You'd Think NSA Employees Would Know Better Than To Hand Out Their Passwords, But Many Gave Them To Snowden

from the nsa-is-trustworthy? dept

In the latest bizarre news concerning the Snowden leaks, Reuters is reporting that Ed Snowden was able to convince a number of NSA employees to give him their login info, which helped him access a lot of the content. Of course, this differs from earlier reports, which had suggested that, as a sys admin, he'd simply been able to log in as other employees.

"A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments, said a source close to several U.S. government investigations into the damage caused by the leaks.

"Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said."

What fascinates me about this is the idea that if you were working for the NSA, wouldn't you know to never give out your password to anyone, ever? It just seems like basic common sense (also: if you were one of those 20 to 25 people, I'd imagine that as soon as Snowden's name came out, you were sweating bullets). You'd think that NSA employees wouldn't do that sort of thing.

And, once again, what this brings us back around to is the simple fact that NSA employees are humans and sometimes they do the wrong thing. That is why the surveillance program is so worrisome. Keith Alexander and others can insist that there were only a small number of abuses, but all the data actually showed is that the NSA only caught a small number of abuses. It's quite likely that many more have happened, and continue to happen. The fact that it's apparently not that difficult to get NSA employees to cough up their login info shows that for all the talk of careful review, audits, limits and security -- humans remain a very weak link, and there are all sorts of ways to get at information even if the NSA believes it's locked down and carefully monitored.

Filed Under: ed snowden, humans, nsa, nsa surveillance, passwords, secrecy, sharing


Reader Comments

  • Jay, 8 Nov 2013 @ 3:54am

    My suggestion

    I'm reading this story and I have to wonder. Why do these people continue to believe the information is safe and secure?

    The fact that it's apparently not that difficult to get NSA employees to cough up their login info shows that for all the talk of careful review, audits, limits and security -- humans remain a very weak link, and there are all sorts of ways to get at information even if the NSA believes it's locked down and carefully monitored.


    Okay. Here's my suggestion for this. If you all want that information, you have to watch it 24-7. It's that simple. We get Dianne Feinstein, James Clapper, Keith Alexander, and anyone else supporting this into the big room to make SURE it's safe. They remove all suspicion when they're the ones being monitored with this and can show how all the info is under lock and key. They go through each step. Bit by bit.

    They remain in the room to show us how this can help save lives. They remain in that one room to maintain national security.

    That's my suggestion. You keep them in the room with the information that they have to watch. No senatorial duties, no general duties, and no administrative duties. They just watch the information for national security.

    Meanwhile, we can fix the problems they brought up by making these programs much more secure and transparent. They can look, they just can't touch.

    How's that sound?

    • Anonymous Howard, 8 Nov 2013 @ 7:01am

      Re: My suggestion

      How's that sound?

      Let me propose a counter-offer:

      Lock the above mentioned persons in a work camp for lifetime, to pay back the tax money they wasted on these programs.

      Dismantle the NSA, CIA and a few other shady agencies, and use the money for really useful things, like paying back the trillions $ debt the USA is in.

      Use the NSA facilities to test orbital bombardment.

  • Ninja, 8 Nov 2013 @ 3:55am

    I'll bet that at least one had a password in the realm of 123456 or the likes. There is no end to human stupidity (and yes I'm pointing at you and including myself in), every once in a while we do stupid things regardless of how seasoned, experienced or smart we are.

    Which only emphasizes and reinforces the point made in the last paragraph. If we ignore the cynic in us, it's much much better to have focused efforts than throwing such a broad, deep net. If screw ups happen you won't be compromising the entirety of the population.

    • Anonymous Coward, 8 Nov 2013 @ 6:33am

      Re:

      Probably not that simple, as it's pretty trivial to enable the forced password complexity requirement. Of course on the flip side, Password1 would meet most common complexity requirements.

  • RyanNerd, 8 Nov 2013 @ 5:15am

    I think most of NSA passwords are probably...

