1,000 Sys Admins Can Copy Any NSA Document Without Anyone Knowing About It; Think Only Snowden Did?

from the perfect-audits? dept

Following on our earlier story about how Ed Snowden covered his tracks -- showing that the NSA's vaunted "auditability" of its systems is a complete joke -- comes the news that there are approximately one thousand sys admins with Snowden's authority, who can basically go through any document without any trace. Even more incredible: they can "appear as" anyone else when doing things on the system. In other words if a sys admin wanted to frame an NSA analyst, it sounds like that would be quite easy. The report also notes that, for all of the talk about how great the NSA is at cybersecurity, and the fact that part of the point of CISPA was to try to have the NSA in charge of the nation's cybersecurity, the agency does a piss poor job protecting itself:
“It’s 2013 and the NSA is stuck in 2003 technology,” said an intelligence official.

Jason Healey, a former cyber-security official in the Bush Administration, said the Defense Department and the NSA have “frittered away years” trying to catch up to the security technology and practices used in private industry. “The DoD and especially NSA are known for awesome cyber security, but this seems somewhat misplaced,” said Healey, now a cyber expert at the Atlantic Council. “They are great at some sophisticated tasks but oddly bad at many of the simplest.”
That last sentence really means: "they are great at hacking stuff, but crap at protecting stuff."

As for the thousand or so sys admins on staff, it appears that they have no restrictions or tracking of what they do:
As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.

He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.

If he wanted, he would even have been able to pose as any other user with access to NSAnet, said the source.
Remember how the NSA at one point said that there were only 35 analysts who could run certain queries? And that all of the queries were tracked and audited. It seems they left out the thousand or so sys admins who could do whatever they wanted with no tracking at all. Does anyone honestly think that none of those sys admins ever was involved in a "LOVINT" situation? Or something much worse?

Oh, and people will remember that the NSA's new plan to "fix" this it to get rid of about 900 of those sys admins, rather than fix the actual problem. And, of course, if you know anything about how this stuff works, you'd know that the NSA probably can't actually automate away 90% of what its sys admins do.

So we're left with an agency that collects a ridiculous amount of info, and has around 1,000 employees (who are mostly actually employed by outside contractors) who can look through anything with no tracking, leaving no trace, and we're told that the data isn't abused. Really? Do Keith Alexander, James Clapper, President Obama, Dianne Feinstein and Mike Rogers really believe that none of those 1,000 sys admins have ever abused the system? And, do they believe that none of the people whom those thousand sys admins are friends with haven't had their friend "check out" information on someone else? Hell, imagine you were someone at the NSA who understood all of this already. If you wanted to abuse the system, why not befriend a sys admin and let him or her do the dirty work for you -- knowing that there would be no further trace?

Basically, it seems clear that the NSA has simply no idea how many abuses there were, and there are a very large number of people who had astounding levels of access and absolutely no controls or way to trace what they were doing.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 12:54pm

    They gave 1000 people system administration privileges? Wow as a system administrator you can pretty much do as you please then remove any trace you were ever there. Also yes you can't automate system admins. Its way better to have trustworthy people then a computer which can be hacked and then there's completely no way to know.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 12:58pm

    Ah, the geeks are in control...

    This reminds me of all the congress critters belittling the "geeks" and "nerds" - and shunning them because they didn't understand computers.

    And here we are - finding out that the geeks and nerds are the ones basically running things that Congress is supposedly overseeing.

    So...who runs this country again? When will they start listening to the very people they're putting in charge?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 1:13pm

    wow. i hope somehow, somewhere, they put a RADIUS server for authentication from the Internet...

    Or - better- forgot to include the magic cable to get to the internet from . . .

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 1:26pm

    How many of those 1000 sys admins are paid to spy for other governments?

    Here's a bigger question, with 1,000 people who can do whatever they want and get their hands on almost any data they want it sounds like, how many of them have been bribed to work for foreign governments?

    If they can access this information so easily like Snowden could, and they can cover up their tracks so easily like Snowden did, that makes ALL of them a very tempting target for a foreign government to bribe.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Baldaur Regis (profile), Aug 26th, 2013 @ 1:29pm

    Soooo...

    NSA internal security is provided by Big Bird and Oscar then?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 1:30pm

    Insider Threat

    Okay, so it seems that at least the bulk of corporate world gives lip service, at minimum, to insider threat...

