Hacker News new | comments | show | ask | jobs | submit login
Bruce Schneier: China and Russia Almost Definitely Have the Snowden Docs (wired.com)
120 points by mndtzn on June 20, 2015 | hide | past | web | favorite | 52 comments

Bruce Schneier is falling into the trap of saying since computer security is hard, the NSA has certainly been compromised and we can assume these docs have been out there for a while.

Yes, securing the endpoint is hard, especially given the non-hardened OS and applications we mostly use. However, you can't extrapolate from that to say with certainty what has and hasn't been exposed via security flaws.

The USSR was much more successful at espionage than the US was, and they took a low-tech approach to it. For decades, they developed contacts within the govt, gave them money, and had documents handed to them by authorized insiders.

Let's not assume computer exploitation is the only culprit. History has shown a variety of techniques, even very low-tech ones, have been employed for espionage and it's impossible as an outsider to determine how much has been taken, by whom, and by what means.

> > The vulnerability is not Snowden; it’s everyone who has access to the files.

> > First, the journalists working with the documents.

> Bruce Schneier is falling into the trap of saying since computer security is hard, the NSA has certainly been compromised and we can assume these docs have been out there for a while.

The NSA has been compromised. By Snowden. There's no assumption there, that's fact. Now, access to the documents not longer just means having NSA access (or a complicit person with access) or hacking the NSA, it includes access to any system or person who has access to all the files, which are no longer restricted to NSA servers. It's no longer about what the NSA's security practices are.

Yeah but the point is that the NSA is most likely much easier to compromise than the Snowden documents.

Wait... you believe that the NSA is easier to compromise than the computers of reporters from multiple international news agencies with various levels of computer security policies and knowledge?

I'll let Schneier answer that, in case you didn't read the article:

> The open question is which countries have sophisticated enough cyberespionage operations to mount a successful attack against one of the journalists or against the intelligence agencies themselves. And while I have my own mental list, the truth is that I don’t know. But certainly Russia and China are on the list, and it’s just as certain they didn’t have to wait for Snowden to get access to the files.

That doesn't mean he thinks it's easier to hack the NSA, just that he thinks it already was, so it doesn't matter.

Snowden didn't create any flaws in NSA's internal systems (or at least, none that anyone's described publicly), but his actions certainly demonstrate that they were there. All Schneier is saying is that someone else could have taken advantage of the same flaws -- and that he thinks, given the givens, that someone else almost certainly did. He's not the only one who thinks the odds stack up like that...

Spying is a good thing. Real information keeps people from second guessing each other and prevents cold conflicts from becoming hot.

Spying is a wash - what you're saying is true, but it's only half the equation. Sometimes that second guessing is what keeps the conflict from becoming hot. Spying can compromise a country's defense to the extent another country feels comfortable attacking. Also, if a weaker country can maintain the facade of strength it's less likely to be attacked.

The most obvious example is when one country manages to uncover another country's nuclear assets to such a high degree of confidence it feels (rightly or wrongly) it can make a 100% successful first strike.

You need mutual spying, but if you have that, then the week country will know that it is 100% vulnerable to first strike, and surrender before it comes to that.

I'm not so sure you can count on a country to act in rational self-interest. Individual people aren't so good at that, and collectives can be less rational than individuals.

That never, ever happens.

How would you know that?

Give me one historical example.

You want me to give an example of something I'm claiming we don't know?

Surely if this is possible you could find one example in all of human history.

If I had better knowledge of military history, maybe. But I find it extremely unlikely that there has never been a situation where somebody knew some secret about their enemy that encouraged them into a concession instead of resistance. I mean, it happens in legal situations every day.

So the trouble is only when your voters get the information necessary to vote rationally?

We will know some parts of truth but probably in one or two decades from now (like for the Cambridge Five).


Assuming this is true "we have now seen our agents and assets being targeted”, there is another explanation why now - other than foreign agencies getting the documents Snowden took.

The explanation is called protecting intelligence sources: Russia, China - or whoever had their spies inside NSA long before, can now act on the intelligence they got without triggering counterintelligence alarms.

Even then, targeting spies is counterproductive.

The spy you know about is much less dangerous than spy that you don't know about.

If they hacked the NSA, I'd suspect most spies are known rather than unknown. There's a curious event where Russia expelled 30 UK diplomats from Moscow - and none of them were intelligence operatives (and this was no coincidence as 1/3rd of the staff were intelligence operatives) - it was just to send a message: "we know who your spies are"[1].

Edit: corrected number of diplomats & added citation

1. http://www.globalresearch.ca/five-reasons-the-mi6-story-is-a...

This is uninteresting. It is fully expected that foreign countries know about (and extensively surveil) your "official cover" embassy staff intelligence officers. We tailed everyone who stepped out of the Soviet embassy for most of the Cold War.

Those people are administrators. Your actual covert operatives will never interact with the embassy in a detectable/obvious way.

That theory is unlikely to gain traction among the public at this point in time. Even with the much-publicised example of an intelligence community insider exfiltrating data and then traveling to both China and Russia, it's considered uncouth and irresponsible to suggest that those nations have any intelligence assets in the U.S.

NSA adopted two man rule for system administration only after Snowden leaks. Before Snowden anyone with similar access as Snowden could have copied the same data.

What is the probability that at least one guy with same access as Snowden spied for China or Russia? I would say close to 1.0.

"%50 of former employees admit to stealing confidential company data" [1]

Even with oaths and allegiences, the probability that Snowden is the only one to take advantage of the lax security in the NSA is 0.

[1] http://www.symantec.com/about/news/release/article.jsp?prid=...

The NSA is not a corporation. They put exponentially more care in vetting before trusting with top secret intelligence access.