  • That One Guy, 8 Nov 2013 @ 5:19am

    Brilliant, just brilliant

    Their 'awesome' security was broken by the easiest (yet funnily enough the most effective) method of getting into secure systems: talking someone in the company into letting you in.

    If he was able to get 20-25 people to hand over their login information, the idea that the systems are even remotely secure is a joke, as if one person can do that, others can do the same, and all it takes is a single person to 'helpfully' give access to someone (who maybe 'forgot their password', or 'are having trouble logging in') for the entire thing to be compromised.

  • Zakida Paul, 8 Nov 2013 @ 5:21am

    It never ceases to amaze me how stupid people are when it comes to passwords. Working in front line IT, I see my share of it. You would be amazed how many people, when asked for their log on ID, give me their password; and how many of those passwords are ridiculously easy to guess.

    • Anonymous Coward, 8 Nov 2013 @ 5:54am

      Re:

      Don't worry, passwords had a good run, they are not useful anymore, they are a speed bump not a strong security feature unless your password is random and long which nobody will remember.

      Strangely enough, paperkeys are probably the next cutting edge uber secure method of creating authentication, since you can print it or change them easily and use them with NFC (Near Field Communication) to exchange long cryptographic keys, which is not optimal for high security obviously, you would want something optical and not using radio waves still either by using optics (camera, lasers, infrared etc) or radio waves (NFC, bluetooth) to capture a cryptographic key that can be regenerated after every use, be longer and easier to use than having to remember a long alphanumeric string, then type it in and only change it every six months.

      There was a time I thought people who used weak passwords were dumb, now I can see that the problem was the user interface not the user.

      • Anonymous Coward, 8 Nov 2013 @ 11:28am

        Re: Re:

        Passwords were great when you needed 3

        Now I have hundreds...

      • John Fenderson, 8 Nov 2013 @ 12:12pm

        Re: Re:

        Passwords are still incredibly useful and will remain so for a very, very long time. Yes, they can be a weakness when used improperly, but a replacement that has similar strengths hasn't been invented yet.

        The problem with the replacements (something you have and something you are) is that they can get lost and they can get changed. If something is password protected, then I can always access it as long as my memory works.

        The problem with passwords is people, not the passwords -- and people will find a way to misuse any security scheme, password based or not.

        Passwords are, of course, imperfect and not suitable for all security problems. However, the same is true for literally every other scheme. Passwords aren't going away because they fill a need nothing else will.

    • AG, 9 Nov 2013 @ 11:32pm

      Re:

      My employer has actually made it their policy that you must give your password to IT if asked for it.

      I explained to them just how stupid this was, but they're as dumb as a bag of hammers.

      • qyiet, 11 Nov 2013 @ 11:40am

        Re: Re:

        I'm IT for my company, and I will ask you to enter your password. I'll never ask you to tell me your password.

        If for some business reason I need to act as you I'll reset your password, and tell you as soon as you are available. (presumably you are not available). I'd be very suspicious of any IT department that has a different policy.

        Some users are very hard to dissuade from telling you their passwords "It doesn't matter it's just ....". I try very very hard to stop them from telling me that.. I don't even want to know HOW they create their passwords.

        I understand how users get confused though. We had one user return from working for another company overseas recently. Apparently their IT dpt wouldn't let them even SET their own passwords because 'Then how would I use your computer if you are not there'. If their IT demands terrible practices like that how are users supposed to know better?

  • Anonymous Coward, 8 Nov 2013 @ 5:39am

    You know it is my experience that subordinates emulate their bosses most of the time, how much anyone wants to bet that Keith's secretary has all his passwords?

  • Anonymous Coward, 8 Nov 2013 @ 5:45am (flagged by the community)

    So the great Snowden is just a conman !

    Is simply a simpleton CONMAN !!!

    Clearly he is not a person who in the NORMAL COURSE OF HIS WORK, found things that he felt were not right, he actively engaged in criminal activity to "DIG THE DIRT", and is much different.

