NSA's Latest Euphemism For Security Lapses That Allowed Snowden Leaks: The Leaks Were 'Masked By His Job Duties'

from the in-other-words,-it-was-not-secure dept

We've already covered a few times how, despite the NSA's (and its defenders') repeated claims that its systems can't be abused because of its vaunted "auditability," the fact that Snowden got access to all those documents without anyone being able to figure out what he took shows that the audits don't work. It became clear that the audits appear to only apply to analysts, but not sys admins like Snowden, and there are around 1,000 of those, leading to the obvious question: how many others also got classified info without anyone noticing it? One officials has tried to make it out that Snowden was "too brilliant" to work for the NSA, since he covered his tracks. While every indication is that Snowden was, in fact, quite good at his job, and able to cover his tracks well, it's not at all clear that what he did was particularly unique or special.

In fact, the latest spin from the NSA is to claim that he wasn't that "gifted" at all, but rather than the leaks were "masked by his job duties."

"His job was to do what he did. He wasn't a ghost. He wasn't that clever. He did his job. He was observed [moving documents], but it was his job."

That report also quotes the NSA's CTO as saying that now, about four months later, the NSA finally has a "good idea" of what Snowden got:

"We have an extremely good idea of exactly what data he got access to and how exactly he got access to it," says the NSA's chief technology officer, Lonny Anderson.

Only took four months. Of course, all of this, once again, raises all sorts of questions. It shows that the NSA's audits were basically non-existent for a very large number of people. It shows that the NSA has almost no legitimate way to go back and see if there were widespread abuses among others with similar "job duties." If it was his "job" to do these kinds of things, and there was no real way to track him without many months of work (and even then, only to the degree that the NSA has a "good idea" of what he did), then there's no real accountability there at all. At this point, it seems reasonable to use this to assume that the NSA's systems aren't even remotely secure, and have regularly been abused, without anyone at the NSA even knowing about it. After all, the NSA itself is admitting that someone doesn't even need to be "that clever" to abscond with tens of thousands of classified info on top secret programs and leave an almost non-existent trail.

Filed Under: accountability, audits, ed snowden, lonny anderson, nsa, nsa surveillance

1,000 Sys Admins Can Copy Any NSA Document Without Anyone Knowing About It; Think Only Snowden Did?

from the perfect-audits? dept

Following on our earlier story about how Ed Snowden covered his tracks -- showing that the NSA's vaunted "auditability" of its systems is a complete joke -- comes the news that there are approximately one thousand sys admins with Snowden's authority, who can basically go through any document without any trace. Even more incredible: they can "appear as" anyone else when doing things on the system. In other words if a sys admin wanted to frame an NSA analyst, it sounds like that would be quite easy. The report also notes that, for all of the talk about how great the NSA is at cybersecurity, and the fact that part of the point of CISPA was to try to have the NSA in charge of the nation's cybersecurity, the agency does a piss poor job protecting itself:

“It’s 2013 and the NSA is stuck in 2003 technology,” said an intelligence official.

Jason Healey, a former cyber-security official in the Bush Administration, said the Defense Department and the NSA have “frittered away years” trying to catch up to the security technology and practices used in private industry. “The DoD and especially NSA are known for awesome cyber security, but this seems somewhat misplaced,” said Healey, now a cyber expert at the Atlantic Council. “They are great at some sophisticated tasks but oddly bad at many of the simplest.”

That last sentence really means: "they are great at hacking stuff, but crap at protecting stuff."

As for the thousand or so sys admins on staff, it appears that they have no restrictions or tracking of what they do:

As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.

He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.

If he wanted, he would even have been able to pose as any other user with access to NSAnet, said the source.

Remember how the NSA at one point said that there were only 35 analysts who could run certain queries? And that all of the queries were tracked and audited. It seems they left out the thousand or so sys admins who could do whatever they wanted with no tracking at all. Does anyone honestly think that none of those sys admins ever was involved in a "LOVINT" situation? Or something much worse?

Oh, and people will remember that the NSA's new plan to "fix" this it to get rid of about 900 of those sys admins, rather than fix the actual problem. And, of course, if you know anything about how this stuff works, you'd know that the NSA probably can't actually automate away 90% of what its sys admins do.

