Perhaps The NSA Should Figure Out How To Keep Its Own Stuff Secret Before Building A Giant Database
from the just-saying... dept
Apparently, the brilliant minds at the NSA are completely bewildered as to how Ed Snowden had access to everything he had access to. They don’t think it’s possible.
Among the questions is how a contract employee at a distant NSA satellite office was able to obtain a copy of an order from the Foreign Intelligence Surveillance Court, a highly classified document that would presumably be sealed from most employees and of little use to someone in his position.
A former senior NSA official said that the number of agency officials with access to such court orders is “maybe 30 or maybe 40. Not large numbers.”
And, according to other reports, Snowden delivered much, much more to reporters:
Mr. Snowden has now turned over archives of “thousands” of documents, according to Mr. Greenwald, and “dozens” are newsworthy.
In other words, more leaks are to come. But, considering that people are already scrambling to see how one pretty junior IT guy could have access to such things, it’s making people wonder just how screwed up the NSA is if information could leak out this way — and conversely, why should we trust them with our data?
Edward Snowden sounds like a thoughtful, patriotic young man, and I’m sure glad he blew the whistle on the NSA’s surveillance programs. But the more I learned about him this afternoon, the angrier I became. Wait, him? The NSA trusted its most sensitive documents to this guy? And now, after it has just proven itself so inept at handling its own information, the agency still wants us to believe that it can securely hold on to all of our data? Oy vey!
Or, as Farhad Manjoo notes later in that same article:
The scandal isn’t just that the government is spying on us. It’s also that it’s giving guys like Snowden keys to the spying program. It suggests the worst combination of overreach and amateurishness, of power leveraged by incompetence. The Keystone Cops are listening to us all.
And, on top of that, people are pointing out that if Snowden could walk out with that much supposedly secret information, you have to wonder who else has done so as well, perhaps with much more nefarious intent, such as selling the information to a foreign power or group. Conor Friedersdorf points out that having the NSA collect so much data makes it a key target for the Chinese:
Even assuming the U.S. government never abuses this data — and there is no reason to assume that! — why isn’t the burgeoning trove more dangerous to keep than it is to foreswear? Can anyone persuasively argue that it’s virtually impossible for a foreign power to ever gain access to it? Can anyone persuasively argue that if they did gain access to years of private phone records, email, private files, and other data on millions of Americans, it wouldn’t be hugely damaging?
Think of all the things the ruling class never thought we’d find out about the War on Terrorism that we now know. Why isn’t the creation of this data trove just the latest shortsighted action by national security officials who constantly overestimate how much of what they do can be kept secret? Suggested rule of thumb: Don’t create a dataset of choice that you can’t bear to have breached.
And, yet, that’s exactly what we’ve done. If Snowden had access, then it seems only reasonable to assume that he wasn’t the only one. Meaning that plenty of others also had access to the same information, and there’s a decent chance that it’s already leaked to others. The NSA is supposed to be the best of the best, but they don’t even seem to know how to keep their secrets secret.
Filed Under: database, ed snowden, it, leaks, nsa, nsa surveillance, risks
Comments on “Perhaps The NSA Should Figure Out How To Keep Its Own Stuff Secret Before Building A Giant Database”
MILK IT MIKEY!!!
YES!!!
Whatever you do, never discuss your beliefs directly and honestly. Just pump out the FUD and the hate!!! Get those clicks, Mikey!! They are more important than the truth!!
Re: Re:
huh?
Re: Re:
Mike has discussed his beliefs directly, you just refused to take yes for an answer and he got fed up with your bullshit
Re: Re:
Discuss beliefs directly and honestly… unless you are talking religious beliefs you must be incapable of reading comprehension.
Pump out the FUD? I’m pretty certain we should be fearful and doubtful of a country that not only once (Manning) but now twice has lets tons of classified documents hemorrhage out into the public… by a couple nobodies who never had the clearance and/or need to know to even have access to these documents in the first place. There’s little reason to doubt that the ‘powers that be’ just hand out sensitive information as party favors.
Re: Re:
Why do you hate open discussion so much? What do you have to gain by trying to stop us discussing issues that are vitally important to us, hmm? Seriously, what are you trying to hide?
Re: Re:
How much is the government paying you to intentionally distract from the topic?
perhaps it should learn how to ‘snoop’ on those that mean harm to whoever, wherever, instead of making every single person in the world out to be a criminal, a terrorist, a multi-person killer, just because it’s easier than actually finding those that want to do harm and keeping track on their messages and movements!
Re: Re:
So you want them to identify the bad actors prior to collecting the data to identify the bad actors.