    You consider him a hero anyway, when all he is, is a common criminal, conman, and someone who set out to find this information, he did not come across it in the course of his job.. he is the very definition of a scumbag.

    A lot of people will see this for what it is, and demote him from HERO to ZERO !!!.
    I had him pegged as a zero from the start I have to admit, as has most others.

    No technical expertise, just a lie and away you go.

    • That One Guy, 8 Nov 2013 @ 6:15am

      Re: So the great Snowden is just a conman !

      I had him pegged as a zero from the start I have to admit, as has most others who automatically assume the government is always right.

      You left out a few words there, added for accuracy.

      Outside of those that are having their illegal actions exposed, most people see a person who risked the ire of a country not known for its self-control, all to expose illegal or quasi-legal actions of the government to the people it's supposed to be representing as anything but a 'zero'. 'Hero' depends on who you talk to, but 'Patriot' I'd say is a given for someone who risked everything to protect what the country is supposed to stand for, rather than just following the corrupt individuals attacking core rights as set forth by the founders of the country.

      Also, might want to give the following page a read through, see if any of it seems familiar.

      http://en.wikipedia.org/wiki/Confirmation_bias

      • Anonymous Coward, 8 Nov 2013 @ 5:54pm

        Re: Re: So the great Snowden is just a conman !

        I'm sure you meant parasite not patriot, and no I do not assume the Government is always right, or good or honest.
        Nor do I assume like TD that the "Government is EVIL" either.

        But I KNOW Snowden is not honest, truthful, smart or anything but a common criminal, and a fool.

        It depends on what they are specifically doing, not what or who they are.
        You can talk about specifics about Snowden, as he is one person, you simply can't do that with the Government.

        The US Government is more right than Snowden is ever right, yes the Government might do things I don't agree with, but how is the Government doing anything worse by spying to keep the US safer, as opposed to Snowden spying to make a name for himself?

        NSA don't say things, so by definition they don't lie, Snowden spies, lies and says what he has done, (or is lying).

        So either way, Snowden is a scumbag, and the Government is more right than wrong.

        Snowden is the scumbag spy who spies for his own gains and profit.
        Government is the spying to help keep people safe, what is Snowden's motive to lie and steal ?

        • That One Guy, 9 Nov 2013 @ 1:00am

          I'm sure you meant parasite not patriot, and no I do not assume the Government is always right, or good or honest.

          Nope, I'm pretty sure I meant patriot, as in 'a person who regards himself or herself as a defender, especially of individual rights, against presumed interference by the federal government.'*

          Also your own comment below shows that you do in fact 'assume the government is always right', as you claim both that the government is 'more right than Snowden' in one place and that you can't talk about (and therefore understand), the actions of the government due to its size.

          So if you can't discuss or judge the government due to how vast it is, yet still claim that it is 'good, right and honest', then you are in fact merely assuming that it is so.

          But I KNOW Snowden is not honest, truthful, smart or anything but a common criminal, and a fool.

          And this statement is based upon what then?

          Also, you do realize I hope, that assuming that was true, it would mean the NSA hired, and gave a very important position to, a 'common criminal and a fool', hardly helping your argument, right?

          You can talk about specifics about Snowden, as he is one person, you simply can't do that with the Government.

          Except yes, you can. When specifics of what the government has been doing are made public you can very much talk about, and make judgements on, those actions.

          but how is the Government doing anything worse by spying to keep the US safer, as opposed to Snowden spying to make a name for himself?

          Well except their actions aren't designed to make the US safer(or if they are, they're doing a terrible job of it).

          Spying on 300+ million Americans, millions of people in other countries, and the most they had to show for it was 54 cases (not court cases mind, for some reason despite the severity of the accusations, the accused never seem to make it to a court to be tried, and where they could challenge the accusations), all but one of which were dealt with via regular, legal investigations, and that last one was nothing more than a transfer of funds, and even then was only 'possibly' decided by the NSA's spying.