And much good it did for preventing the Snowden leak. The false sense of security instilled by confidence like yours likely hindered implementation of common-sense safeguards, such as the two man rule and more generally any functional oversight of any kind.

In my experience, the NSA performs its own security clearance checking and does not use the OPM for this function, but, in any case where OPM did perform a background check, that background check provided China with far more compromising information than China otherwise would have had.

That people place such faith in vetting in the first place is a huge problem. Furthermore, background checking performed by most of the rest of the US government has actually been a huge source of actionable intelligence for our enemies.

In my opinion, it is not possible for an organization the size of the NSA to keep its secrets. It's, what, 1000x larger than the Manhattan project? And, would you say that James Clapper's intellect was in the same ballpark as those of Leslie Groves and Robert Oppenheimer?

In fact, when confronted with opportunities to avoid mistakes, the US government's reflexive response is compulsion toward secrecy so as to avoid reform. IE, so much of this secrecy is motivated by desire to escape oversight, rather than to provide our nation actual advantage over rivals. If the latter were our goal, oversight and strictly limiting classification to the most sensitive subset of weapons research and ongoing military operations would be a road to it. Instead, such approaches are termed dangerous and even intellectual property normalization treaty negotiations are treated as military secrets in order to protect the power of entrenched political influences.

When secrecy is so rampant that it makes it impossible for us to keep secrets, you might ask why we have so much fucking secrecy.

Snowden was someone with access who acted on what he thought was in the best interest of Americans. Whether it was or wasn't is debatable. But to assume foreign spies exist in the NSA, and would risk treason for foreign interest because NSA screening missed Snowden, is a big leap in logic.

Of course no one can say foreign spies inside the NSA or access to their top secret files is impossible, I'm simply suggesting it's safer to assume this is not likely, and comparing the NSA to civilian corporations in this regard is unreasonable.

What is the probability of that guy being Snowden himself?

The original link may redirect, but a permanent copy of the article is now available at https://archive.is/zwPVW , also cached at http://webcache.googleusercontent.com/search?q=cache:Sx7GYBF...

His points are: * China and Russia probably ALREADY had access to that material BEFORE Snowden, based on the NSA's poor internal security. * Now that journalists have the remaining unpublished Snowden documents, any nation-state can hack the journalists.

Some people still can't reach it, but Google's cached version is here - http://webcache.googleusercontent.com/search?q=cache:Sx7GYBF...

I once challenged Glenn Greenwald as to how he could be confident his copy of the documents hadn't been hacked. His answer wasn't terribly convincing.

That said, it's also possible he got lucky. He lives in a fairly isolated farmhouse with a lot of dogs, so maybe it really is hard to do a black bag operation on him. And I'm not sure how even a nation state could do a purely internet-based attack on an air-gapped computer.

That said, Laura Poitras in bustling Berlin or an entire major newspaper might be an easier target ...

> That said, Laura Poitras in bustling Berlin or an entire major newspaper might be an easier target ...

That incident where British government officials destroyed the laptop containing The Guardian's copy of the documents makes more sense in light of this.

Greenwald's home got burgled, with just a laptop stolen, when he was in Hong Kong.

There's evidence that US government counter-intelligence and information security are very poor: Snowden, Manning, the recent break-in at OPM, etc. In past generations, nuclear plans were stolen, the heads of both FBI and CIA counter-intelligence have been moles, a Navy sailor kept the Soviets updated on the locations of US submarines, etc. Here's a list I came across recently: http://www.wearethemighty.com/american-spies-military-secret...

It's hard to know how bad or good the US's security is, because most intelligence operations are secret and I don't know enough about the field to have a standard by which to judge it. Maybe these things are the norm for most governments.

I would not be surprised if other governments already knew much of what Snowden made public. Some secrecy clearly is necessary for governments but how often does "secret" merely mean "unknown to the public" (but already known to enemies)?

> information security are very poor

this is necessarily the case. people are the biggest flaw followed by technology itself which is expected to be cheap and easy.

The heads of the FBI/CIA I know they both had senior officers go bad but do you have any proof of this?

Just to be clear, it wasn't the heads of the whole FBI and CIA; it was the heads of their counterintelligence divisions (or maybe their Soviet counterintelligence divisions - I don't know the org charts precisely), Aldrich Ames (CIA) and Robert Hanssen (FBI). Just do a search; there were arrests, trials, etc. - it is very well documented.

Why is secrecy clearly necessary for governments? You may be right, but it's far from clear.

Well, it offers a huge military advantage, so in the interests of waging war, it is very useful, if not necessary.

But I think the most common use of it is probably the fact that politics is a game of hypocrisy, and you can't play unfairly if you don't get to keep secrets.

(had to read this article via a proxy, because of a redirect loop - anyone else seeing this? I'm in the UK.)

EDIT: and it was worth it, excellent article.

I got a partially rendered page before, but it is not working anymore.

Same here. Here's the Google cache copy:


The objective content of this article is no better than the one it criticizes. Its claims all boil down to speculation about events for which there is no evidence of any kind.

I know I'm late to the conversation, but Bruce Schneier posted an update on the Lawfare website: http://www.lawfareblog.com/do-russians-and-chinese-have-snow...


Works without the ending slash, nothing to do with incognito mode.

To suggest all foreign superpowers have access to the NSA goods because "security is hard", and "Snowden was able to wander through the NSA’s networks with impunity", is a weak conjecture at best.

I think Snowden/Wikileaks/EFF/ioerror etc are probably much better at endpoint(ie the computers used to access the documents) security than most governments. AFAIK they are not using Windows, all the hacks the Schneier mentions are on Windows systems, rather Tails Linux and other such tools.

There is alot of spin when it comes to security.

It's pure speculation from Schneier. Also Interesting that Schneier has not mentioned this article on his twitter.

would be interesting to hear Snowden's take on this

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact