

NSA Employee Shared Password, Key, Classified Data with Snowden [pdf] - thezach
http://msnbcmedia.msn.com/i/MSNBC/Sections/NEWS/nsa-snowden.pdf

======
EthanHeilman
Don't worry though they have a fool-proofing auditing systems in place to
prevent abuse of the intelligence they have intercepted on US "persons".

I am always amazed at the double claim the NSA makes:

1\. That they have a great auditing system that catches abuses.

2\. That the auditing system shows that most NSA employees are honest because
they have caught very few abuses.

The two claims do not support each other. These two alternatives would be more
convincing:

1\. That the auditing system is great and thus we have caught millions of
abuses.

2\. That the auditing system is easy to bypass and therefore we have caught
very few abuses.

The very fact that Snowden could take what he did, in the way in which he did,
and that they still don't know the extent of data copied shows that their
auditing systems are easy to bypass.

~~~
codex
Not necessarily. Snowden took mainly metadata: PowerPoint presentations and
the like. I have not heard tell that he took any actual intercepts or
personally identifiable cell phone data. I suspect the latter is what is
audited.

~~~
joelrunyon
Don't worry - from what I've heard - metadata isn't all that useful anyways.
Which is why we're collecting massive amounts of in in a center in Utah.

/s

~~~
tptacek
You're playing a game with the definition of "metadata" to refute a point the
parent comment didn't make.

~~~
username
It was sarcasm.

------
minimax
Seems like it would chip away at Snowden's "whistleblower" claim if he was
actively trying to subvert the NSA's compartmentation scheme to access
documents he wasn't cleared for.

~~~
Nrsolis
THIS.

Like I've said in other comments on Snowden: he had an agenda.

This wasn't just simply a case of a guy who was involved in something he
couldn't stomach any longer; he went in with the intention of gaining access
to materials he didn't have a right to see. He took on the persona of a mole
and use the access he did have to gain the trust of people via subterfuge.
THAT is how he got these documents.

If Snowden had a foreign handler, then he would be called a "spy." The jury is
still out on whether or not that was the case.

I'm not taking anything away from the disclosures that were made about NSA
overreach, but seriously, do we hate our government so much that we are
willing to cheer when another government subverts it?

~~~
ceejayoz
If you think there's any evidence of Snowden being run as an asset of a
foreign government, you've fallen victim to baseless whisper campaigns by a
few Congressmen. There is zero evidence of this. If there were any, the
administration would be trumpeting it far and wide.

~~~
minimax
_These nations, including Russia, Venezuela, Bolivia, Nicaragua, and Ecuador
have my gratitude and respect for being the first to stand against human
rights violations carried out by the powerful rather than the powerless. By
refusing to compromise their principles in the face of intimidation, they have
earned the respect of the world._

Edward Snowden, July 2013

That is an awfully nice thing to say about the Russian establishment. It's
also nice that Snowden, a guy who seems to be pretty forthcoming with his
opinions, has not made a single comment about any of the well documented cases
of civil rights abuses in Russia.

~~~
ceejayoz
> Edward Snowden, July 2013

That's hardly evidence those governments are running him as an intelligence
asset.

> It's also nice that Snowden, a guy who seems to be pretty forthcoming with
> his opinions, has not made a single comment about any of the well documented
> cases of civil rights abuses in Russia.

There's something to be said for not wanting to get kicked out of the one
country to grant asylum. Again, hardly makes him a spy for them.

~~~
minimax
Point is he took classified intelligence documents to China, then Russia. He
never says anything bad about Russian political leaders and he occasionally
says very good things about Russian political leaders. His disclosures also
frequently seem to cause strife among NATO allies.

What you said is that if you think Snowden is a foreign agent, then "you've
fallen victim to baseless whisper campaigns." What I'm saying is that there is
a very suspicious (though not conclusive) pattern in his behavior. You don't
need any "whisper campaigns" to see it. There is plenty of room to doubt his
motivations.

~~~
ceejayoz
> Point is he took classified intelligence documents to China, then Russia.

The same is true for any embassy courier. If he's not providing the decryption
passphrases, who cares?

> His disclosures also frequently seem to cause strife among NATO allies.