          Meanwhile, their actions have massively damaged the US's relations and standing with other countries, severely weakened online and electronic encryption(making things worlds easier for criminals other than just the NSA), made an absolute joke out of the idea of 'justice' with secret courts, secret laws, and secret rulings, shown a complete disregard or active contempt of people's right to privacy and the 4th amendment... how is any of that supposed to have helped the US?

          As for 'Snowden spying to make a name for himself'? The US made him more well known and famous than anything he could have ever done, by going so completely insane over his actions, including grounding a foreign head of state's plane because Snowden might have been on board.

          Had they not reacted in such an over the top manner, people wouldn't be paying nearly as much attention to the matter, but by going so overboard, they made it abundantly clear that they were desperate to keep hidden what was being revealed.

          NSA don't say things, so by definition they don't lie, Snowden spies, lies and says what he has done, (or is lying).

          I can only assume you haven't been paying attention the past few months, as if you had you'd have seen that the NSA has been saying a whole lot regarding what they (supposedly) have and have not been doing, and almost every single time evidence has come out proving that they lied. To claim that they not only haven't said anything, but that they haven't lied, constantly, shows a massive amount of willful blindness.

          As far as lies by Snowden, by all means, if you've got some evidence he lied about something even remotely as big as what the NSA has been lying about, please share.

          So either way, Snowden is a scumbag,

          According to you.

          and the Government is more right than wrong.

          Again, according to you.

          Snowden is the scumbag spy who spies for his own gains and profit.

          And those gains and profit would be...?

          If he was really in it for the money, he wouldn't have told the world what he had done(keep in mind the NSA only found out about his actions because he told them), and he wouldn't have handed the files he'd gotten to a bunch of reporters. Instead he would have sold them to a foreign government(several probably), and retired to a nice house at some remote, probably tropic location.

          Government is the spying to help keep people safe

          Makes a nice sound-bite, but is anything but the truth as I mention above, and while they may have originally been spying to keep the US safe, they've gone completely overboard, and these days they spy simply because they wish to and can.

          what is Snowden's motive to lie and steal ?

          How about informing the US public that the government, which is supposed to be representing and protecting the rights of the citizens, is instead violating those very rights, and doing things that the public would very much object to should they find out about it, that seem like a good enough motive?

          *Dictionary.com, second definition if you're curious.

        • PaulT, 9 Nov 2013 @ 1:26am

          Re: Re: Re: So the great Snowden is just a conman !

          "the Government (is) spying to keep the US safer"

          I bet you're stupid enough to believe this too.

        • Anonymous Coward, 9 Nov 2013 @ 9:08am

          Re: Re: Re: So the great Snowden is just a conman !

          darryl just loathes it when due process is enforced.

    • Anonymous Coward, 8 Nov 2013 @ 6:22am (flagged by the community)

      Re: So the great Snowden is just a conman !

      So you're fine with the NSA being staffed by people idiotic enough to freely give their passwords to a person you consider a conman.

      Okay then, Mr. Solar Panel Fucktard.

      darryl just loathes it when due process is enforced.

      • That One Guy, 8 Nov 2013 @ 6:28am

        Re: Re: So the great Snowden is just a conman !

        Try not to sink to their level with the swearing and personal insults, you'll get reported just the same as them, and rightly so.

  • Anonymous Coward, 8 Nov 2013 @ 5:54am (flagged by the community)

    I am also guessing Mr Masnick you yourself have never worked as a "sys admin" because if you had you would know there are situations where you have to either get the user/pass or have that person log you in, otherwise you simply cannot do your job. A professional would ask the user to create a new login for the maintenance if he did not want to hang around and log in each time for you.

    Clearly Snowden is not someone to be trusted with anything related to the truth, if he can lie to his co-workers to access their files for his own gains, he can lie about what he claimed to find.

    He is no hero in my books, and clearly no technical wiz who saw things he did not like and spoke out about it, he is a common criminal who lied and went looking in other people's business, a deliberate act, a criminal act and one intended to be self serving.

    So now we can add computer fraud to the ever growing list of his crimes.

