How Snowden got the NSA documents

How Snowden got the NSA documents

Summary: A report confirms what was likely all along, that Edward Snowden's contractor job gave him unrestricted access to a mountain of sensitive materials for which he had no legitimate need.

SHARE:
23

It's been known for a while that Edward Snowden was a systems administrator for Booz Allen Hamilton doing contract work for the NSA when he obtained the documents which he subsequently leaked to the press. But how did he get at these documents? NBC News has an investigations story on "How Snowden did it" which purports to explain.

The story reveals the problem, although incidentally to their focus on a red herring. The culprit, according to the story, was Snowden's access to NSA systems, from his Honolulu location, through a "'thin client' computer". The story does not name the specific thin client technology used, but the most popular would be products by Citrix, such as their VDI-in-a-Box. These products allow a user to connect using a special client program to a server which runs numerous virtual desktop sessions, each of which appears to be a Windows desktop system. Windows Server comes with a similar, if less-capable technology.

It sounds as if Snowden had such a connection to NSA servers back at HQ in Ft. Meade, MD. He was able, using this connection, to download documents and place them on USB keys which he could then take elsewhere. It's all very much the way Bradley Manning did it many years before.

But there's nothing inherently insecure or old-fashioned about thin clients, as the NBC News story claims. Thin clients, properly managed, can be a very secure method with which to give limited access to users.

The problem in this case was not the client or access method, but the management policies. According to NBC News:

A typical NSA worker has a "top secret" security clearance, which gives access to most, but not all, classified information. Snowden also had the enhanced privileges of a "system administrator." The NSA, which has as many as 40,000 employees, has 1,000 system administrators, most of them contractors.As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. "At certain levels, you are the audit," said an intelligence official.

1,000 is a large number of people to grant such privileges. It's not clear what Snowden's duties for Booz Allen Hamilton were supposed to be with respect to NSA access, but it's unlikely that he would need such broad access.

The intelligent way to manage such a system is to have a multi-level hierarchy of administration, limiting the access of the vast bulk of administrators to documents and systems for which they have a legitimate need. The higher up the hierarchy you go, the more access an administrator would have, and the more closely security personnel could scrutinize their moves.

Right now, based on the NBC News article and what Snowden was able to get away with, it appears that very little scrutinizing is going on at the NSA. With 2 levels of security access, "Top Secret" and "Unfettered", it's surprising that a Snowden-like leak didn't happen long ago. Perhaps it has happened, but all of those leakers went straight to the Chinese and Russians and didn't bother with the press.

It's especially disturbing that Snowden was granted not only access to all the documents he wanted, but permission to copy them to local storage. For a long time, mainstream management systems have allowed enterprises to control whether clients, including thin clients, could copy data to local storage.

The analogy above to Bradley Manning is shockingly apt. In spite of a history which would give pause to anyone who examined it closely, Manning was given access to a huge library of sensitive materials and permissions to copy it to local storage. Same with Snowden.

It's long been a basic principle of security that you compartmentalize access to sensitive data. This goes back long before computers. 3 years went by between Manning's leaks and Snowden's, and nothing appears to have been done to restrict the access to sensitive data. It may be that the NSA has been negligent, but it may also be that there's just too much sensitive data. Probably both.

Topics: Security, Virtualization

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

23 comments
Log in or register to join the discussion
  • if they are negligent with "top secret" what about personal information

    Based on this revelation it is safe to conclude that personal information that is collected can also be accessed at will. i.e. it is easy to abuse the system and violate the average citizen's privacy. Reminds me of the "General Warrants" of King George and its abuse by the rank and file custom agents

    https://www.eff.org/files/filenode/att/generalwarrantsmemo.pdf
    kpthottam@...
  • 'top secret' negligence

    Then again, we have traitors like Manning and Snowden who have betrayed families, community, country... They will both be citizens of the Siberia in their soul forever. There is some comfort in that.
    ElYacare
    • Tell us more

      Please provide us with examples of "Manning and Snowden who have betrayed families, community, country... "