I’m not stating that what the NSA did was right. However, there needs to be some broad level information gathering. Every cop that stands in a public place looking for shifty motion is survailing the public. The issue is how long is this data kept and how is being gathered? what level of data is being gathered and retained.
From what I can tell, the bigger issue is PRISM than the verizon leak. Phone lugs and cellphone tower pings have never required a search warrent. Universities have been using similar anonimitized data to map traffic patterns for years. What was the extent of the contact sharing that google provided is the bigger issue.
Re: Re: Re:
metadata builds an entire communications mapping consisting of locations, connections, devices, date/times, numbers and contacts. Overlay just about anything over that metadata (google+/facebook/banking/driving etc) and you, quite literally, succeed in mapping the activities, habits, travels and writings of any individual with cellular & Internet access. It’s not hard to envision a web of connectivity that directly results in official and legal targeting of persons of interest that were derived and deemed interesting solely from metadata.
It’s not hard to make the leap that all involved have gone, far and away, above what is legal, reasonable, appropriate and, above all, expected.
Many will refrain from speaking freely henceforth. Revelation was the first domino. Revolution will be the last.
Re: Re:
That is difficult to do, as the starting point is often observed behavior. This requires people out in the community, foreign country etc. like what most people think a spy’s job is; but without the exciting the James Bond action bits.
However it is much more comfortable to sit at a computer, where lots of false positives, like angry teenagers will fill in the days reports.
Re: Re:
i’m not sure you catching on to the nub:
WE.
ALL.
ARE.
THE.
ENEMY.
IF you are a good li’l cog in the machine and keep your head down, don’t bitch about anything, and support Empire in all ways, then that doormat is not a problem… (yet)
it is the ne’er-do-wells who talk about rights, the complainers who bitch about kongresskritters, the ones who insist on following the constitution, the ones who have actually read -and believe!- the bill of rights who are ‘the enemy’…
haven’t you been following the playbook ?
diligent citizens who actually have a copy of the constitution are considered ENEMIES, The They ™ spy on and infiltrate such crazy people…
KNOWING AND INSISTING ON YOUR ‘INALIENABLE’ RIGHTS IS THE NUMBER ONE SIGN OF AN ENEMY OF THE STATE…
wake the fuck up, sheeple…
art guerrilla
aka ann archy
eof
The data might as well be porn.
No one entity should be trusted with that much data. Not the NSA, the CIA, the FBI and all the other various acronyms we label our governmental subsidiaries.
Nothing good comes from data hoarding. It’s like that one fable with the man who kept a lump of gold in his backyard for the sole purpose of just having it only to be stolen. Even though he was already rich, keeping it just for the sake of keeping it didn’t do anyone any good in the long run. It was easily stolen and although he cried about it, the gold didn’t have any purpose. It might as well have been a boulder that said “gold” on it.
It’s the same with the data. Keeping it as a “just in case” makes them sound like packrats. It doesn’t do anyone any good and if it gets stolen, things end up much worse in the long run. That miscellaneous data might as well be filled up with porn. It takes up the same amount of space and if anyone steals it, it’s just as valuable to the right buyers.
Re: The data might as well be porn.
No one entity should be trusted with that much data. Not the NSA, the CIA, the FBI and all the other various acronyms we label our governmental subsidiaries.
Not Google, not Facebook, etc.
Look, the technology is now there to amass the data. Everyone is going after it. People are pushing the boundaries of how much info they can gather and what they can do with it.
Seems to me we’re headed toward a world where organizations and companies are going to do this because they can.
And here’s the tech/libertarian dilemma. If you want to allow companies to amass data, and if you want to minimize government interference and regulations, then every person, company, country, etc. is going to amass data and do whatever the hell they want with it.
Why can’t the government collect data just like everyone else? What, you’re going to pass laws and regulations restricting what can be done with data going on the Internet? Yeah, sure.
If any entity can gain access, eventually everyone can gain access. Let’s deal with that reality instead. Essentially there are no secrets anymore.
Re: Re: The data might as well be porn.
Imagine that the NSA is a huge private company monitoring citizen data because it can.
What kinds of laws do you want passed to prevent private companies from doing such things?
Re: Re: Re: The data might as well be porn.
And imagine a company as big as Google continuing to buy up other companies and offering an ever expanding list of services so that in time all the world’s communications and data pass through it. Would you pass laws to prevent this? And if you pass such laws, who would you have enforce those laws?
Re: Re: The data might as well be porn.
I was playing a really awesome board/card game last night called infiltration, it’s a cyberpunk setting and the goal is to break into a company and steal as much “data” as you can. We were making jokes about “data” but with the way things are going cyberpunk largely has it right in that trope, data will be king.
With enough information it really stops mattering what information you acquire so long as you can relate it to what you already have. Increasing your dataset always comes with the chance of being able to find new value with in it and as computers become more powerful and we build better and better programs for finding patterns and relationships everything starts to matter.
Data mining has already started and it’s only going to lead for a rush for data and to find sources and types of data that hold undiscovered value.
It’s going to be… interesting…
Re: Re: The data might as well be porn.
Neither should collect too much – but it also depends on how much choice we have. We can avoid companies like Google (and Microsoft, and Yahoo! and…) but it’s harder to avoid Telcos/ISPs. We can’t avoid the government. So that is one parameter on how much transparency/control that the rule of law should bring.
Secondly, there’s how much damage can be done. Can Google ‘hide’ my link or sell my details to an advertiser? Ouch!
Can my ISP disconnect me? Bloody pain!
Can the government arrest me and chuck me in solitary for a year? Serious, serious pain.
Once again, the level of control should relate to the amount of potential harm.
I’m sure people know their data is being collected by both corporations and governments. The issue is how much and how transparent the process is, with which checks and balances. Corporations AND government have both got to be kept reined in from their worst excesses.
Re: Re: Re: The data might as well be porn.
I’m sure people know their data is being collected by both corporations and governments. The issue is how much and how transparent the process is, with which checks and balances. Corporations AND government have both got to be kept reined in from their worst excesses.
I doubt that data is not going to be collected. And I doubt that companies want limits placed on what they can collect and do with it, so therefore transparency would be good. Have everyone (public and private) tell us what they are collecting and what they are doing with it.
Here’s what I have been suggesting.
The NSA didn?t end our right to privacy. We gave it away for free | PandoDaily: “2. Since we?re sharing the information publicly, would the surveillance program be more acceptable, if the NSA simply built a crawler to scrub data from the public Web? Is it really a breach of privacy, when we?ve made everything public in the first place?”
My guess is that he didn’t collect the information himself, he just disseminated it. Anonymous has said for some time now that they’ve had serious information about the government they were going to expose. My guess is he either helped the people who know what they are doing to be able to breach the system, or he became disillusioned and came to their attention after the fact, and agreed to be the fall guy.
Re: Re:
My guess is that you have no idea what you are talking about.
If you have an unethical system built by the lowest bidder and cut corners anywhere you can, you are certain to leave wide-open doors for developers/maintainers to get in and take whatever they want.
You get what you pay for.
This NSA thing is going to get much worse before it gets better. I do hope things get turned around.
Hey Clapper, I hear John Steele is available.
Mixed Messages
Dear NSA,
Is this cyberwar happening or not? I mean, if we have to worry about China hacking into our power companies, gas companies, and sewer lines; putting all this data under one giant “Kick Me” sign is idiotic at best. Or is this cyber-threat not as big as you make it out to be?
Sincerely,
A network administrator with more brains then all of you.
Re: Mixed Messages
Maybe the cyberwar stuff was really about trying to keep people from learning about the NSA’s activity. A group like Anonymous would eventually find evidence of this (assuming that they hadn’t already).
Keystone Kops
It is not dawned on the darkbulbs in Washington that massive amounts of data are a target in of themselves. Hackers attack large banks and companies routinely because that is where large amounts of financial data is. The Chinese (or whomever you wish to fill) are at a minimum as smart and technically capable as the hackers are and have more resources.
Continues to support is a LIMITED HANGOUT.
Listen, guys, I WANT this Snowden to be real and for what he’s alleged to have done to at last wake up enough people to matter. And I’m not so cynical as to say it isn’t possible, BUT the darn facts keep getting in the way. And to say the least, I don’t believe the first story I hear, especially not when so close to gov’t. There are TRILLIONS at stake for the military-industrial complex and international bankers in taking over the US. That’s not left to chance by the actual “invisible hands” that not only control but OWN the markets.
So unlike you puppies who happily go barking your fool heads off down every trail that Mike throws a stick at, I’m going to look for the real dangers.
“Think of all the things the ruling class never thought we’d find out about the War on Terrorism that we now know.” — Oh, pffft! THAT is one of the worst wrong assertions. They don’t actually hide it because most people, even when facts are shown to them, will simply refuse to believe it. The ruling class has had their pet technocrats thinking on global control systems since at least when Orwell wrote “1984”, and they’ve got it pretty well figured out. One key trick is to offer “services” like Google which are really honeypots: a commercial, public, even self-funding front for intelligence agencies.
Re: Continues to support is a LIMITED HANGOUT.
