

Snowden impersonated NSA officials, sources say - copx
http://investigations.nbcnews.com/_news/2013/08/29/20234171-snowden-impersonated-nsa-officials-sources-say?src=a0b

======
stcredzero
The use of the word "impersonated" stinks to high heaven. There is a big
difference between an admin logging in as someone else and someone
"impersonating" someone on TV or over the phone.

That would be like having secret documents in a drawer marked "John Smith,"
then saying that someone who opened that drawer and took some documents was
"impersonating" John Smith.

Then there's the bit about "hiring brilliant people." What's so brilliant
about someone with root access having access to everything? Nothing. That's
what root access enables. It's not a case of Snowden's brilliance. It's a case
of the NSA's administrative incompetence: there should be auditing in place.

EDIT: So there was RBAC in place. Evidently, the implementation was botched.
Amounts to the same thing: "security theater." This actually bolsters
Snowden's case that whistleblowing was justified.

~~~
AsymetricCom
There is no "root access" implied in this article. Read about RBAC to
understand this.

~~~
betterunix
It looks like the NSA is using RBAC in some form, but with a big gaping hole
that Snowden just walked right through. Log in as a user and you get "Hotel
California" security -- you cannot escape your role. Log in as an
administrator and you are not confined to any role and can just walk all over
everything.

Another possibility is that Snowden had the ability to create login
credentials and just gave himself the ability to log in as another user.

~~~
stcredzero
_> It looks like the NSA is using RBAC in some form, but with a big gaping
hole that Snowden just walked right through._

Presenting that as "impersonation" to the general public is deceptive,
regardless of whether it is intended to be or not.

~~~
AsymetricCom
Deception is what Snowden used to gain roles he couldn't have otherwise. It
perfectly fits the definition of impersonation. By using someone else's
credentials he broke the separation of duty enforcement of the RBAC model,
thus he could probably escalate his privileges once he had that access. The
superior who gave out his credentials probably didn't comprehend RBAC and
thought he was just cutting out some red tape to chase down terrorists.

~~~
stcredzero
I thought that Snowden's whole point was that, "cutting out some red tape to
chase down terrorists" could also enable bad actors in the agency to do bad
things.

------
sczkid
If the NSA didn't guard against him using accounts with more clearance to
download documents he wasn't supposed to have access to, I don't think
Snowden's intelligence is what we should be worried about.

~~~
jrs235
Which I don't understand... they're claiming that we should trust them but
they aren't (or shouldn't be [hiring]) the most brilliant people. So, how many
other holes exist in their systems and oversight that are unknown because
there aren't brilliant people finding them?

~~~
rhizome
Speaking from experience, detailed auditing is covered by even the most basic
Windows Server admin course. It's not a question of brilliance.

~~~
walshemj
As is knowing what MAC and DAC are

------
defen
Wasn't the original story that he was a high school dropout, glorified
keyboard jockey who was way overpaid for what his job entailed? These guys
need to get the message straight.

~~~
john_b
No, we've always been at war with Eastasia.

~~~
yk
Of course, but unfortunately the Minitrue sometimes confuses Eastasia with
Oceania.

------
randallu
Was he brilliant? Or is that just a story -- "nobody else out of NSA's 20,000
employees is spying on people they shouldn't because they're just "great" not
"brilliant", so don't worry!"

~~~
avelis
I know the article is only to report what is said and it might be taken out of
context. However, I am disturbed by the kind of mentality around hiring
"great" and "brilliant" employees. I see no future with that kind of
organizational thinking.

------
Ellipsis753
Why would you give someone the ability to impersonate people with higher
clearance? That seems like poor design from the start.

~~~
pilom
I'm highly skeptical of the reporting. He may have impersonated other accounts
to cover his tracks but if he had physical access to a system or the user
database of a system then he was "authorized" to see all of the data on that
system. Or they are doing IT security worse in that office than it is usually
done.

~~~
stcredzero
_> they are doing IT security worse in that office than it is usually done_

Two things that are undeniable:

1) They were doing IT security worse than the level which was actually needed

2) All the while, they were telling the world that effective mechanisms were
in place which would prevent abuses.

So they weren't doing what they were supposed to and they were deceiving the
public about it. Whether or not this was intentional is just secondary.

------
danielharan
Who wants to go work at the NSA now that it implies they merely believe you
smart, not brilliant?

------
clueless123
This is why you don't hire ethical people for jobs like these.

------
ChikkaChiChi
Aren't these stories sort of the very definition of spin propaganda?

At least Snowden hasn't been locked away in a hole for three years only to be
brought out into the public to tell everyone he really thinks he's a woman.

------
kleiba
Are they talking about su?

~~~
WestCoastJustin
I think it might be a little more complex than that, but in essence, yes. In
these types of environments you will have certificates (browser based or
otherwise), he could have _fabricated digital keys_ or stolen these from some
type of key store, and then used them on his behalf.