    I kind of doubt that even the NSA completely missed this one...
    I'm afraid to ask... how stupid does the NSA believe that the general public is?

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Aug 26th, 2013 @ 2:12pm

      Re: Insider Threat

      Let me put it this way, I've been awake and trolling the internet on and off for the better part of 12 hours, and by far the biggest story I've seen today is Miley Cyrus at the VMAs.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous, Aug 26th, 2013 @ 4:35pm

        Re: Re: Insider Threat

        LOL! I just posted a line from a Miley song a few seconds before reading your post!
        MILEY ROCKS!

         

        reply to this | link to this | view in chronology ]

  •  
    identicon
    slinkySlim, Aug 26th, 2013 @ 1:36pm

    Got Root?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anon? Hah!, Aug 26th, 2013 @ 1:38pm

    Disgruntled admins..

    Now that 900 face the axe (gone already or given notice?) I'd bet the morale of the remaining 100 is quite low, with a hefty blend of paranoia.

    I bet things go _much_ smoother from here on in..

    Oh, and 900 people are probably a little pissed at going down with the Snowden ship..

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Wally (profile), Aug 26th, 2013 @ 1:55pm

      Re: Disgruntled admins..

      I wouldn't say I would worry about disgruntled admins as much as the fact that they still have access after they've been fired. What's more is that they've got only 100 people to remove the security credentials on what is likely thousands of computers.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        PaulT (profile), Aug 28th, 2013 @ 6:55am

        Re: Re: Disgruntled admins..

        I'd hope an organisation the size of the NSA has some kind of centralised security management and other restrictions. If they're manually setting the access credentials for each individual machine, they're asking for trouble and you might as well assume that the data's compromised anyway.

        The more realistic question is how many of those admins left themselves backdoors or other ways of accessing data that nobody else knows about. I'll bet there's several, and now they lack the manpower to audit machines for anything not detectable by standard intrusion detection and auditing procedures.

         

        reply to this | link to this | view in chronology ]

  •  
    identicon
    out_of_the_blue, Aug 26th, 2013 @ 1:51pm

    Dang, I don't have a snarky comment based on a logic fallacy for this one.

    I guess you are right Mikey. Great Job exposing this for the people!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 1:56pm

    AH- the King's new cloths

    At least now we know how big his dick is and how often he gets laid!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 2:22pm

    ' su jclapper'
    ' cd /'
    ' cp -ar * /mnt/usb0'

    The space if front is important, so command don't get logged.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Prask, Aug 26th, 2013 @ 2:40pm

    Re: Only Snowden?

    Q1: Is it possible to gather information using NSA systems on women?
    Q2: Are there any men employed as sysadmins?

    If (Q1 and Q2) = true then the systems *have* been abused. Bad security cannot beat evolutionary imperatives.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anon-Y-Mouse, Aug 27th, 2013 @ 3:08pm

      Re: Re: Only Snowden?

      Q1: Is it possible to gather information using NSA systems on women?
      Q2: Are there any men employed as sysadmins?

      If (Q1 and Q2) = true then the systems *have* been abused. Bad security cannot beat evolutionary imperatives.

      No, evolutionary imperatives will always beat the best security.

      The computer is your friend. Trust in the computer.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 3:23pm

    How many of those 1000 sysadmins are working for the NSA?

    And how many of them are working for the Russians, the Chinese, the Japanese, the British, the Germans...or worse, the Mafia, the Zetas, etc.?

    Surely nobody of the slightest intelligence is going to suggest that 1000 out of 1000 are absolutely loyal. The odds against that are staggering. Not when Snowden has provided a demonstration proof that -- with just a little care -- it's possible to stroll out of the NSA with a staggering amount of information. Surely someone who only needs to take a little information...but just the right information...and sell it to some very interested buyers who are willing to pay top dollar/yen/euro/rupee for it, will have no trouble doing so.

    Another way of looking at it: the NSA is very busy building an information repository for lots of other people besides the United States government.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    The Original Anonymous Coward (profile), Aug 26th, 2013 @ 3:29pm

    Have those 1000 sysadmins actually been terminated?