    I understand you posted this to try to make Snowden look better and NSA look worse, it's a shame you've achieved the opposite effect..

    • Anonymous Coward, 8 Nov 2013 @ 6:18am

      Re:

      Suppose you are an admin (which I hope you are not) and one of your users forgets or loses his/her password, what then?

    • Rapnel, 8 Nov 2013 @ 7:59am

      Re:

      Here's where I have to disagree with That One Guy because there are so, so many levels to your fucktardianess that sinking to any of them would be a rather challenging objective.

      No competent system administrator could ever possibly need other access credentials apart from what they already have and in the off chance that they do need more it's definitely not for Mr. Desk Jockey's creds.

      The truth? Are you fucking present? Hello?? Do you think that there are only 25 useless idiots in the pool of 300 thousand or so? (clearly you're not lonely)

      The NSA, which is charged with protecting the country and the means, methods and communications therein, was socially engineered resulting in a significant breach to security which also resulted in the dissemination of highly questionable activities to the public. Anyone reading "your books" is wasting their fucking time. Mr. Snowden did you and *billions* of other people a pretty hefty fucking favor. This guy was hacking in the interests of people and his country with the "buck stops here" integrity the U.S. Constitution demands. The security and law enforcement apparatus of the English speaking world is rogue. And being that Mr. Snowden was working in the public interest how hard do you think it is to hack the NSA for private gain?

      There there now, soon you'll be all grown up and going to school and you won't need your daddy anymore then will you, darling?

    • PaulT, 8 Nov 2013 @ 8:35am

      Re:

      Wow, I missed this but thanks to Rapnel's post pointing this idiocy out.

      "A professional would ask the user to create a new login for the maintenance if he did not want to hang around and log in each time for you."

      A professional would either use his own admin account or alter the user's permissions to allow access to whatever's needed. WTF are you doing making a secondary account for a user just to access something? Why doesn't their standard account have those permissions? Either you're talking of a program needing elevated rights or something screwy with a bespoke app, but you shouldn't be logging a user in multiple times to fix these problems.

      In fact why the hell would you need the user at all unless it's to get them to show you something or unlock their PC? Why is a professional sys admin having to defer to a standard user's account in order to do his work? Please feel free to name the situation where someone with admin rights would need a user to log in for you "each time", let alone one that requires you to know their password. Please. There are some situations I can think of, but they tend to fall under the category of "the admin is too lazy/incompetent to use a different method".

    • John Fenderson, 8 Nov 2013 @ 9:15am

      Re:

      there are situations where you have to either get the user/pass or have that person log you in, otherwise you simply cannot do your job.


      No. Just no. That should never be necessary. If it really is where you work, then the real problem is that your system is broken and needs to be fixed.

  • Anonymous Coward, 8 Nov 2013 @ 5:55am

    Security is miserable EVERYWHERE

    Those of us who've worked in the field for a long time know this. Doesn't matter whether it's the NSA or Google, an ISP or a web host, IBM or Joe's Donut Shop: it's miserable.

    Go read Marcus Ranum's "The Six Dumbest Ideas in Computer Security", then compare it to many security strategies, and note how many people have -- astonishingly -- made those six dumb ideas the cornerstone of their security policy.

    Of course if you point out their error, they won't admit it. They won't admit even when some junior system administrator walks out the door with the keys to the kingdom. They'll deny, lie, bluff, everything but admit they're wrong.

  • out_of_the_blue, 8 Nov 2013 @ 6:02am (flagged by the community)

    You have lost the plot, Mike. -- And NSA goes on SPYING.

    How Snowden got passwords -- or didn't -- is irrelevant. You have nothing but report of unnamed "source" to go on, and as one AC gleefully jumps on above, this serves to discredit Snowden besides take focus off NSA. So this is almost certainly an official NSA "leak". -- And from start, Snowden is implicitly discredited by being a fugitive from justice, which well serves NSA purpose IF were all as I still believe, a limited hangout psyop.

    That NSA is spying on everyone 24/7 -- just like Google -- is the only relevant and unquestionably true fact to concern with. The rest is either intended obfuscation or entirely incidental.

    Just call for INDICT, TRY, and JAIL the already known criminals.

    Google. Making your life better by spying right up to the creepy limit. (tm) -- And soon as you're used to it, we get creepier!

    02:01:20[c-2-2]

    • That One Guy, 8 Nov 2013 @ 6:25am

      Re: You have lost the plot, Mike. -- And NSA goes on SPYING.

      ...by being a fugitive from justice

      'Justice'... from a seriously mad US government that has proven multiple times it has no problem doing everything it can to destroy or discredit those that make it look bad...

      Yeah, he's no more a 'fugitive from justice' for doing everything he can to stay out of the reach of the US than someone is 'paranoid' for not wanting to walk in front of a firing line for fear of being shot. Both cases are indications of common sense and sanity, not ill intent or nefarious thinking.

      • out_of_the_blue, 8 Nov 2013 @ 6:37am

        Re: Re: You have lost the plot, Mike. -- And NSA goes on SPYING.

        @ 'Justice'... from a seriously mad US government


        KNEW should have put quotes around it as you do. Nonetheless it's true even if the US gov't is insane (as I assume is your use of "mad").

        • That One Guy, 8 Nov 2013 @ 6:42am

          Re: Re: Re: You have lost the plot, Mike. -- And NSA goes on SPYING.

          Crazy works too(though mostly in the 'power mad' sense), but I was more referring to how angry they are with him for having their dirty laundry aired out in public like this, and even then 'mad' is most certainly understating it, given some of the comments and accusations they've slung his way.

        • Anonymous Coward, 10 Nov 2013 @ 7:58pm

          Re: Re: Re: You have lost the plot, Mike. -- And NSA goes on SPYING.

          out_of_the_blue just hates it when due process is enforced.

  • Anonymous Coward, 8 Nov 2013 @ 6:03am

    You'd think of any organization that would make sure their employees were savvy to social engineering (that most successful method of breaking security), even when done by an insider, it would be the NSA.

    And yet...

  • Anonymous Coward, 8 Nov 2013 @ 6:05am

    And has this info been fact-checked by Reuters?

    If yes, how? by asking the oh-so-trustworthy NSA?

  • Shawn H Corey, 8 Nov 2013 @ 6:28am

    Who said this? NSA? The TLA that repeatedly lied to its own bosses? Looks like an NSA witch-hunt to me.

    • That One Guy, 8 Nov 2013 @ 6:37am

      Re:

      Quite possibly, after all it wasn't too long ago that a story was put out saying that Snowden was disciplined before this whole mess for hacking into a system, which not only appeared to be tailor made as a character assassination piece, but was also proven to be bogus not long after it came out.

      • PaulT, 8 Nov 2013 @ 7:14am

        Re: Re:

        It would be hilarious if it's meant to be a hit piece.

        Regardless of the accusations by the defenders of the NSA here, I don't think anyone thinks that Snowden is a perfect angel who never did anything wrong. He may be lauded as someone who valued the publicity of the NSA's wrongdoings over his own safety, but that doesn't mean he never did anything untoward himself.

        But, to attack him by essentially asserting that the staff of the NSA have no concept of computer security? Talk about a pyrrhic victory, even if it achieves its intended results, which is highly doubtful.

  • Anonymous Coward, 8 Nov 2013 @ 6:32am

    As a sysadmin sometimes you don't even have to ask for passwords

    In order to get some programs working using a restricted account, I would sometimes need them to log in to see what files/registry keys were getting access denied (usually only if my own restricted account wasn't experiencing the issues). I'd then log in with my admin account and change permissions as needed. The person didn't always want to stick around and would offer their user ID and password without asking, so that they could go do other things... I always told them it was against company policy to share passwords... but it made me wonder who else they might be sharing with...

