
US doesn't know what Snowden took, sources say - danso
http://investigations.nbcnews.com/_news/2013/08/20/20108770-us-doesnt-know-what-snowden-took-sources-say?lite
======
skue
> Another [official] said that the NSA has a poor audit capability, which is
> frustrating efforts to complete a damage assessment.

Wow. The NSA spent untold billions building advanced tech to snoop others but
never bothered to set up proper internal controls for their own systems?

Of course this also raises the question, how can they continue to insist that
there are reasonable controls in place to prevent abuse when they can't even
determine what Snowden accessed, after he collected thousands of documents
over a span of years?

~~~
staunch
It's fundamentally nearly impossible to audit (or even control) what sysadmins
do. You can _try_, but at the end of the day the most secure really is based
on trust and it works remarkably well. NSA must have thousands of sysadmins
(at least over the years) and we've got one that leaked things in a
significant way.

The system they use is not really broken, it's just embarrassing to them when
it's proven imperfect. The best fix would be to simply avoid doing things that
are likely to piss off ethical people like Snowden.

~~~
rwmj
This is nonsense. The whole point of the audit tools that we (Red Hat) ship is
to audit the sysadmins. This includes: auditing off machine to secure sites
under control of others; having the machine hard power-off if the audit log
cannot be written/sent; extremely fine-grained auditing of every command used,
file read/written, etc.
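The three controls rwmj lists map onto the Linux audit subsystem that ships with RHEL. What follows is an added illustration, not rwmj's or Red Hat's own configuration: the collector hostname, the port and the `/srv/classified` path are assumed placeholders, and the file locations are those of audit 3.x.

```conf
# --- /etc/audit/auditd.conf: fail closed when the local log cannot be written
log_format = ENRICHED
flush = sync                     # each record is on disk before the syscall returns
disk_full_action = halt          # no room for records: shut the machine down
disk_error_action = halt         # I/O error on the log: shut the machine down
admin_space_left = 50
admin_space_left_action = single # nearly full: drop to single-user mode

# --- /etc/audit/plugins.d/au-remote.conf: enable the remote-logging plugin
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string

# --- /etc/audit/audisp-remote.conf: ship records off-box, halt if that fails
remote_server = audit-collector.example.internal   # assumed placeholder host
port = 60
transport = tcp
mode = immediate
network_failure_action = halt    # cannot reach the collector: shut down
remote_ending_action = reconnect
disk_full_action = halt          # local spool full: shut down

# --- /etc/audit/rules.d/admins.rules: what gets recorded
-D
-b 8192
-f 2                             # kernel panics if it cannot deliver an event
# every command executed as root by a logged-in human (auid is set at login)
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k admin_cmd
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k admin_cmd
# every read, write or attribute change under the sensitive tree, by anyone
-w /srv/classified/ -p rwa -k sensitive_data   # assumed placeholder path
# tampering with the audit configuration or the log itself
-w /etc/audit/ -p wa -k audit_config
-w /var/log/audit/ -p wa -k audit_log
-e 2                             # lock the rules until the next reboot
```

After `augenrules --load`, `ausearch -k admin_cmd` or `ausearch -k sensitive_data` reconstructs what a given administrator ran or touched, and because `-e 2` locks the rule set, disabling the auditing later requires a reboot that is itself logged.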

~~~
staunch
What does Red Hat do to prevent someone from copying backup tapes? Or
authorized users from copying data to other servers that aren't audited? Or
from databases and repositories via their own protocols?

It's rather unimpressive to claim that you can tell a customer that "your
sysadmin had authorized access to all data, so any of it could have been
copied".

~~~
stephengillie
It's the responsibility of a business's owners/executives/officers to
physically secure their building and technology. Red Hat and other groups
(like Schlage, ADT, and police departments) make tools/services you can use to
do this, but it's your responsibility to make sure all of your agents are
doing what you want them to do.

It's rather embarrassing to have your IT supplier tell you "This other person
who you trusted with access to _all_ your data may have copied some or all of
it -- you should trust your employees more granularly."

~~~
staunch
Which sysadmin has access to grant other sysadmins access? What do you do
about them?

~~~
stephengillie
If it's your system, then _only you_ have access to grant access to others. If
you hire a sysadmin to build you a system, you make sure you trust that
person, and make sure that person is the _only one_ with access to grant
access. If that person lies to you and starts handing out that access, you
replace her/him. And if you can't find anyone trustworthy, then you're forced
to do this job for yourself.

------
coldcode
If they don't audit what people have access to, who knows what those people
are doing with it. That's even scarier than the NSA recording everything, that
their employees and contractors can do whatever they want with the info.

~~~
lambda
Remember, there is a difference between not auditing access to their internal
fileservers that they keep their PowerPoints on, and not auditing access to
their wiretap data.

Now, a big concern is that even if they do audit access to the wiretap data,
there are still too many people who have "legitimate" access to it, and it is
still hard to prevent a rogue sysadmin or programmer from bypassing those
controls. Merely having all of that data makes it a high value target for
attack.

~~~
skue
> Remember, there is a difference between not auditing access to their
> internal fileservers that they keep their PowerPoints on, and not auditing
> access to their wiretap data.

This will clearly be NSA's response -- whether it's true or not -- but Snowden
didn't just take random PowerPoints and internal training docs. If I'm not
mistaken, he also took copies of FISA court documents and other highly
classified materials that were never intended to be shared among NSA staff.

I truly believe the lack of audits for these materials has destroyed NSA's
credibility across the board:

1. We know that NSA hires/contracts incredibly smart and technically talented
individuals who are experts at breaking into systems and avoiding detection.

2. The only way for NSA to provide reasonable controls in this environment is
to create a culture of monitoring and accountability, and design all their
systems from the ground up with auditing and security in mind.

3. But apparently they didn't do #2 (or never figured out how to enforce this
for sysadmins), because Snowden repeatedly accessed restricted and highly
classified material without an audit trail.

I don't see how they can credibly admit a Snowden sized failure but still ask
us to trust them with our personal data.

------
alan_cx
So, they don't know if anyone else has taken anything either? Snowden could in
fact merely be the one they know about. And on the face of it, Snowden has
risked everything to let the world know what's going on, an act of human
patriotism, whereas others unknown may well just sell the data to actual
enemies.

Maybe Snowden's error is doing the right thing as opposed to making a few
Renminbi.

------
Keyframe
It baffles me how poor PR damage control there is from NSA/government. All
they had to say was something along the lines of "yeah, some of it is true, but
we can't comment any further", same with the WikiLeaks leaks. "Some", and you
can't be sure anymore what's true and what isn't from that source and end of
story, only speculations.

------
ohwp
If they didn't know they wouldn't destroy the Guardian's hard disks but would
take them with them to check out the data.

~~~
sp332
I thought the Guardian destroyed their own hard drives, to prevent them from
being taken?

~~~
ohwp
[http://ca.news.yahoo.com/britain-forced-guardian-destroy-cop...](http://ca.news.yahoo.com/britain-forced-guardian-destroy-copy-snowden-material-222933670.html)

~~~
sp332
That's not what the Guardian says happened. _"But once it was obvious that
they would be going to law I preferred to destroy our copy rather than hand it
back to them or allow the courts to freeze our reporting."_
[http://www.theguardian.com/world/2013/aug/20/nsa-snowden-fil...](http://www.theguardian.com/world/2013/aug/20/nsa-snowden-files-drives-destroyed-london)

Discussion:
[https://news.ycombinator.com/item?id=6245419](https://news.ycombinator.com/item?id=6245419)

------
timdiggerm
> By using a “thin client” computer he remotely accessed the NSA data from his
> base in Hawaii.

Oh no, not a "thin client"!!!

~~~
contingencies
I think Hollywood would do it more like this:

"Set the Command and control server to engineer a virus to backdoor the system
return code with a thin client."

"... oh no, not a _thin client_!"