So we're left with an agency that collects a ridiculous amount of info, and has around 1,000 employees (who are mostly actually employed by outside contractors) who can look through anything with no tracking, leaving no trace, and we're told that the data isn't abused. Really? Do Keith Alexander, James Clapper, President Obama, Dianne Feinstein and Mike Rogers really believe that none of those 1,000 sys admins have ever abused the system? And, do they believe that none of the people whom those thousand sys admins are friends with haven't had their friend "check out" information on someone else? Hell, imagine you were someone at the NSA who understood all of this already. If you wanted to abuse the system, why not befriend a sys admin and let him or her do the dirty work for you -- knowing that there would be no further trace?

Basically, it seems clear that the NSA has simply no idea how many abuses there were, and there are a very large number of people who had astounding levels of access and absolutely no controls or way to trace what they were doing.

Filed Under: audits, cybersecurity, ed snowden, keith alexander, nsa, nsa surveillance, security, sys admins

Ed Snowden Covered His Tracks Well; How Many Other NSA Staffers Did The Same?

from the gone-baby-gone dept

As we've seen, the NSA's story on "abuses" keeps changing. First there were no abuses at all, then there were a whole lot of abuses (but all unintentional) and now we know that there also were a bunch of intentional abuses. But here's the thing: these are only the abuses that the NSA caught. And, even then it's sketchy. As Marcy Wheeler has detailed, many of the "unintentional abuses" look like they were merely classified that way, when, in reality, they may have been intentional. Thanks to the magic of the NSA's special dictionary, they redefine abuses that exceed legal authority but are "performing the mission that the NSA wants them to perform" not as "abuses" but as "mistakes."

Either way, that only counts the abuses and "mistakes" that the NSA's audits discover. As we pointed out, it appears the NSA still has no idea what Ed Snowden took, which calls into question how good these so-called "audits" are. The latest reports coming out reveal that Snowden carefully bypassed or deleted the logs concerning his downloading actions:

The U.S. government's efforts to determine which highly classified materials leaker Edward Snowden took from the National Security Agency have been frustrated by Snowden's sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have showed what information Snowden viewed or downloaded.

The government's forensic investigation is wrestling with Snowden's apparent ability to defeat safeguards established to monitor and deter people looking at information without proper permission, said the officials, who spoke on condition of anonymity because they weren't authorized to discuss the sensitive developments publicly.

Remember when Snowden claimed that, from his desk, he could run searches on anyone, and various NSA defenders like Rep. Mike Rogers scoffed at the idea and called him a liar? They claimed that any such searches would turn up in the audits. But, of course, if you can delete the log files, then those audits are meaningless.

And, if Snowden could do it, it's very, very likely that he's not the only one employed by the NSA or contracting for the NSA who knows how to cover their digital trail. And that leads to a very obvious question: sure, the NSA knows about thousands of unintentional violations and a bunch of intentional violations -- but what about all the violations it has no idea about because someone was able to bypass or delete the log files? Given that NSA employees almost certainly know that searches are audited, you'd have to imagine that nearly everyone who decided to willfully violate the law to, say, spy on a love interest (hello: LOVINT) or, perhaps, a personal enemy, would also seek ways to do so without leaving an incriminating log file. Snowden's efforts show that's possible -- meaning that it's likely others knew that as well.

And, given that it appears that top NSA brass may have been taken by surprise by this rather basic revelation (no audits are perfect, and smart folks like ones the NSA employs often know how to get around such things), it seems quite likely that the number of intentional NSA violations is much, much, much higher than is being reported, in part because the NSA itself still hasn't been able to figure out what happened.

Filed Under: abuses, audits, ed snowden, keith alexander, log files, nsa, nsa surveillance, violations

US Still Can't Figure Out What Snowden Took; What Happened To Those Perfect 'Audits'?

from the total-failure dept

Remember how the NSA's biggest defenders keep insisting that the NSA's perfect "audits" prevent abuse? Here's Keith Alexander insisting that such audits are perfect:

"The assumption is our people are just out there wheeling and dealing. Nothing could be further from the truth. We have tremendous oversight over these programmes. We can audit the actions of our people 100%, and we do that," he said.