      The jury is still out whether or not they have helped or hurt the country. Taking a survey of the comments on this and other forums, there appears to be a consensus that they have helped America rather than hurt it.
      Astringent
    • LMAO

      Such posts as yours in response to an article about Snowden are like moths to a flame. Why do you not name those who are abusing their positions of power as traitors? And do you suppose they teach about the US Consitution and Whistleblower laws in the "nation of The Siberia"?
      hmmm,
    • Except they're not traitors

      They are the 21st century equivalents of young Ben Franklin, newspaper publisher in the American Colonies. They're not the brightest guys on the planet, but they do have the capacity to see that something is wrong with the system, and to speak out about it.

      Which is a hell of a lot more than the folks at Abu Gharib did.
      Dr_Zinj
  • Tell you what .....

    Tell you what: Lets allow ALL of our "secret people" to access ALL of our "secret documents". What could possibly go wrong?

    Twats! ... They had it coming.

    In fact, its SO stupid as to be unbelievable and strongly suspect it wasn't an accident.
    Something about forcing the "ragheads" to use 'Osama bin Laden style' humans and mopeds for secure communication, I reckon.
    P0l0nium
    • Not exactly Shakespeare but pretty accurate!

      The problem is that management believe that just because they have a policy, that the problems are solved. If you look at the simple example that there is a (law) policy against killing, however everyday thousands die around the world. The only way to stop these kinds of incidents is to firstly engage with your colleagues and create safeguards that safeguard your information without preventing them from doing their jobs.
      Whilst I don't hold with what Manning and Snowden did, I do think we need whistle-blowers because the behaviour of the government, and some of the soldiers, was definitely unacceptable, and needed to be revealed.
      andrew.cowan@...
    • First Offensive Revisionist History about the use of th term "Palestine"...

      ...and now someone saying "ragheads". Wow. I feel like Zdnet's comments are being taken over by Alan Jones fans.
      hmmm,
  • Snowden

    "... it's surprising that a Snowden-like leak didn't happen long ago. Perhaps it has happened, but all of those leakers went straight to the Chinese and Russians and didn't bother with the press."

    there is another possible explanation why 'snowden-like leak[s] didn't happen long ago'. i would bet that many government employees in sensitive positions of trust take their contract obligations and loyalty to our country seriously and see the need to safeguard important information to protect our nation who trust our democratic system to safeguard the privacy needs of our citizens and who are not quite as consumed with self-importance as some co-workers.
    grasspress
    • Regarding taking job seriously,

      Let's remember that he has said he took the NSA job specifically so he could get access to data and disclose it.
      Rick_R
  • I find it very hard to believe that the NSA...

    Doesn't have more than 2 tiers of security clearance. It's far more likely that he either required the rights he was given in order to do whatever he was brought in to do or that someone just gave him more rights than he needed.

    Furthermore. Stopping someone from saving said documents directly to local storage would just annoy someone who was working remotely. It wouldn't stop them from getting the documents some other way. Hell, even my grandma know how to hit CTRL+PrtScn and past it into paint.
    mrefuman
    • Actually...

      There are many products which can block clipboard access and it's a commonly-available security policy.
      None of this stops you from taking a picture of a screen or hand-writing what you see on it. But those methods are impractical for large volumes of data.
      larry@...
    • clearance levels

      I agree, BTW, that it's hard to believe they just have 2 levels. I suppose they may have more and Snowden was granted the "God" level and the NBC article is misleading in this respect. But even if that's true, it speaks ill of their scrutiny of those to whom they grant such access, especially when they grant it to someone operating remotely.
      larry@...
    • Hey everybody - look over there!

      There are many levels above Top Secret which calls into question just how dangerous the information that was availble to Snowden actually is.

      It probably suits the NSA to have us all think that this information is earth-shattering. It probably also suits them to increase the level of paranoia in society.

      I guarantee that what has been released so far has barely scratched the surface of the thin skin of the apple. It will take quite a bit more to get down to where the actual meat begins to be exposed.
      Astringent
  • Copying to local storage - how to prevent, exactly?

