> The National Security Agency (NSA) is the font of information security wisdom for the US defense and intelligence communities. But apparently, the NSA's own network security is so weak that a single administrator was able to hijack the credentials of a number of NSA employees with high-level security clearances and use them to download data from the agency's internal networks.<p>That's a bit hyperbolic and out of touch with reality. Sure, I, as a sysadmin with root to most UNIX machines in my company's environment, could have been able to copy the raw Oracle db files to steal company secrets, SAP databases for other juicy data that I could sell to a competitor, run a network sniffer on important login servers to steal passwords; that is how the real world works. If anyone believes that you can totally lock down access to every system on your network from your trusted sysadmins and have 100% auditability and accountability, you are unfortunately living in a fantasy land. NSA or not, this really isn't something that is 100% preventable.
Snowden's escape from the NSA exposed two things: 1) <i>illegal</i> kleptocratic behaviour on the part of the government 2) gross security incompetence on the part of the government. The NSA has spent all its time on #1 up until now, so they're going to hype him up as much as possible so as to diminish the embarrassment from #2.<p>> He <i>wasn't</i> just a community college stooge, he was brilliant! The obscure flaw that he exploited has since been fixed, hooray too!<p>Meanwhile 'sudo su' has been criminalized as a precaution.
It's this kind of stuff that really scares me.<p>1) Some government agency builds massive computer system containing lots of information about the general public.<p>2) There are numerous obvious holes in the "massive" computer system for obvious reasons (government's haste, lack of oversight, etc).<p>3) The government's computers get hacked.<p>In my opinion, numbers two and three are inevitable when number one takes place.<p>Something similar just happened in Canada a few years ago with all of our driving information: <a href="http://www.huffingtonpost.ca/2012/11/06/service-ontario-kiosks-ontario-government_n_2081077.html" rel="nofollow">http://www.huffingtonpost.ca/2012/11/06/service-ontario-kios...</a>
Personal observation:
Internal security best practices in spy organizations are rarely 'overlooked'. It is all about trade-offs. I think the more important question is "why would the NSA have lax internal oversight on both user privileges AND audit logs?"<p>The answer is that it is much easier for black bag operations to be scrubbed from potential oversight when an individual holds the power to run the hidden|illegal analysis and clean their own log trails.
Spring clean time at the NSA? Apart from anything he might have done, Snowden has provided a convenient dumpster, which may be used to neatly wrap up and dispose of pesky unexplained incidents.
AKA he typed "su". Or whatever the Windows equivalent is. I do this all the time to diagnose problems and no one has ever written an article about me. :/
If they couldn't detect Snowden, it raises the question of what the Chinese government has access to. I imagine every government and hacking group in the world is doing everything they can to get access to that pile of data. Even if you trust the US government not to abuse these capabilities, what will happen when that data falls into even worse hands?
This appears to be a snowjob against Snowden, and BS -- Look at the language:<p>1. <i>Snowden impersonated NSA officials, sources say</i><p>2. <i>Edward Snowden accessed some secret national security documents by assuming the electronic identities of top NSA officials</i><p>3. <i>forensic investigation has included trying to figure out which higher level officials Snowden impersonated</i><p>4. <i>if an employee was on vacation while the on-line version of the employee was downloading a classified document, it might indicate that someone assumed the employee’s identity</i><p>5. <i>NSA has already identified several instances where Snowden borrowed someone else’s user profile to access documents</i><p>6. <i>“The damage, on a scale of 1 to 10, is a 12,” said a former intelligence official.</i><p>7. <i>The NSA declined to comment</i> <--- WTF, then who are the above sources?<p>[Edit: I wanted to add a little bit of clarity here: the language used is very vague and references things that could never possibly be confirmed: sources say, "might indicate", "has identified" --- This story is like a bunch of paragraphs typed out, randomly put into a hat then shaken onto the floor into the pattern of the story. It is not a decisive, cohesive piece of information -- then it is ended saying that the NSA has no comment.<p>The TITLE is "NSA finds Snowden hijacked officials’ logins" NSA FINDS....<p>So, if the NSA doesn't comment - and the "analysis by NBC" and the NSA declines to comment are all used -- then NOTHING in this piece can be believed.<p>Even if the entire premise is true - this is hands down the worst framing of the information, supposedly factual, one could imagine!<p>---<p>In my informed IT professional opinion, they are using this to brand him a hacker - and they make a bunch of "what if" type claims. Then they slide into a confirmed report.
Then they claim the damage is off the scale (12 on a scale of 1-10)<p>This is a completely MISO built PR piece for the NSA.<p>As administrator on any system (administrator in Windows, and Root in *nix) one will have access to whatever you want.<p>Whilst at Lockheed, I had admin rights to every machine and document in my realm - I would have had no need to "impersonate" any other Lockheed employee...<p>The mistake here is if NSA was using the same root passwords/keys across entire tiers of machines. In that case - call it criminal negligence on the part of whoever architected that disaster.
To me this simply looks like the folks in charge are locking in their cyber crimes case against Snowden. If he's ever brought in--for whatever reason--and even if he magically avoids every charge of espionage, treason, leaking, spying, misuse of company keyboards, or whatever, they'll have the hacking angle sunk so deep that it won't matter.<p>If Bradley Manning got what he did for scary wget wizardry (making no statement about the validity of that charge or verdict) then I think Snowden can safely expect more consecutive life sentences than he has fingers and toes.
Has anyone figured out exactly how high Snowden's clearance went?<p>They're really non-specific about what he did (and play it off like he couldn't do anything), but it's coming across more & more like he really had his crap together.