Addressing the Black Hat convention in Las Vegas, an annual gathering for the information security industry, he gave a personal example: "I have four daughters. Can I go and intercept their emails? No. The technical limitations are in there." Should anyone in the NSA try to circumvent that, in defiance of policy, they would be held accountable, he said: "There is 100% audibility." Only 35 NSA analysts had the authority to query a database of US phone records, he said.

Yet, many months after the initial leaks, it's being reported that the US government still doesn't know what Snowden took:

More than two months after documents leaked by former contractor Edward Snowden first began appearing in the news media, the National Security Agency still doesn’t know the full extent of what he took, according to intelligence community sources, and is “overwhelmed” trying to assess the damage.

First off, this shows that the claims of 100% auditability are complete crap. If they can't tell what Snowden took so many months later, they don't have very good auditability at all. Furthermore, this raises serious questions about the NSA's data management capabilities. For all the claims that there are no "willful" or "intentional" violations by the NSA of people's privacy, it seems difficult to believe they can know that. Here's a case where they flat out know that someone got access to all sorts of documents, and over many months they still can't figure out what he got. And, yet, they expect us to believe that they can tell with perfect accuracy what their staffers are doing with the data they have access to? Seriously?

Yes, there have been thousands of "accidental" violations that were caught in audits, but it seems highly likely that there are intentional violations that the NSA just doesn't know about. If they can't track what an outside contractor is downloading, how can they even pretend that they have control over their data and information?

Filed Under: abuses, audits, ed snowden, keith alexander, leaks, nsa, nsa surveillance, violations

Facebook Agrees To Submit To Independent Privacy Audits For The Next 20 Years

from the bait-and-switch dept

The Wall Street Journal is reporting that Facebook and the FTC are finalizing a settlement agreement regarding some of Facebook's numerous past privacy flubs. The WSJ reports:

According to people familiar with the talks, the settlement would require Facebook to obtain users' consent before making "material retroactive changes" to its privacy policies. That means that Facebook must get consent to share data in a way that is different from how the user originally agreed the data could be used.

The thing is, that's already the rule. While there's no law that specifically says a company like Facebook can't retroactively change the way it uses user information, the FTC treats it as an unfair and deceptive trade practice - kind of like a bait-and-switch. You decide you're comfortable putting information like your gender and dating status on your Facebook page because Facebook promised it would only show that stuff to your friends. And then it goes and makes it all public: Bait and switch.

Since we don't have comprehensive privacy laws in the US, the only real way to hold companies like Facebook to their word when they say things like "your information is private" is to approach it from a consumer protection angle. Lying to your users about how their personal information is going to be used (or changing your mind later and not telling anyone) is unfair and deceptive, and is exactly the type of thing the FTC can address through fines.

So, making Facebook agree to get express consent before making material retroactive changes to its privacy policies is a bit like making it write "I will not chew gum in class" fifty times on the blackboard before it can go out to recess. The really interesting part of the settlement agreement is that, like Google did in the Buzz settlement, and Twitter did concerning its security, Facebook is agreeing to submit to independent privacy audits for the next twenty years.

My hope for the long term outcome of this settlement agreement is that Facebook will be more upfront and transparent about their privacy practices, and not pull the bait-and-switch move on privacy that they've become known for. Hopefully, this will in turn lead to fewer Facebook-privacy-policy-instigated Chicken-Little-style paranoia outbreaks.

Filed Under: audits, privacy
Companies: facebook

As ISPs Look To Charge Per Byte... How Accurate Are Their Meters?

from the not-very... dept

Various ISPs have been pushing for metered broadband for a while now, and we've wondered in the past who will monitor the broadband meters themselves to make sure they're accurate? After all, with things like energy meters, they're carefully regulated and audited to make sure they're accurate. But no such luck with broadband meters, for the most part. Broadband Reports points out that it looks like individuals will be on their own to check on whether or not their ISP is being honest with them concerning how much bandwidth they use.