    If so, here are a few questions:

    1 - Did they leave any back doors into the systems?
    2 - Did they create some other accounts for later use?
    3 - Did they already dump all the files they could find into a safe place?
    4 - Who are they blackmailing already?

    It sounds like a lot of these servers are UNIX or Linux based and the folks that administer those systems tend to be very creative.

    ;-)

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Rikuo (profile), Aug 26th, 2013 @ 4:36pm

      Re: Have those 1000 sysadmins actually been terminated?

      A sysadmin or a group of sysadmins who know they are facing the axe but then don't threaten to wreck the IT systems if they're fired don't deserve the title. No matter what your organization, NEVER piss off your sysadmins. Since it's been proven here that any of them can leave no trace, then there really is nothing stopping them from going "Fuck this, there goes my salary, might as well get myself set for life and sell a few secrets to the Chinese or Russians or whoever".

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        The Original Anonymous Coward (profile), Aug 26th, 2013 @ 6:04pm

        Re: Re: Have those 1000 sysadmins actually been terminated?

        Maybe they've all been "terminated", as in the Arnold Schwarzenegger type of termination.

        People should start checking the missing persons reports for those cities hosting major NSA installations.

         

        reply to this | link to this | view in chronology ]

      •  
        icon
        TheLastCzarnian (profile), Aug 27th, 2013 @ 6:17am

        Re: Re: Have those 1000 sysadmins actually been terminated?

        Real Sysadmins don't spend months or years creating a beautiful, functional system just to tear it down at the threat of termination. It would be like cutting the left pinky-finger off of your child. It's sick.

         

        reply to this | link to this | view in chronology ]

        •  
          icon
          Josh in CharlotteNC (profile), Aug 27th, 2013 @ 7:15am

          Re: Re: Re: Have those 1000 sysadmins actually been terminated?

          a beautiful, functional system

          That's funny.

          I don't think the NSA's system fits as either of those adjectives.

           

          reply to this | link to this | view in chronology ]

  •  
    icon
    That Anonymous Coward (profile), Aug 26th, 2013 @ 3:56pm

    If this wasn't the NSA, this would be hysterical.
    Sadly, this is the NSA and I don't know about anyone else but I feel fuckloads less safe seeing how inept and incompetent they are.
    I'm terrified that Congresscritters and others actually think these people are the best of the best.

    This is what happened with every "good" idea we put into motion, they attach wads of cash to their corporate sponsors and it goes to shit and needs more and more money.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 4:23pm

    Another 900 Snowdens ready to go wild

    They don't know what Snowden took and now they're firing another 900 just like him. What are they leaving with?

    OK, I'm not paranoid but.... I think everyone needs to make themselves as small a target as possible. Start encrypting phone calls, emails, text messages, browsing. Stop storing files on Dropbox, in Gmail, in iCloud, etc., and stash everything in a Cloudlocker (www.cloudlocker.it) which stays in your house where they still need a warrant to look inside.

    What a shame it's come to this, but we have to protect ourselves from the people who are supposed to protect us.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 6:10pm

    Basically, it seems clear that the NSA has simply no idea how many abuses there were, and there are a very large number of people who had astounding levels of access and absolutely no controls or way to trace what they were doing.

    And now 900 of them are going to get laid off.
    I've heard of big businesses being brought to their knees at the hands of one disgruntled sysadmin. One.
    They fired. Nine. Hundred. Sysadmins.
    Sysadmins who were in charge of an enormous database of potentially dangerous information, all locked behind paper-thin security.

    This cannot possibly end well for the NSA.
    They're not going to be able to drum up much sympathy when the other shoe drops, either. With the public in a state of sustained outrage, and congressmen clamoring for them to be defunded, they may well be shut down altogether in the wake of whatever disaster befalls them.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 6:25pm

    Guesses about NSA tech

    As tech-heavy as they are, the NSA is a very large and (in tech terms) relatively old organization, and a government one at that. From those characteristics, we can extrapolate from similar (but not secret) organizations to make certain guesses. For example, they've probably had an attempted upgrade turn into a major screwup with huge cost overruns and lots of management ass-covering. It happens in the military, it happens in government, it happens in private industry.

    We can also guess that they have lots of legacy tech to maintain. Specialized old hardware and software that has to be kept in place for specific intelligence-collecting missions, but that doesn't integrate well with more up-to-date systems. Keeping these systems working would require specialized employees with significant system privileges.