Is it bad that it’s becoming harder and harder to tell the difference between the insanity that is our government and the insanity that is the king of tin foil hats?
Re: Continues to support is a LIMITED HANGOUT.
Ok, when I said last time to cut out all those bath salts you are ingesting you really need to freaking stop dude.
Every time I read one of your posts I say “Well that was the most insane thing I can possibly read” but no, give you less than a week and you have something even more incomprehensible cooked up.
Just stop, think of your friends, your family… no matter what made you turn down this dark path the future only ends if you let it!
Re: Continues to support is a LIMITED HANGOUT.
Your definition of a “real” danger is a dead grandmother not paying several hundred dollars for a pornographic film she didn’t download.
Nobody is going to take your definition of “danger” seriously.
Re: Re: Continues to support is a LIMITED HANGOUT.
Don’t ever expect a maximalist shill to come out with anything intelligent. Their labyrinthine thought processes won’t allow it because they have to bend reality itself to fit their distorted worldview.
That’s why trolls keep accusing Mike of not stating his positions clearly even though he actually has, and many times (it’s basically “be reasonable”); their idea of a “position” is total, unquestioning acceptance of our current IPR regime and a solid commitment to upward ratcheting. Anything else is classed as “not taking a position.” Amirite?
Re: Continues to support is a LIMITED HANGOUT.
And I’m not so cynical as to say it isn’t possible, BUT the darn facts keep getting in the way.
I don’t think that word, “facts”, means what you think it means.
Who has access
Who has access to stuff? I’m currently working on a project to audit and secure access to thousands of servers at the bank I work for. What I find daily is frightening.
“No, this developer doesn’t need root access to a group of servers that controls some business critical production application. He should only have access to the develoment environment.”
“No, these three application support guys do not need to be able to access a few hundred servers – the app they support is only on this dozen over here.”
“No, this DBA doesn’t need to be able to do anything he wants to every Oracle database in the domain. He only runs this database over there.”
Every organization I’ve worked with has the same problems. Of course the government is the same way – if not worse. Proper access control takes time, planning, effort, and money. In a business context, people don’t want to pay for that, and don’t want to deal with the hassle of figuring out and investigating what really is needed, and its always a fight to take away access that someone already has even if they don’t need it. In a government context, I’ll bet its more about just getting things to work, and then fights about who gets control over this bit of turf. So much of the monitoring infrastructure we’re talking about was thrown together quickly, down by multiple contractors, and if my experience in the private sector is similar – competing, conflicting, and changing requirements. Not an ideal situation for proper controls to be put in place.
Re: Who has access
Well, I can vouch for your experience in the private sector. Creating a separate network on one system that is needed to be serviced by outside personnel is both time intensive and can be elaborate. Following ITIL procedures, proper documentation, and the rest of the bureaucracy is both a drain on personnel and resources, but for the ?NSA?. I would hope that shortcuts would be non existent, considering most public companies that take this stuff seriously really do minimize any to the best efforts.
What about "Need to Know?"
In all my years as a Classified Material Custodian and as a Security Manager in the Navy it was pounded into me that having a particular clearance level does not give you access to material classified at that level, i.e. having a Top Secret clearance does not give you access to ANY Top Secret material. You must also have a NEED TO KNOW, as defined by whoever is authorized to grant access. Both Snowdon and Bradley Manning clearly had access to huge volumes of material through networked infrastructure that they had NO Need to Know. Why in the world would a PFC in the Army have access to terabytes of classified State Department documents? Both of these instances clearly represent a complete breakdown in the military’s ability to enforce THEIR OWN RULES regarding access based on Need to Know. There is a huge oversight issue in the design and construction of information systems that clearly cannot ensure proper segregation of data with access based on proper criteria.
Let's back up...
And, on top of that, people are pointing out that if Snowden could walk out with that much supposedly secret information, you have to wonder who else has done so as well, perhaps with much more nefarious intent, such as selling the information to a foreign power or group. Conor Friedersdorf points out that having the NSA collect so much data makes it a key target for the Chinese:
Didn’t we learn from the Stratfor emails that we’re already selling American secrets to others?
We sold secrets to Turkey and other countries based on what Stratfor did for money. So you mean to tell me that we should worry about the Chinese?
I think we should worry more about the profit motive in America.
Re: Let's back up...
i would think it certain that the info Manning gave to the puiblic was already in the hands of all the governments of the major countries of the world. With hundreds of thousands of soldiers having access to the stuff it was probably sold abroad many times. The reason for the fury is just embarrassment that the public got to see the stuff.
The Chinese don't have to spy on the US
Why would the Chinese (or Russians, or [insert adversarial nation of choice) go to the bother and expense to spy on the US? It’s far more efficient to let the US government do it, and then simply download it from the NAS!