Filed Under: accuracy, audits, metered broadband

Is The BSA Purposely Promoting Open Source Alternatives?

from the just-wondering dept

The BSA's actions often seem so short-sighted that it makes you wonder if the organization is actually working against the interests of its membership on purpose. We've detailed in the past how the BSA loves to trot out bogus stats to support its claims about software piracy rates and the supposed "damage" it does to the economy -- but a bigger issue is the practice of BSA software audits. A year and a half ago, the Associated Press exposed the BSA's auditing practices as being highly questionable, bordering on what many would consider to be outright extortion. The organization targets lots of small companies and has no mercy. So even if it was a simple misunderstanding over what a hugely complex software license allowed, the BSA still demands money. And the most stunning part? The BSA keeps the money. According to the AP piece, the BSA (unlike some other organizations) does not distribute the money it gets from fining companies for software licensing violations.

But the bigger issue is that these practices, which are productivity killers for companies, and make many small businesses feel like their software vendors are treating them like criminals, are driving companies to look for alternatives from providers who won't accuse them of infringement at the drop of a hat, and send in a bunch of auditors. Especially in the middle of an economic downturn, treating customers as if they're criminals isn't a very good strategy.

So, what is the BSA doing? Yes, that's right, it's pumping up its software audit program, sending 1,000 audit letters to companies in London, officially demanding they detail their software usage -- while unofficially acting as a tremendous advertisement for open source software, where providers don't treat their customers as if they were criminals.

Filed Under: audits, software
Companies: bsa

Who Will Monitor And Audit Broadband Metering?

from the questions,-questions dept

With all the recent talk of metered broadband, there are some questions raised: such as how will the usage actually be metered? As that report notes, broadband providers should not be allowed to meter the broadband themselves, because that represents an obvious conflict of interest -- and when it comes to things like electricity and gas pumps, regulations require third party inspectors or equipment to make sure that the meters are accurate and not subject to tampering by the company. So wouldn't broadband require the same thing?

Filed Under: audits, metered broadband

When You Treat Your Customers Like Criminals, Don't Be Surprised When They Go To Different Suppliers

from the a-simple-warning dept

An anonymous reader sent in the following story about how some large software companies are suddenly increasing the number of "software audits" they're doing of enterprise buyers. Most enterprise software contracts include license terms that allow the software provider to "audit" the buyer, to make sure they're not abusing the license. As the article notes, however, such audits usually only come at one of two times: (1) when a company threatens to switch to another vendor or (2) when the company has received info from a reliable source that the license was being abused.

However, it looks like with the economy in freefall -- and IT spending being cut back, some enterprise software companies might be thinking that another way to squeeze some money out of customers is to audit them and force a larger bill on them. Of course, this seems like a plan that could backfire in a big, big way. As noted in the article, being audited is not a pleasant experience at all. It's basically a vendor claiming that it thinks you're breaking your agreement. It's not the best way to build up a strong relationship of trust. Because of that, a sudden increase in totally unexpected and uncalled for audits may seriously damage a company's reputation and drive them to proactively look for alternatives from companies who trust them. Treating your customers like criminals is never a good idea...

Filed Under: audits, criminals, customers, software
Companies: emc

Google Sued For Patent Infringement For Keeping Track Of How Many Ads People Click On

from the thank-you-patent-system dept

It still seems rather amusing (if not twisted) that some patent system supporters are trying to convince the world Google would be harmed by an absence of software patents. Instead, it seems increasingly obvious that it would only serve to help Google, who is a regular target of questionable patent infringement lawsuits. Take the latest such case as an example. A company by the name of Web Tracking Solutions, which ironically enough, doesn't appear to have much of a web presence (if any), has sued Google for patent infringement, claiming that its patent on third-party on-line accounting systems is being violated by Google's AdSense offering.

Try to read the patent without gagging over the question of what the USPTO was thinking when it approved this as a "non-obvious" process. Basically, it describes a system for tracking ad clicks on third party websites, and then showing that information (how many clicks, etc.) for customers of an ad service. In other words, apparently the USPTO thought that the idea of actually accounting for how many ad clicks were made by an advertising service to its clients is somehow deserving of monopoly protection. I would imagine that Google would be perfectly fine losing its own patents if it meant not having to defend against these sorts of lawsuits on an all too regular basis.

Filed Under: ad clicks, audits, patents
Companies: google