
L'affaire Snowden and (Computer) Security

UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET: So not the whole story.

by
Charlie Martin


July 11, 2013 - 7:21 am


Edward Snowden, Remember Him?

This finally takes us back to Snowden, the heroic traitorous whistleblower spy. It’s a lot easier to understand what happened now that we understand just what the context of all this really is. In Snowden’s case, it’s not just the talk about the NSA leaks, but the question of how a mere contractor got cleared for this stuff and how he got access to whatever information he actually has.

So what do we know of his history? He enlisted in the Army, apparently intending to go for the Special Forces, but was discharged after breaking both legs. (It’s been widely reported he enlisted in the Special Forces, but it doesn’t work like that. Four months in, he was in his initial training for whatever military specialty he was looking for.) However, by the time he’d been in the Army that long, he had at least a CONFIDENTIAL and probably a SECRET clearance, those being about as exclusive as a thunderstorm.

This undoubtedly helped him get work as a security guard at the Center for Advanced Study of Language of the University of Maryland. NSA does quite a lot of research in teaching and acquiring languages, because the people they listen to stubbornly refuse to speak English, but this is a very open organization. Still, I imagine it was while he was working there that he got started in the process to get the extended clearance, which took me a year back in the ’70s. Then he was hired by CIA to “work in Computer Security.”

Now we get to one of the things that a lot of people have said: “how did a guy with no college degree and just a GED get hired to work in IT security?” But there’s a basic misunderstanding there: not everyone “working in IT security” is doing research. CIA has a bunch of computers, and they need a bunch of systems administrators.

Would CIA hire someone with a clearance and some computer skills, but no degree? You bet your ass they would. Especially for a sysadmin job. But it’s also the sysadmin job that explains what Snowden may have been able to get access to (and what he probably didn’t really have access to). To explain that we’re going to have to do a little more exposition, this time on computer security in this world.

Like everything in computer science, there’s some math involved, but I promise I won’t go into it much. Here’s the basic idea. When you examine all the rules for sensitivity levels and classifications, it turns out that the real classification of some chunk of data is composed of three parts:

(sensitivity, channel, codeword)

So one file on a computer might be marked “UNCLASSIFIED, carrier pigeon only, alpha” and another file might be “SECRET, regular channels, none.” All of these lists of three things, “triples,” exist in a relationship technically called dominates — if one triple is “more classified” than another triple, the first triple “dominates” the second.

There is an example of this in the NSA slides Snowden released; the Washington Post has published some of them. This one is marked “Top Secret, SI, NOFORN,” where SI is the channel.

These form a partial order, which just means that we can’t always compare two elements and see which dominates the other. The Wikipedia article on partial orders has a good example in street addresses: you know that 300 Pike Street is a higher address than 100 Pike Street, but you don’t necessarily know where 300 Pike Street is compared to 300 Walnut Street.

What’s important, though, is that in general, to have access to information marked (X,Y,Z) you have to be cleared for X, have access to special channel Y, and you have to be individually “read into” information for codeword Z. But it turns out to be convenient to define two special markings, system high and system low. System high is simply defined to be higher than everything else, it dominates anything; system low is dominated by anything. UNIX geeks will recognize system high as being just like root or “superuser” access.

In a real system implementing this scheme, what’s called a multilevel secure system, in theory you control the access to each marking, each compartment, separately. So you restrict the access privileges for even the system administrators so they can only deal with certain information.
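The triple-and-dominates scheme above, written out as working Python. This is an added example, not code from the article or from any real multilevel-secure system: the numeric ranking of the four sensitivity levels, the label values and the file names are constructed for illustration. Channels and codewords are kept as sets (the article's single channel or codeword is the one-element case and "none" is the empty set) so that system high and the least upper bound of two labels can be computed. The read check is the standard "no read up" rule of multilevel security: a subject may read an object only when its clearance dominates the object's label.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Ordering of the sensitivity levels the article names, lowest first
# (constructed ranking; any strictly increasing numbers would do).
SENSITIVITY_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """One marking: (sensitivity, channels, codewords).

    The article writes a single channel and a single codeword; sets are used
    here so that "none" is the empty set and several can be carried at once.
    """
    sensitivity: str
    channels: FrozenSet[str]
    codewords: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        # "More classified" means: at least as sensitive AND carrying every
        # channel and every codeword the other label carries.
        return (SENSITIVITY_RANK[self.sensitivity] >= SENSITIVITY_RANK[other.sensitivity]
                and self.channels >= other.channels      # superset
                and self.codewords >= other.codewords)


def make_label(sensitivity: str, channels: Iterable[str] = (),
               codewords: Iterable[str] = ()) -> Label:
    return Label(sensitivity, frozenset(channels), frozenset(codewords))


def compare(a: Label, b: Label) -> str:
    """Where two labels sit relative to each other in the partial order."""
    ab, ba = a.dominates(b), b.dominates(a)
    if ab and ba:
        return "equal"
    if ab:
        return "dominates"
    if ba:
        return "dominated"
    return "incomparable"   # the "300 Pike St vs 300 Walnut St" case


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label dominating both, i.e. the marking
    a document needs when it draws on material under both labels."""
    top = max(a.sensitivity, b.sensitivity, key=SENSITIVITY_RANK.__getitem__)
    return Label(top, a.channels | b.channels, a.codewords | b.codewords)


SYSTEM_LOW = make_label("UNCLASSIFIED")   # dominated by every label


def system_high(all_channels: Iterable[str], all_codewords: Iterable[str]) -> Label:
    """Top sensitivity plus every channel and codeword the system knows about,
    so it dominates every label currently in use (the article's "root")."""
    return make_label("TOP SECRET", all_channels, all_codewords)


def can_read(clearance: Label, data: Label) -> bool:
    """Reference-monitor check ("no read up"): a subject may read an object
    only when the subject's clearance dominates the object's label."""
    return clearance.dominates(data)


if __name__ == "__main__":
    # constructed labels, following the article's examples
    file_a = make_label("UNCLASSIFIED", ["carrier pigeon only"], ["alpha"])
    file_b = make_label("SECRET")
    slide = make_label("TOP SECRET", ["SI"])
    print(compare(file_a, file_b))                            # incomparable
    print(can_read(make_label("TOP SECRET"), slide))          # False: not in the SI channel
    print(can_read(make_label("TOP SECRET", ["SI"]), slide))  # True
    root = system_high(["carrier pigeon only", "SI"], ["alpha"])
    print([can_read(root, f) for f in (file_a, file_b, slide)])  # [True, True, True]
    new_file = make_label("SECRET", [], ["bravo"])  # a newly added compartment
    print(can_read(root, new_file))                 # False until "root" is re-derived
```

Two things the code makes visible that the prose only implies. First, a TOP SECRET clearance with no channels cannot read the slide marked with the SI channel, while an UNCLASSIFIED file with a codeword is incomparable to a plain SECRET file; neither "wins", which is exactly why per-compartment administration is needed rather than a single ladder of levels. Second, system high is only "higher than everything" relative to the compartments the system knows about: when a new codeword is added, the old system-high label no longer dominates the new files, so the "root" label must be regenerated, which is one more piece of the paperwork the next paragraph describes.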

This quickly runs into the PITA problem, though, as you get more markings and time goes on. The sysadmin for (A,B,C) goes on maternity leave, and someone has to take up the slack; a new compartment is added, so someone has to get access, which normally means being “read into” the particular program or codeword, which takes paperwork; the ambassador forgets his password, and doesn’t have time to go through the secure process so someone has to be able to set the password for his account for him. Bit by bit, as people get sloppy over time, it turns out that there’s usually someone who has system-high access, “root” access. (One of the few commercial systems that supports this completely is Oracle’s Solaris operating system. I’ve set up a number of systems with the full access control, which means there’s not even a root account; I don’t think that has lasted a day on any system I’ve seen.)

I’m willing to bet that Snowden ended up — possibly with some quiet pushing on his part — with access to a system-high account, from which he could see anything on the system.

"If you then find out they’re tone-deaf, you’ve got something."

The Drummer?

I don't know when you last worked on that side of things, but today (or at least as of November, when I was supposed to have been read out of a TS/SCI job) they don't call it "code words" any more, and what you call a channel is, for some stuff, called a "compartment" and the last bit is the distribution.

So you might have something marked SECRET//CI//Twelve Nations where CI is the Compartment Initials, and Twelve Nations is a pre-specified group of nations/partners. For the record I made the CI and Twelve Nations up because the names of compartments are classified and I don't remember if the distributions specifically are.

As to how someone w/out a degree got a job at the CIA, I do not have a degree in anything related to the technical side of computers--I have a degree from a fine arts college, but I had 10 years of experience in the industry and got a TS clearance while in the reserves.

In these days of easy drugs and loose morality it's not easy to find folks who can pass a TS background check, and the contractor companies don't care how good you are as long as you're good enough that the customer doesn't complain. Heck, for them your inadequacies are extra money--the more work you don't do the more justification there is for another body, which they get paid for.

I know plenty of people at the various jobs I worked that flat out would get fired in any small to medium sized company, and a few who should have been sued for fraud when they claimed to be computer techs.

And once you're hired the intelligence agencies largely use the same computer systems everyone else does. Once you have access to the LDAP store (be it Active Directory or "real" LDAP) you can manipulate your access at will. And if you're in an older environment that hasn't upgraded to role based ACLs it's even easier. Most people in the government--like most people everywhere--have NFC about computers.
1 year ago
Well written article, thanks for hashing out some of the details for us.
1 year ago
Excellent job explaining the classification labyrinth and some points of failure in less than book length! The system is built by humans and so subject to human failures. (no one is on guard 24/7/365 no matter how important it is that they should be) There are systems defined but, as with nearly all security measures, they are ignored or bypassed for ease of use. As always no one thinks it will ever happen to them and it's okay "just this once".

The biggest take away from all this mess, something we should not ever forget: "digital exhaust" (thank you Dan Geer for the excellent visual reference) is often times far more important than content when gathering intelligence information.

Whether it's the NSA gathering metadata on cell networks or a slide show publicized by Snowden of methods used, it is very likely far more damaging than wiretapping the President's phone.
1 year ago
Your explanation of classification levels and compartmentalized information matches my experience when working in a SCIF for many years.

For what it's worth, the "NOFORN" in “Top Secret, SI, NOFORN” is not a code word; it's a further description of the channel. NOFORN means No Foreign Nationals may see the document/information. So it is information that would not be shared even with our allies (eg, British intelligence), even if our ally was otherwise cleared, but rather is for use only by and in the USA.
1 year ago
Yeah, I was kinda hoping no one would notice that I sort of blurred that over -- it seemed hairy enough as it was. Thanks for explaining it.
1 year ago
Nice job, Charlie, contextualizing the world Snowden worked in. You confirmed a fuzzy suspicion when you pointed out that his world boiled down to theoretically watertight Unix permission structures, and the whole thing begins to turn to mush when someone goes on maternity leave and five personnel changes later it's porridge. I remember a guy who was a radio operator in the Naval Air Transport in the 50s and the Russkie radio operators on the trawlers always, always knew the names of everyone on the plane because they had the crew lists. He gave as good as he got in the inevitable banter (they still used Morse then) but was always frustrated because all he could call them was Ivan because he didn't have their crew lists.

I also hear your self recognition that you had a lot less judgement yourself when you were 29, which as a 70 year old I can confirm is equally true of myself. I remember seeing a billboard put up by the Indonesian religion Subud when I was in my 30s. It said "If you want to change the world, first change yourself." That was a memorable moment for me. ;-)
1 year ago
Reading Martin's account here of these onion-skin layered complexities, inside the compartmentalization of the individually separate levels of three divisions of each classification, do y'all see where I'm going?, of "classified" stuff was itself dizzying. I'd guess that there's even more to it than this, depending on the........uh oh, here we go again down yet another path.

The conclusion seems to me to be that this is one helluva humongous organizational Catch-22, very damned if we do, even more damned if we don't.

Frankly, Snowden should be skinned alive, slowly, along with this whole Greenwald/Guardian outfit. WikiLeaks/Assange/New York Times/Washington Post, each in their separately designated compartmentalized Circles of Hell, are, of course, a separate subject.

Unmentioned so far is the stark tragedy of how many American lives have now been put in jeopardy.......all because of an individual's smug certitude.
1 year ago
"The conclusion seems to me to be that this is one helluva humongous organizational Catch-22, very damned if we do, even more damned if we don't."

You are one of the few people I've seen on the Net that gets this.
I keep asking people...What do You Want To Do?...no answer...at least no real answer.

"Frankly, Snowden should be skinned alive"


If I find a downside, I'll let you know. :-)
1 year ago
"This quickly runs into the PITA problem, though, as you get more markings and time goes on. The sysadmin for (A,B,C) goes on maternity leave, and someone has to take up the slack; a new compartment is added, so someone has to get access, which normally means being “read into” the particular program or codeword, which takes paperwork; the ambassador forgets his password, and doesn’t have time to go through the secure process so someone has to be able to set the password for his account for him. "

One of the things I have learned from reading history is...Something Always Goes Wrong.

Also something needs to be done over this...
"Add to that, no one was ever fired for classifying something too highly."

It appears, looking from the outside in, that many times something is classified not so much because it might endanger the nation, but because it would endanger someone's career.

As always I reserve my God given Constitutional right to be Wrong
1 year ago
It appears, looking from the outside in, that many times something is classified not so much because it might endanger the nation, but because it would endanger someone's career.

Oh hell yes. Or because it's easier to classify something than to decide what really should be classified. Or you get a Major Major who would classify used toilet paper if the smell didn't get to him.
1 year ago
"Bureaucracy defends the status quo long past the time when the quo has lost its status."
Laurence J. Peter
1 year ago
As far as compartmentalized, when I was in the Service I was a Radio tech. This required a secret clearance. With that, I could repair just about any radio we had. At one time I was sent on a wargame to Australia. We didn't have enough Crypto people to spare so they called some of us in to learn how to operate the Crypto equip. The key word there is operate. While in the field one of our Crypto units broke down. I was told to fix it by my Lt. I told him I didn't have the clearance to go inside it. I had to repeat this until I got to the Battalion Commander, who had the authority to bump my clearance up so that I could open the equipment. The fun part was that the problem wasn't on my side; my equipment was working perfectly.
At another time I was working a radio relay site in Vietnam. While doing a comm check I happened on a conversation between the Battalion CO and the Regimental CO about a patrol we had out and giving their coordinates in the clear over the phone. Funny how at just that moment they lost their comm. I didn't go back to see if they got the hint after I opened the channel up again but the patrol came back safe.
1 year ago
The "Crypto for Use" Access is a distinct, separate club. You should have been sprinkled with that flavor of pixie dust if you were called on for that duty.
1 year ago
Yes indeed, and there's an excellent example of privilege elevation for PITA. Thanks.
1 year ago
For now ... it's enough to know that Snowden provided some interesting information. Obama and his cronies are NOT transparent in truths, but they're more than transparent in transgressions against the constitution. How come the administration isn't up for a lynching? Snowden has yet to be PROVEN guilty of anything ... right?
1 year ago
Certainly not proven in a court of law -- but those slides that he admits giving to Greenwald are marked TOP SECRET/SI. That sounds like an admission of guilt to me.
1 year ago
The following message is UNCLASSIFIED, based upon the requirements under E.O. 12958.

(U) Even somebody with sysadmin privileges should leave an audit trail of access for other sysadmins to review.

(U) Somebody(s) did not do their job(s).
1 year ago
The problem is a root (aka "Superuser") user has the ability to manipulate the audit logs to eliminate any evidence of his/her activities. There are tools that provide the capability to capture such audits before they can be cleaned up, but in 30 years working in DoD and IC, I've never seen a program willing to spend the $ to procure them.
1 year ago
Well, you can make the audits tamper-evident with software, by basically maintaining a chain of cryptographic signatures. Every so often you sign the whole log and then log the signature, so that altering it becomes intractably hard. But the problem with the whole "we'll just audit for that" approach is that someone has to sit down and analyze the audits for suspicious behavior, like a pattern of copying things to external devices. Since Snowden apparently had four laptops and a bunch of thumb drives, there was clearly a lot of suspicious behavior going on.
1 year ago
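The tamper-evident log the comment above describes, as an added example that is not the commenter's code and not any product: every event is hash-chained to the one before it, and every few entries a checkpoint is appended that authenticates the current head of the chain under a key only the auditor holds. An HMAC under that key stands in for the signature so the example runs with the Python standard library alone; the key and the event lines are constructed. `rewrite_entry` models what a root user can do without the auditor's key (edit an entry and recompute every later hash so the chain looks intact), so that `verify` can show where detection holds and where it does not: an edit before a checkpoint is caught, an edit after the last checkpoint is not, and truncating the log is caught only if the auditor keeps the last head hash off the box.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64   # "previous hash" of the very first entry


def _entry_hash(seq: int, kind: str, body: str, prev: str) -> str:
    # The hash covers the entry's own fields and the previous entry's hash,
    # so every entry is bound to everything recorded before it.
    material = json.dumps([seq, kind, body, prev]).encode()
    return hashlib.sha256(material).hexdigest()


class AuditLog:
    """Hash-chained log with periodic checkpoints keyed by the auditor."""

    def __init__(self, auditor_key: bytes, checkpoint_every: int = 3) -> None:
        self.entries: List[Dict[str, Any]] = []
        self._key = auditor_key          # held by the auditor, never by the sysadmin
        self.checkpoint_every = checkpoint_every
        self._since_checkpoint = 0

    def _append(self, kind: str, body: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        self.entries.append({"seq": seq, "kind": kind, "body": body, "prev": prev,
                             "hash": _entry_hash(seq, kind, body, prev)})

    def record(self, event: str) -> None:
        self._append("event", event)
        self._since_checkpoint += 1
        if self._since_checkpoint >= self.checkpoint_every:
            self.checkpoint()

    def checkpoint(self) -> None:
        # "Sign the whole log and then log the signature": the MAC over the
        # current head hash commits to every earlier entry and is itself
        # chained in as the next entry.
        head = self.entries[-1]["hash"]
        tag = hmac.new(self._key, head.encode(), hashlib.sha256).hexdigest()
        self._append("checkpoint", tag)
        self._since_checkpoint = 0


def verify(entries: List[Dict[str, Any]], auditor_key: bytes,
           known_head: Optional[str] = None) -> Tuple[bool, str]:
    """Auditor-side check: recompute the chain, re-verify every checkpoint and,
    if the auditor kept the last head hash off the box, compare against it."""
    prev = GENESIS
    for e in entries:
        if e["prev"] != prev or e["hash"] != _entry_hash(e["seq"], e["kind"], e["body"], e["prev"]):
            return False, f"chain broken at seq {e['seq']}"
        if e["kind"] == "checkpoint":
            expected = hmac.new(auditor_key, e["prev"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, e["body"]):
                return False, f"checkpoint at seq {e['seq']} does not match the entries it covers"
        prev = e["hash"]
    if known_head is not None and prev != known_head:
        return False, "log truncated or head mismatch"
    return True, "ok"


def uncovered_events(entries: List[Dict[str, Any]]) -> int:
    """Events recorded after the last checkpoint: the window that a root user
    without the auditor's key could still rewrite consistently."""
    n = 0
    for e in reversed(entries):
        if e["kind"] == "checkpoint":
            break
        n += 1
    return n


def rewrite_entry(entries: List[Dict[str, Any]], seq: int, new_body: str) -> List[Dict[str, Any]]:
    """What a root user can do without the auditor's key: edit one entry and
    recompute every hash so the chain itself looks intact. Returns a copy."""
    edited = [dict(e) for e in entries]
    edited[seq]["body"] = new_body
    prev = GENESIS
    for e in edited:
        e["prev"] = prev
        e["hash"] = _entry_hash(e["seq"], e["kind"], e["body"], e["prev"])
        prev = e["hash"]
    return edited


if __name__ == "__main__":
    key = b"constructed-auditor-key"   # in practice a key the sysadmin cannot read
    log = AuditLog(key, checkpoint_every=2)
    # constructed sample events
    log.record("sysadmin: login from workstation-7")
    log.record("sysadmin: read /projects/alpha/briefing.txt")      # checkpoint follows at seq 2
    log.record("sysadmin: copy /projects/alpha/briefing.txt -> /media/usb0")
    print(verify(log.entries, key))                                # (True, 'ok')
    print(uncovered_events(log.entries))                           # 1
    print(verify(rewrite_entry(log.entries, 1, "sysadmin: read nothing"), key))   # checkpoint mismatch
    print(verify(rewrite_entry(log.entries, 3, "sysadmin: nothing copied"), key))  # (True, 'ok'): uncovered tail
```

The design choice that matters is where the key lives: the checkpoint tag can only be recomputed by whoever holds it, so a root user on the logging host can rewrite entries and rebuild the hashes but cannot make a stale checkpoint agree with the rewritten chain. The two gaps the code exposes are the practical ones: shorten the checkpoint interval (or ship each checkpoint tag off the box as it is made) to close the window after the last checkpoint, and keep the latest head hash somewhere the sysadmin cannot reach so that simply truncating the log is detected.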
Yup, that's a fair statement. I would guess the audits are there, but then who audits the audits?
1 year ago
Actually, there's a process and a whole SLEW of requirements for that. It's even Unclassified. Google "NIST 800-53", grab the current version (v4) and look at the entire "AU" (i.e. "audit") requirements. They vary by level of program, and are used in a lot more than the Intelligence Community. . .

But in practice, the only time audit records are SERIOUSLY looked at, is after a sufficiently damaging "Incident". No matter WHERE you are, IC, DoD or even HHS. . .
1 year ago
I worked for the DoD in Baghdad for a while.

We had a multi-million dollar implementation of HP Openview capable of monitoring huge swaths of the DoD network in Baghdad. Not (of course) all of it because no one knew what "all of it" really meant, but still.

The DoD, because of its reactive mindset (and keep in mind this is good), would not do proactive monitoring. The entire purpose of Openview was to provide forensics after.

This was, to a private-sector admin like me, particularly painful.
1 year ago
Oh yeah. Hell, any time there's a problem that's hard to solve, someone just says "oh, we'll just audit that."
1 year ago