    You say:
    "It's especially disturbing that Snowden was granted not only access to all the documents he wanted, but permission to copy them to local storage."

    Well, if you can read it then you can copy it - photographing it on the screen via a mobile phone if *really* necessary. I remember trying to have an email conversation once with a contractor who (for some unknown reason) liked to prevent his messages from being quoted in any reply. And so I just attached a screen-capture of his original mail to my reply instead.
    Zogg
    • Its easy if you keep morons out of management.

      However with the multitude of drooling basket cases inhabiting every office in the federal gov, nothing will ever change.
      Reality Bites
  • Yes, I know how he got them

    He copied them to flash memory card and took them home.

    Actually, all these events are intresting to me, for several reasons:

    The first one is the fact that we don't see computer viruses anymore, because all people who are capable to write viruses are employed now and they have no time to make them just for fun. So Snowden and other leakers are some sort next turn in evolution, they leak data for reasons irrelevant to personnel wealth and this tendency should scare people who consider that everything is only about money.

    2. When I see movies like "mission impossible", they make me smile because only ultimate idiot would keep secret list of all agents in one database. So the worst already happend, America does keep all secret materials on hard drives, so Snowdens can leak them out. Idiocracy rules ...
    Nikolayev
  • Step Back and Look At The Bigger Picture

    The Edward Snowden and the Bradley Manning security breaches are just symptoms of a much bigger problem. I worked in the DOD and saw it first hand. The federal government calls it business as usual. I call it incompetence overseeing incompetence. The government is massively top heavy in management. They have layers upon layers of management. Some bosses may only supervise two or three people and they constantly promote from within which has put a lot people in charge of things they don't understand. Upper managers promote their golf buddies who then promote their bowling buddies and drinking buddies and so on and they keep creating more and more supervisory jobs over not that many people who are actually doing the work.

    This effectively mires down the process of the government doing it's job in more bureaucracy then most people can even visualize. There are so many managers playing office politics and trying to build their own little kingdoms and so little oversight over the whole mess that all kinds waste and security breaches can happen because the left hand doesn't know what right hand does and the right hand may not even know it has five fingers. The Veterans Administration is a good example. The massive of mount of paper documents they still generate in this computer age is incredible because they still print out and file almost everything that is entered into the computer for storage. The government has used computers for over fifty years and still can't get different systems to communication with each other without a bunch of software bridges which is really a half-assed way of doing it. So, they have massive redundancy of everything including secure documents as well as countless back doors into most systems in most agencies. So, it really doesn't take that much of a genius to find a way to get into anything, especially if they are one of the programmers writing all of the crazy software to make different data bases compatible.

    Ever have a boss that doesn't know what you do for living? Happens a lot in the federal government. As long as they pass a background check and make something close to a pinky swear, almost any federal worker can access secure documents. There are probably a lot of Snowdens and Mannings in the government writing the software and operating the different computer systems and there is little chance of management providing effective oversight because they often don't know or care about what the system operators do. If you think these breaches are bad, just wait until some disgruntled programmer unleashes a Trojan Horse from within. Stay tuned.
    snerdguy
  • Snowden Used the System as it was to be used

    It's not that complex. Most of these document were likely sent as attachments between NSA, Congressmen, the president, CIA, Judges, Lawyers blah blah blah. Snowden just had to log on the Prism system and start reading or querying emails. He probably read Obama's email or Clapper's email or followed emails to the FISA court distribution list. He likely used the Prism system to do what it was supposed to do.

    Assuming that this is what he did. Is the NSA going to tell everyone that they are spying on Obama? For you fools that say no way. They were reading Clinton's emails last year.
    Abraham Jefferson
  • Nobody Seems To Care About The Abuses He Has Exposed

    It's bizarre to see this ongoing preoccupation with Snowden and how he got those secrets, with almost no attention being given to the content of his revelations. The people of the US and the rest of the world are being spied on wholesale, but that seems to raise barely a murmur.
    ldo17