    We can also guess that their bureaucratic structure and security requirements will sometimes delay new technology. If, for example, they were using a custom in-house linux fork, then any improvements and bugfixes have to jump through the obvious hoops.

    That's all straightforward, and can be streamlined. But it also means that those old systems -- the ones that mostly work, don't seem like a big risk, and would be a huge effort to replace, may be continued nearly indefinitely. It also suggests to me that remodeling old tech might sometimes be bureaucratically preferred over new construction. How many lines of Fortran 77 do you reckon the NSA still has deployed? Of Cobol? Ada?

    My guess is the NSA has some really nasty system integration/ESB/API-genre problems. In addressing these, upper management lacks the technical expertise, but demands solutions, so middle management looks the other way when nerds cut corners on security stupidity (cf. sysadmin privs) to get results.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 26th, 2013 @ 6:30pm

    Fired 900

    I bet the statement about getting rid of 900 sysadmins is like the other "least untrue" hairsplitting -- it means they'll have different job titles, but still be getting a paycheck. Maybe even a promotion!

    I'll also bet that everything that can easily be automated has already been automated. Remember, upper management is always completely fucking clueless.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    toyotabedzrock (profile), Aug 26th, 2013 @ 10:28pm

    Log wipe

    I have commented on several stories here and other places and on g+ that they have no idea what he has in total because he wiped the logs

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    That Anonymous Coward (profile), Aug 26th, 2013 @ 11:12pm

    sudo copy *
    sudo wget Hong Kong boarding pass
    sudo rm log

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 27th, 2013 @ 12:46am

    Lesson nr.1 in ANY company - NEVER P!SS OFF THE SYSADMIN.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Aug 27th, 2013 @ 12:48am

      Re:

      And cutting their job certainly doesn't help...Can't wait to see those disgruntled ex-NSA-sysadmins to start leaking stuff.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Ninja (profile), Aug 27th, 2013 @ 6:00am

    ANOMALIES!!! 1000's OF THEM!!!

    Ahem.

    Hope we see quite a few more Snowdens then.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    ThatFatMan (profile), Aug 27th, 2013 @ 7:23am

    This seemed appropriate here...

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Wesley Parish, Aug 27th, 2013 @ 8:17pm

    This long? What took yous?

    That was one of the first things I realized. You have data piling up, both on the organization, and on its victims. You have people of all different shades of political belief and technological ability. And you have - in every organization - someone disgruntled with something or other.

    Plus you're working in the Security/Intelligence field, where terminating employment sometimes means terminating the employee as well, even in the spy novels (One of the books I read during my misspent youth was about working in Security/Intelligence, and one thing the author pointed out was that anyone with scruples about terminating another spy to save his own life, was worth nothing as a spy.)

    So the chance that someone else will have insurance lying around somewhere, ready to snap the NSA like dry-rotted wood if anything should turn against him? Practically 1.00 confidence interval.

    The chance that someone will then use that information to spruce up his life? .95 confidence interval.

    The likeliehood that nothing Snowden has leaked so far is news to anyone else? Practically 1.00 confidence interval.

    So, what the h*** took yous? You've had all the pointers ... the persecution of Snowden's got nothing to do with security vulnerability as such - it's got everything to do with security theatre.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 27th, 2013 @ 8:39pm

    Thank you captain obvious...

    Yes, the intelligence agencies are very good at hacking - it's their equivalent of the money-making part of their enterprises. As a result, data-collection is where they spend the bulk of their money and place the most brain-power/skills. However, like the vast majority of enterprises, IT administration is simply another cost-center. As such, those costs are controlled to as great a degree possible - moreso given current budgetary trends. This means that administration is happening at "lowest bid" rates.

    The plus side of this is that, while there may be 1000+ individuals that have sufficient access to do something Snowden-esque, there's a very small fraction that have the skills to even begin to try to take advantage of that access. Smaller still is the number that, even if they had the skill to take advantage of that access would not voluntarily nor could be induced to do so.

    You can see this reflected in any IT services organization: the billable guys tend to be the most clueful folks while the back-office guys tend to be lower-tier skills. Think of the guy doing desktop support at a Fortune 500 and that's what the vast majority of the 1000 SAs are like in government IT.

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This