On Sep 5, 2013, at 7:14 PM, John Kelsey wrote:
> My broader question is, how the hell did a sysadmin in Hawaii get hold of 
> something that had to be super secret?  He must have been stealing files from 
> some very high ranking people.  
This has bothered me from the beginning.  Even the first leaks involved 
material that you would expect to only be available to highly trusted people 
*well up in the organization* - they were slides selling capabilities to 
managers and unlikely to be shown to typical employees, cleared or not.  My 
immediate impression was that we were looking at some disgruntled higher-up.

The fact that these are coming from a sysadmin - who would never have reason to 
get legitimate access to pretty much *any* of the material leaked so far - is a 
confirmation of a complete breakdown of NSA's internal controls.  They seem to 
know how to do cryptography and cryptanalysis and all that stuff - but basic 
security and separation of privileges and internal monitoring ... that seems to 
be something they are just missing.

Manning got to see all kinds of material that wasn't directly related to his 
job because the operational stuff was *deliberately* opened up in an attempt to 
get better analysis.  While he obviously wasn't supposed to leak the stuff, he 
was authorized to look at it.  I doubt the same could be said of Snowden.  
Hell, when I had a data center manager working for me, we all understood that 
just because root access *let* you look at everyone's files, you were not 
*authorized* to do so without permission.

One of the things that must be keeping the NSA guys up night after night is:  
If Snowden could get away with this much without detection, who's to say what 
the Chinese or the Russians or who knows who else have managed to get?  Have 
they "spiked the spikers", grabbing the best stuff the NSA manages to find?

                                                        -- Jerry

The cryptography mailing list

Reply via email to