  • Anonymous Coward, 8 Nov 2013 @ 6:42am

    Yeah, this makes a lot more sense. The thing I always doubted about "he was able to log in as them because he was an admin" is that he'd still need their password. Otherwise every time he logged in as someone, they'd be forced to reset their password as the only reasonable way for him to get access would be to reset their password, which he would be unable to set back not knowing the original password.

    Simply getting passwords from other employees in the course of business of being a system admin, or as a social engineering attack, makes much more sense.

  • Aztecian, 8 Nov 2013 @ 7:15am

    Too Common to Fact Check

    Regardless of any later results that a fact check might produce (if we can determine which lie to disbelieve the least) the password thing is so common it is the easiest to believe.

    When I was in security, the ease with which I could get passwords...especially from people who never met me before...was breathtaking. Over the years I found some ways to improve password related security slightly, but only very slightly.

    Not only is this very likely to be true in the NSA's case... it is also very likely that you or any random person who could get next to an NSA employee could get the same information.... by asking for it. Obviously it won't be every single employee... but the more you ask, the greater the odds one will just hand it over.

    Security is always about the weakest link. It's also always about people, not technology. I'm fairly sure almost all NSA employees are humans, so there you are.

    In this case, it also appears that just about everyone with a leadership position in our Federal government has a combination of ignorance and arrogance regarding technology that real security may be history now.

    Of this I am certain: Whatever is officially announced can be discounted immediately for one reason or the other. That can at least save a little time.

  • FedUp, 8 Nov 2013 @ 7:18am

    P*iss poor network security practices

    Humans are always the weakest link. So, for all the money and technology the NSA has available they are only using password authentication to protect their own network? What a bunch of idiots.

    Why are they not using CAC cards like the military?
    Why are they not using some other form of multi-factor authentication?

    Yeah, we should all feel so much better about NSA collecting data on all Americans.

  • Hans, 8 Nov 2013 @ 7:58am

    "What fascinates me about this is the idea that if you were working for the NSA, wouldn't you know to never give out your password to anyone, ever?"

    What makes you think the government employees working for the NSA are any more knowledgeable about passwords than any other employees? They're just government employees.

  • Anonymous Coward, 8 Nov 2013 @ 8:28am

    You people are assuming that Snowden somehow "tricked" people to give him the passwords.

    I am more inclined to believe that he managed to gather some consensus with his peers that bad things were happening and that something had to be done, and chose to be the hero (or drew the short straw). With their approval.

    What I am trying to say is that people voluntarily gave him their passwords, knowing full well what he intended to do, and agreed that when they were asked about it, they would say "He tricked me! He's a bad, bad man.".

    It's crazy, but makes more sense than having NSA (National Security Agency) agents handing over their passwords to people, with complete disregard to standard operational procedures in effect on any company.

    • PaulT, 8 Nov 2013 @ 8:37am

      Re:

      Irrelevant. Either he fooled some NSA employees to give him their passwords or he conspired with them. Either way, the NSA failed at retaining a basic state of security, and the result is the same. Incompetent or corrupt - same difference.

  • John Fenderson, 8 Nov 2013 @ 9:09am

    My workplace is more secure, huh?

    Where I work, giving your passwords out to anyone -- your coworker, your manager, the CEO, anyone -- is grounds for immediate firing. People take this very seriously here.

    I know of one case where someone was fired for doing this -- they gave a password to a coworker out of convenience (standing in for them at a meeting) and the coworker filed a security incident report.

    We have established procedures to cover the cases where password-sharing might be tempting, so emergencies can be handled without breaching security. There is never a real reason to give your password to anyone.

    In other words, apparently my workplace is more secure than the freaking NSA. The mind boggles.

  • RyanNerd, 8 Nov 2013 @ 9:55am

    NSA Password protection 101

    Apparently never communicated or required.

  • Anonymous Coward, 8 Nov 2013 @ 2:51pm

    Authoritarian Security is Horrible

    Really this should come as no surprise. Authoritarians love argument ad baculum and their orders being unquestioned. So it is easy for a social engineer to appropriate their authority and use it against them. When they're too afraid to question their orders to do anything they're easier to hijack than an unlocked car with the keys left in the passenger seat.