> _NSA Director Keith Alexander told the House Permanent Select Committee on
> Intelligence that Snowden fabricated digital keys that gave him access to
> areas way above his clearance as a low-level contractor and systems
> administrator._ [1]

[1] [http://www.businessinsider.com/edward-snowden-copied-a-lot-o...](http://www.businessinsider.com/edward-snowden-copied-a-lot-of-nsa-files-2013-6)

~~~
rhizome
History tells us that these agencies routinely redefine mundane concepts, so
your point depends entirely on what they mean by "digital key."

------
shortcj
Should the NSA director outsource NSAnet root?

~~~
DamnYuppie
Apparently the answer is yes...

------
pothibo
Spinning the story so it fits the "Snowden is a traitor" agenda.

>> "You hire smart people. Brilliant people get you in trouble."

What does that even mean?

~~~
betterunix
Brilliant people see through the propaganda that the government needs to feed
its own employees. Brilliant people are harder to train to be a cog in the
machine. The NSA needs people who are just intelligent enough to solve
infrastructure / software / etc. problems, but not so smart that they start
questioning the broader goals of the organization.

The army breaks down a soldier's individuality as part of a soldier's
training. The NSA does not have that luxury (as far as I know), and Booz Allen
Hamilton certainly does not.

------
kirksan
So the guy knew how to type "su - kalexander".

------
gojomo
Well, thank goodness only one "brilliant" person has ever snuck past the NSA's
defenses. If two or more ever got in, they'd establish themselves as our
hereditary emperors in no time.

------
sliverstorm
IMO the solution is not keeping the top cryptographers, security experts, et
al. out of the agency that is supposed to protect the country from the top
cryptographers and security experts from other countries. Seems like a flawed
idea right from the start. You just need to make sure the people you hire are
actually on your side.

~~~
john_b
That may work in theory, but it's not always possible to know who's on your
side. For an especially control-obsessed agency like the NSA that wants to
know everything, this approach is completely unpalatable. Large institutions
with sensitive information, whether public or private, generally don't know or
trust their lower level employees (and a sysadmin is "lower level" in this
context). They want solutions that prevent access by default. The NSA seems to
have figured out that relying on sysadmins as a trusted party (a _contracted_
trusted party, specifically) exposed a big hole in their ability to control
things. It should have been obvious that contracting out a role that requires
an extreme amount of trust was a bad idea, but large institutions often don't
learn obvious lessons until someone makes them pay for their mistake.

~~~
sliverstorm
I don't disagree with anything you've said about holes in security. I just
think it's silly to say the solution is to hire stupider people.

------
AsymetricCom
I know I'll get downvoted for this. Please be a contributing community member
of HN and state why.

Have any of the NSA leaks told us anything we don't know? Haven't the majority
of the leaks told our foreign enemies how to avoid being tracked more than
anything? I have yet to see any serious abuse of the NSA's power. The fact
that they know that low level employees were spying on potential love
interests means that they have a system in place to track such abuses. Leaking
those kind of emails can be spun to state the opposite, when those emails are
direct evidence that such abuses are tracked and presumably punished.

I've seen articles that have said "what if they use this power to subvert
political dissidents" Well, what if they actually have checks built into this
system as they have claimed and this new information proves? Such rumor
spinning gets us nowhere as a society. Wouldn't that make Snowden a spy with
his own self interests at heart, not the interests of the American people?
Leaking piece-meal like he has is in his interests, not ours.

[http://en.wikipedia.org/wiki/2013_mass_surveillance_disclosu...](http://en.wikipedia.org/wiki/2013_mass_surveillance_disclosures#Collection_and_Analysis_Programs_or_Hardware)

Look at the scope of these systems. The fact that no abuses have come up
(locally) is quite telling, imho. When this same type of hardware is in the
hands of countries like China, we see these abuses. Is China seeing something
we don't and just not telling us? I highly doubt it.

~~~
betterunix
"Have any of the NSA leaks told us anything we don't know?"

Anything _we_ i.e. the readership of HN / Slashdot / Reddit / etc. do not
know? Of course not. That accounts for about 2% of the population of the
United States. The rest of America is still trying to get past the "but I am
not even interesting, why would the NSA spy on me?" stage of life.

"Haven't the majority of the leaks told our foreign enemies how to avoid being
tracked more than anything?"

How is that coherent with your first sentence? If the leaks did not tell us
anything we do not already know, surely they are not telling our enemies
anything they do not already know.

The reality is that foreign governments already know that the US is trying to
spy on them. Terrorists know that too. That is why foreign governments use
cryptography and other information security techniques. That is why terrorists
deliver notes by courier.

"what if they actually have checks built into this system as they have
claimed"

...this is a story about a low-level sysadmin who walked out of the very same
organization with an untold number of classified documents. What checks do you
think are built in, exactly?