That's only because "US spying on Russia/China/etc." was a given and hardly a
surprise.

~~~
Nrsolis
LOL. How about China/Russia spying on US?

What I find so hilarious about all of this is that China and Russia have been
SO AGGRESSIVE in their use of technological capability to effect a spying
apparatus in the USA and on our assets abroad.

[http://articles.latimes.com/1987-04-07/news/mn-175_1_new-
emb...](http://articles.latimes.com/1987-04-07/news/mn-175_1_new-embassy)

I think people often think that regular laws and customs are at play in the
world of state vs. state. The truth is FAR more complicated.

Statecraft is big boy rules.

------
logn
And why would we believe the NSA at this point?

~~~
crb002
I concur. The lack of detail seems bogus. Just because someone used Snowden's
keyboard to log in once, theoretically allowing Snowden to intercept the
password, doesn't mean that that Snowden actually logged the guy's password.
Seems like they want scapegoats.

~~~
Breakthrough
I came here to say "you're only as strong as your weakest link", but I have to
admit this is plausible as well. However, from a hacker perspective, what
difference does it make?

Social engineering tactics are widely known to be _very_ effective in a lot of
cases, and the NSA is no different. Snowden was accused in the past of trying
to do this [1], although from his perspective (as well as mine, for that
matter) he was probably just trying to explore the limits/boundaries of the
systems he worked with [2].

I agree regarding the lack of details, and that this is probably a false
report. That being said, I wouldn't be surprised if Snowden actually gave it a
shot - if you can find someone actually willing to just hand you their
credentials, why wouldn't you? Although I understand they're trying to make
Snowden look worse with this, I don't see that it does - if anything, it
highlights his strengths as a security researcher, while simultaneously
showing that the NSA is susceptible to the same social engineering flaws as
have been demonstrated elsewhere.

\----

[1] [http://www.nytimes.com/2013/10/11/us/cia-warning-on-
snowden-...](http://www.nytimes.com/2013/10/11/us/cia-warning-on-snowden-
in-09-said-to-slip-through-the-cracks.html)

[2]
[http://www.techdirt.com/articles/20131017/15530424921/snowde...](http://www.techdirt.com/articles/20131017/15530424921/snowdens-
negative-writeup-cia-was-whistleblowing-taught-him-why-going-through-proper-
channels-gets-punished.shtml)

------
colinbartlett
All the security tech in the world can't stop people from writing their
passwords on sticky notes and pasting them on their monitors. Or in this case,
giving them to a coworker.

Well, actually two-factor can. I wonder why a two-factor auth was not
required? That would have rendered Snowden's keylogger useless.

~~~
TheCapn
Even 2-factor is susceptible to social engineering. Years ago when I worked IT
for a company the protocol for providing a 24hr bypass to their RSA token was
to ask generic questions that any 'friend' could likely answer. We'd use this
if they were working from home and left their token at work or the other way
around.

~~~
colinbartlett
There was that guy that outsourced his own job to a developer in China so he
could surf Reddit and HN all day at work. If I recall he even FedEx'ed his
two-factor auth to the guy in China so he could VPN in and complete his work.

~~~
dublinben
I remember that guy getting caught from some OPSEC weaknesses though. He would
have been better off if the Chinese replacement was logging in though a
machine at the guy's house, so the IP address didn't give it away. You could
also use a webcam to share the RSA token, without having to physically send
it, and lose control of it.

------
fredgrott
Remember, folks we do not know NSA's internal infrastructure..

Things we do know: 1 Hawaii is a listening post and Snowden was at a listening
post yet did not have access to RAW data as systemadmin. This bodes well for
claim on access abuse of RAW data only but not abuse on implementing the
collection system for RAW data. In other words NSA can abuse through
implementation without being audited..that includes Congress as it has been
proven that NSA can lie to congress without being any move to punish NSA for
such lies and also the lack of technical backgrounds or even military
backgrounds of most congress people.

NSA is relying upon everyone forgetting that collection of raw data
implementation is the number one place for auditing of abuses.

------
wil421
Who shares their key with someone and enters their password?

If I worked somewhere that is as sensitive as the NSA I would never share my
key. I wouldnt allow someone to use my login at my work to do anything,
period.

Now its sounds like Snowden was being a spook of his own in order to gain
access to data. Hopefully these people wont be indicted.