    This leads to all sorts of infamous Bavarian fire drills like dressing up as a captain and stealing the town's treasury. This is also why trading liberty for security is fundamentally a lie. Liberty /is/ security against stunts like this.

  • John85851, 8 Nov 2013 @ 3:10pm

    A sys admin is the authority in most companies

    This seems like it should be a story on computer security not a story on Snowden.

    It goes back to the fact that sys admins are an authority figure in most companies, which means people will give them their login information without thinking about it. After all, it's the company's property and the company's computer, so why shouldn't the employees let the sys admin have their login information? Do employees have any right to privacy on their work computers while in the office? If not, then why is this even a story?

    Because it's yet another non-story to distract from the larger issue. And if the NSA can discredit Snowden as a "password thief" then less people may believe what he has to say.

    As tech-savvy people, we should get the word out that sharing passwords with the sys admin is very common.

    • John Fenderson, 11 Nov 2013 @ 9:42am

      Re: A sys admin is the authority in most companies

      "Do employees have any right to privacy on their work computers while in the office? If not, then why is this even a story?"

      Because the reason you don't give your password to anybody (even the admins) is not to protect your privacy. It's to enhance the security of your employer's systems. Most people don't use a different password for every system or service that requires a password. If someone has the password for one account, they probably have the password for other accounts they have no business accessing.

      Rules against giving out your passwords help to reduce the damage from this.

      It's a story because the fact that NSA employees give out their passwords so readily is a major security problem of the sort that one would expect an agency like the NSA to not have.

  • Anonymous Coward, 8 Nov 2013 @ 10:34pm

    I hate the NSA as much as the next Techdirt commentator, but this is a little bit silly to act like this is shocking. Maybe the readers of pro-govt media actually still believe that NSA or gov't employees in general are somehow above taking shortcuts, but those of us with IT experience should know better:

    Snowden was the IT guy. Of course people gave him passwords. I worked in IT and it was common to be given a password to work on fixing something or setup of a new machine, often times people actually requested I did not set their account to require a new password on the next login when I finished. Bad security practice? Hell yeah. People pleaser? Hell yeah. People who aren't directly invested in security absolutely feel complexity requirements and other practices are arbitrary, they don't understand. NSA would have similarities to people not in NSA who have IT needs. Even if all machines were a preconfigured image, there would still be things where something is broken, the IT guy is called, and the computer possessor has other work duties to perform. IT guy and office worker don't want office worker hanging around, bored while IT figures out the issue, so they make the deal of trading password so they both can focus on their work. Snowden was a vetted co-worker. It's not like he just appeared one day claiming to be someone he wasn't. He didn't infiltrate the NSA under false pretenses with the goal of fraudulently justifying his presence there, they employed him in the IT department, so people naturally lowered their barriers around him. Going forward, yeah there definitely will be more paranoia within the office rather than simply being directed outward. Especially when it means your job. This might be a good thing for those of us hoping for more problems for the NSA to deal with.

  • Gene Cavanaugh, 9 Nov 2013 @ 2:27pm

    More NSA FUD

    First, admins often need access to other systems to get their work done, and the work is made difficult by denying it.

    Second, the NSA has a history of making up stories in which they try to show they are reliable defenders rather than fascist scavengers. One way would be to say "it's not us, it's them", in this case admins merely doing their job.

    To me, this story is bogus, with the express purpose of making Snowden look like he was doing illicit things, and the NSA being virtuous victims. I think they are throwing innocent people under the bus, to make themselves look good.

    • John Fenderson, 11 Nov 2013 @ 9:45am

      Re: More NSA FUD

      "To me, this story is bogus, with the express purpose of making Snowden look like he was doing illicit things, and the NSA being virtuous victims."

      Then it fails, because this story makes the NSA look incredibly incompetent rather than like "virtuous victims".