"they know that low level employees were spying on potential love interests"

I think your question has been settled: no, effective checks on the NSA's
power are not in place. Obama could not care less about some low level guy's
love interests. Of course, those pesky journalists pointing out the ways he
has lied, abused Presidential authority, etc., that's another story...

~~~
AsymetricCom
I have yet to see evidence that he has lied. Keep in mind that the personal
data being mined by these systems was already recorded, legally and gathered
legally with the contracts you agreed to with these companies. I've read the
EULA and every single one of them states they will cooperate with authorities
for data requests. Without evidence of abuse, there is no lie here.

>How is that coherent with your first sentence?

You can't have it both ways. People who live in USA and are technical would
know about these systems. People external and non-technical would not
necessarily. Is that so hard to understand?

>What checks do you think are built in, exactly?

Read the article, please, before commenting.

>effective checks on the NSA's power are not in place.

There is still no evidence that your statement is true. The article shows that
effective checks are there, but like all defenses, they can be flanked. Thus
Snowden had to abuse his trust to get around them. This is just reality. There
will never be a defense that can't be flanked.

You can say that this article is proof that there are ineffective checks, but
then you have to admit that this article proves that Snowden had an ulterior
motive when he accepted his contract with NSA. You must accept that if the
government broke some rules to do their job (which so far I have not seen any
evidence for) then you must also accept that Snowden broke some rules to steal
these documents.

~~~
eliasmacpherson
[https://en.wikipedia.org/wiki/Parallel_construction](https://en.wikipedia.org/wiki/Parallel_construction)

[http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE...](http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805)

The question you have to ask yourself is whether you think that would have come
out without the Snowden revelations.

Evidence that the govt. broke rules to do their job (after Obama explicitly
denied the powers are abused):

[http://www.theguardian.com/world/2013/aug/21/nsa-illegally-c...](http://www.theguardian.com/world/2013/aug/21/nsa-illegally-collected-thousands-emails-court)

Evidence that checks are not in place:

[http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/24...](http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/24/loveint-when-nsa-officers-use-their-spying-power-on-love-interests/)

The LOVEINT revelations only showed up when the officers volunteered the
information pre-polygraph test, which are more of a fear instrument than
verifiably accurate. That's not a check or balance. More to the point the
relevant facts emerged after Alexander categorically denied that abuses take
place.

~~~
AsymetricCom
Parallel construction is legal because the source of the data is legal. They
need to do parallel construction to hide the source of intelligence for
tactical reasons. i.e. when it was revealed that NSA had power to tap cell
phones with a warrant, criminals stopped using cell phones or used 'burners'.

The emails being grabbed beyond the warrant NSA had was a result of encryption
being used by GMail, so they had to grab emails by screenshot and keyword
only, which caused collateral collection, but the amount of collection here is
trivial.

I already addressed LOVEINT, and you're arguing against yourself. LOVEINT is a
perfect example of NSA cracking down on abuses then addressing them in open
court so that they can legally take action, or if they can't take action, that
it's known about so that bigger reforms can be made.

I just gathered these facts by reading your article. It's clear that there are
always two sides of the story, but nowhere here do I see NSA doing anything it
didn't have permission to do.

~~~
eliasmacpherson
Parallel construction is being investigated because it's probably not
legal.[1]

In the NSA's own words "If the intelligence community collects information
pursuant to a valid foreign intelligence tasking that is recognised as being
evidence of a crime, [it] can disseminate that information to law enforcement,
as appropriate." [1]

[1] [http://www.theguardian.com/world/2013/aug/06/justice-departm...](http://www.theguardian.com/world/2013/aug/06/justice-department-surveillance-dea)

There's two modes of operation, you seem to have the second in mind, and I am
thinking of the first:

1:

a. NSA collects American national's "information pursuant to a valid foreign
intelligence tasking". (this may be illegal, violation of fourth amendment
rights, no supreme court decision)

b. NSA tip SOD (if 1. is illegal, then it follows it's illegal to pass on)

c. SOD instruct police force to stop and search for 'traffic violation' at
time and place, obscure evidence trail. (DOJ investigating if this is illegal)

d. d:a) no evidence is found.

d:b) evidence is found, parallel construction begins.

2:

a. law enforcement agency DEA/IRS/SOD asks NSA to get foreign intelligence,
because of investigation already underway.

other steps as above.

I take issue with this: "the government broke some rules to do their job (which
so far I have not seen any evidence for)"

The FISC found NSA overstepped their remit, broke the fourth amendment,
announced that the FISC did not have sufficient oversight, and said that the
NSA misrepresented facts repeatedly. The NSA initiate programs and depending
how they feel about it present them to the FISC after the fact. In addition
this contradicts what Obama said about there being no abuses. The only way
that Obama could not be a liar here is if he did not know about it. Is Obama
misinformed?

In your own words: "the amount of collection here is trivial.", the government
broke the law however 'trivially'. This is an admission on your part there is
evidence and that you have seen it.

You have not addressed LOVEINT. You seem to be missing how the LOVEINT stuff
came to light, it was self reported by staffers, not uncovered by the NSA.
Voluntary handover of information is not a check or a balance. Would you think
the police were doing a good job if they only dealt with cases where the
perpetrator made a statement on their own actions and turned themselves in
without an investigation? Would you consider such behaviour a crackdown by the
police? If there were sufficient checks, the NSA would know well before the
culprit volunteered the information. In addition this contradicts what
Alexander said about there being no abuses.