Perhaps the NSA should stop contracting out this stuff to private companies
That a private contractor could do all that Snowden did shows just how awful the NSA’s security is. Forget worrying about big government, now we have to worry about big corporations with government contracts spying on us to!
"Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
Everyone keeps calling him a “Low Level” or “Junior” IT Professional. He made over $200k per year. That is not the normal pay range for anything “Low Level” or “Junior”. It really looks like either he was grossly overpaid or someone is trying to make him look less important than his salary indicates.
Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
But he was a contractor, so… /shrugs
Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
I’m not sure where the 200k was derived from but I believe that B&A, his now former employer, said he was paid approximately 120k. Perhaps that 120 was fluffed up with vacation, health&dental, 401K, training, comfy chair on the total compensation package page. You know the one, the one that says “we know your gross is X but we actually pay Y for you”.
Re: Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
I don’t know his pay situation, but it’s possible that it’s similar to mine. My official salary is x. This is what I’m guaranteed to make (excluding the value of things like insurance, etc.)
However, my actual takehome is quite a bit larger, as every quarter the company issues a bonus to all employees. The amount varies a bit from quarter to quarter (it’s based of company profitability), but is reliable enough to estimate in advance. This amount is y, and is substantial.
If someone asks what I make, the honest answer is “x+y”. If someone asks my employer what I make, they’ll report jsut my salary, the much lower “x”.
Re: Re: Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
Same situation, I live and work here in Hawaii as a contractor, but his story about his pay doesn’t add up. Also, if he was getting all this money, why is he living in the ghetto section of Hawaii. I get that it’s close to his work, but so is where I live, with a family, making less than both what he and the company claim. Doesn’t quite add up.
Not to mention, young contractor, not much experience, only a GED from what I’ve seen. Where are his certifications and years of experience that would demand such a paycheck. Guys who handle much more important network positions in DC only make about 130K.
Re: Re: Re:2 "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
Another thing that has been raised in a number of articles is why Hong Kong (China is not known for its support of personal freedoms) and why blow all of your money staying in an expensive hotel when there are much cheaper ones available.
I’ve half-kiddingly suggested that perhaps he’s been working for China. And given the timing of his disclosures (when Obama was meeting with Xi), it might have been good leverage for China in the talks.
Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
except the security clearance makes it a more responsible job- some of the pay is due to the requirement to STFU.
So, Glenn Greenwald is writing about classified information that was leaked. I assume Salon.com will now receive the same treatment as Wikileaks.
Re: Re:
So, Glenn Greenwald is writing about classified information that was leaked. I assume Salon.com will now receive the same treatment as Wikileaks.
Glenn Greenwald left Salon a while back. He now writes for The Guardian.
Re: Re: Re:
So, when will he receive the Assange/Wikileaks treatment?
A government agency that routinely spies on thousands of people is surprised that someone spied on them. There’s a joke in there someplace…
Really?
The folks with a TS/SCI clearance, especially the network folks, have access. In such cases as this do we REALLY want to encourage the government, who have been proven to be untrustworthy, to purge their ranks of potential whistle blowers?
Re: Really?
wrong- clearance does not grant access. What a security clearance does is mean you don’t need to sign an NDA for each and every new piece of classified info you need to access- Need to Know overrules cleaance. ( both ways, actually- you can have the appropriate security clearance and still be refused access if you have no business knowing the information, just like if you have a provable need to know some information, you can get it w/o security clearance- you just need to sign an NDA.
The NSA is supposed to be the best of the best, but they don’t even seem to know how to keep their secrets secret.
Which gives some idea of just how skilled the less than best of the best organizations might be.
Secrecy protocols
I had a similar reaction to the Manning case: if they want to prosecute him, first, at very least, they should publicly excoriate and fire the nitwit(s) who came up with security protocols that gave an Army PFC, yes a PFC with a high security clearance, but still, access to diplomatic cables.
The fact that Snowden in theory was not supposed to have access to things he accessed (or so they say), makes the NSA maintenance of broad records of Americans activities all the more troubling. Even allowing, for the sake of argument, that standard NSA procedures do not allow access to any data about an identifiable American citizen, whether raw or the result of algorithmic analysis, without a FISA warrant, and even presuming (again for the sake of argument) that all FISA judges are honorable men with a deep commitment to the American constitutional order and the plain meaning of the 4th Amendment, how do we know that rogue agents (or maybe “rogue agents” with orders from Washington, cf. the Cincinnati IRS office) can’t and won’t access the data in violation of standard NSA procedures?
security matters bro