to say is that people voluntarily gave him their passwords, knowing full well what he intended to do, and agreed that when they were asked about it, they would say "He tricked me! He's a bad, bad man.".
It's crazy, but makes more sense than having NSA (National Security Agency) agents handing over their passwords to people, with complete disregard for the standard operational procedures in effect at any company.
My workplace is more secure, huh?
I know of one case where someone was fired for doing this -- they gave a password to a coworker out of convenience (standing in for them at a meeting) and the coworker filed a security incident report.
We have established procedures to cover the cases where password-sharing might be tempting, so emergencies can be handled without breaching security. There is never a real reason to give your password to anyone.
In other words, apparently my workplace is more secure than the freaking NSA. The mind boggles.
NSA Password protection 101
Authoritarian Security is Horrible
This leads to all sorts of infamous Bavarian fire drills like dressing up as a captain and stealing the town's treasury. This is also why trading liberty for security is fundamentally a lie. Liberty /is/ security against stunts like this.
A sys admin is the authority in most companies
It goes back to the fact that sys admins are an authority figure in most companies, which means people will give them their login information without thinking about it. After all, it's the company's property and the company's computer, so why shouldn't the employees let the sys admin have their login information? Do employees have any right to privacy on their work computers while in the office? If not, then why is this even a story?
Because it's yet another non-story to distract from the larger issue. And if the NSA can discredit Snowden as a "password thief" then fewer people may believe what he has to say.
As tech-savvy people, we should get the word out that sharing passwords with the sys admin is very common.
Re: A sys admin is the authority in most companies
Because the reason you don't give your password to anybody (even the admins) is not to protect your privacy. It's to enhance the security of your employer's systems. Most people don't use a different password for every system or service that requires a password. If someone has the password for one account, they probably have the password for other accounts they have no business accessing.
Rules against giving out your passwords help to reduce the damage from this.
It's a story because the fact that NSA employees give out their passwords so readily is a major security problem of the sort that one would expect an agency like the NSA to not have.
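The point made above has a detection side as well. As an added example (not from the commenter or from Techdirt), here is a small Python check over constructed logon records: a password that has been handed to a colleague tends to show up in audit logs as one account with live sessions on two workstations at once, or as an account hopping between machines faster than its owner could walk. The log format, hostnames and user names are invented for this example; a real deployment would feed it the equivalent fields from its own logon audit source.

```python
"""Spot the audit-log footprint of a shared password.

Added example, not code from the Techdirt post or any commenter. The record
format (timestamp, LOGON/LOGOFF, user, workstation) and every value in
SAMPLE_LOG are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: alice's account is live on two workstations at once;
# carol's account moves to a different workstation one minute after logoff.
SAMPLE_LOG = """\
2013-11-08T08:55:10 LOGON  alice WS-HI-0412
2013-11-08T08:57:02 LOGON  bob   WS-HI-0417
2013-11-08T09:10:44 LOGON  alice WS-HI-0988
2013-11-08T09:31:19 LOGOFF alice WS-HI-0988
2013-11-08T12:00:00 LOGOFF alice WS-HI-0412
2013-11-08T12:01:30 LOGON  bob   WS-HI-0417
2013-11-08T12:05:00 LOGOFF bob   WS-HI-0417
2013-11-08T13:00:00 LOGON  carol WS-HI-0501
2013-11-08T13:30:00 LOGOFF carol WS-HI-0501
2013-11-08T13:31:00 LOGON  carol WS-HI-0777
"""


def parse_events(text):
    """Parse the constructed format into (timestamp, kind, user, host), time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, host = line.split()
        events.append((datetime.fromisoformat(ts), kind, user, host))
    events.sort(key=lambda e: e[0])
    return events


def find_overlapping_sessions(text):
    """Return {user: [(host_already_active, new_host, logon_time_iso)]}.

    An account that opens a session on a second workstation while its first
    session is still open is either a user with two desks or a shared password.
    """
    active = defaultdict(dict)        # user -> {host: logon time}
    findings = defaultdict(list)
    for ts, kind, user, host in parse_events(text):
        if kind == "LOGON":
            for other_host in active[user]:
                if other_host != host:
                    findings[user].append((other_host, host, ts.isoformat()))
            active[user][host] = ts
        elif kind == "LOGOFF":
            active[user].pop(host, None)
    return dict(findings)


def find_rapid_host_hops(text, window_seconds=300):
    """Return {user: [(from_host, to_host, seconds_between)]}.

    Logging off one workstation and on to a different one within a short
    window is noisier than an overlap, but it is the pattern left when a
    password is used right after its owner walks away.
    """
    last_logoff = {}                  # user -> (host, logoff time)
    findings = defaultdict(list)
    for ts, kind, user, host in parse_events(text):
        if kind == "LOGOFF":
            last_logoff[user] = (host, ts)
        elif kind == "LOGON" and user in last_logoff:
            prev_host, prev_ts = last_logoff[user]
            gap = (ts - prev_ts).total_seconds()
            if prev_host != host and gap <= window_seconds:
                findings[user].append((prev_host, host, gap))
    return dict(findings)


if __name__ == "__main__":
    for user, hits in find_overlapping_sessions(SAMPLE_LOG).items():
        for a, b, when in hits:
            print(f"{user}: session on {a} still open when {b} logged on at {when}")
    for user, hits in find_rapid_host_hops(SAMPLE_LOG).items():
        for a, b, gap in hits:
            print(f"{user}: {a} -> {b} within {gap:.0f}s of logoff")
```

Neither heuristic proves sharing on its own; both are cheap to run over existing logon audit data and give an investigator a short list of accounts to ask about, which is exactly the review the article says the NSA's own auditing did not surface.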
Snowden was the IT guy. Of course people gave him passwords. I worked in IT and it was common to be given a password to work on fixing something or setting up a new machine; oftentimes people actually requested that I not set their account to require a new password on the next login when I finished. Bad security practice? Hell yeah. People pleaser? Hell yeah. People who aren't directly invested in security absolutely feel complexity requirements and other practices are arbitrary; they don't understand.
NSA would have similarities to people not in NSA who have IT needs. Even if all machines were a preconfigured image, there would still be things where something is broken, the IT guy is called, and the computer possessor has other work duties to perform. IT guy and office worker don't want the office worker hanging around, bored, while IT figures out the issue, so they make the deal of trading the password so they both can focus on their work.
Snowden was a vetted co-worker. It's not like he just appeared one day claiming to be someone he wasn't. He didn't infiltrate the NSA under false pretenses with the goal of fraudulently justifying his presence there; they employed him in the IT department, so people naturally lowered their barriers around him. Going forward, yeah, there definitely will be more paranoia within the office rather than simply being directed outward. Especially when it means your job. This might be a good thing for those of us hoping for more problems for the NSA to deal with.
More NSA FUD
Second, the NSA has a history of making up stories in which they try to show they are reliable defenders rather than fascist scavengers. One way would be to say "it's not us, it's them", in this case admins merely doing their job.
To me, this story is bogus, with the express purpose of making Snowden look like he was doing illicit things, and the NSA being virtuous victims. I think they are throwing innocent people under the bus, to make themselves look good.
Re: More NSA FUD
Then it fails, because this story makes the NSA look incredibly incompetent rather than like "virtuous victims".