REVEALED: The gizmo leaker Snowden used to smuggle out NSA files

Whistleblower Edward Snowden apparently used a USB thumb-drive to smuggle out hundreds of top-secret documents before he blew the lid off the NSA's web-spying project PRISM. This is despite the Pentagon's clampdown on the gadgets. Unnamed officials told the Los Angeles Times that they were well on the way to figuring out which …

COMMENTS

  1. John Sturdy
    WTF?

    Root password, sure, but why wasn't the data encrypted?

    I don't have problems with "lowly" sysadmins being able to move data around, add devices, etc (after all, it's part of their job) but there's no need to keep the data in a form in which those who move it around can look inside it.

    Gumbyshire County Council staff failing to encrypt sensitive data is a problem, but unsurprising (they're not recruited for security-related stuff) but the CIA? WTF?

    Ah, yes. Perhaps they're recruited to analyze data, not keep it secure?

    1. Anonymous Coward
      Anonymous Coward

      Re: Root password, sure, but why wasn't the data encrypted?

      I used to work for a company that worked with classified data. The security requirements around access to Secret data on computers are largely the same as those for paper documents: a secure site, door locks, badge access, safes, etc. The PCs we used were on a self-contained network kept within one room for our project (no internet access, obviously) and the main security mechanism was that the machines had removable hard disks which were counted into and out of a safe whenever you left your desk.

      Encryption was only used for sending the occasional file over a secure telephone link (not attached to the network) to partner companies working on the same project. The PCs were just standard Windows PCs without disk encryption of any sort.

    2. Lee D Silver badge

      Re: Root password, sure, but why wasn't the data encrypted?

      It's not even that that worries me.

      Why are they using commodity systems with things like Windows on them? Why are there even USB ports PRESENT on the damn machines? Why would they even want an internal motherboard header for something like USB at all. And, where present, why isn't it completely impossible - in software - short of compromising the system to even bit-bang some pins to provide any semblance of a USB storage device to the machine.

      It seems that the problem isn't rogue people - they exist and you can't stop them existing. It isn't security clearance - the people who want security clearance the most and will try the hardest to get it are those that shouldn't have it at all. It isn't the presence of auditing software that monitors keystrokes - which is all after-the-horse-has-bolted. It's the fact that it's even possible to insert, and have recognised, a bog-standard, off-the-shelf USB device that data can then be placed onto (apparently unquestioningly for a sysadmin, even though there's supposed to be a distinction between controlled data and not, and there should be LOTS of alarms going off at even the attempt to access controlled data on a machine that has a removable storage device - let alone actually allowing the copy to happen!).

      You shouldn't have high-up ranks issuing orders along the lines of "don't use removable storage", it just shouldn't be possible. You're providing the kit. You're sourcing this kit for military purposes. You call the shots. And if you only want it to communicate with, say, storage devices that can only copy encrypted data in its encrypted form (and the systems themselves have to link that with credentials / other devices enough to decrypt it), then that's what you buy and that's what you issue and it doesn't matter what Joe Bloggs brings in with him from the local Maplin's, that's all he can interface with and what he has to defeat.

      Hell, the case against DRM in consumer devices is HUGE, but why aren't these military devices using TPM - or equivalent - secure-booting, authenticating all external devices, not even able to physically, logically, or "hackably" be able to provide a USB storage device on them from an unlicensed device, etc? I'm not saying you'd ever make it completely "unhackable" but nobody, nobody!, on a secure system should be able to do anything to entice it to copy controlled data onto a USB storage device that they've bought down the shops.

      It's utterly ridiculous. Turing would be turning in his grave or (if the Germans were doing it) extremely grateful that the enemy were that stupid.

      1. Tom Wood

        Re: Root password, sure, but why wasn't the data encrypted?

        @Lee D - computer systems in gov't organisations, even highly secretive ones, are not like those in the movies. They're basically the same as those in any large organisation. Some will be new, some will be old, some will be in dire need of replacement. They have USB ports on them for the same reasons as the PC on your desk has USB ports on it.

        They run Windows because most of the time the work done on them will be done using MS Word, Excel, etc. Specialist tools will be Windows GUI based apps because the companies and engineers who develop them are good at writing Windows apps and the staff who use them know how to use Windows apps. And so on.

        And the whole point of background checks, security clearances etc is that you're supposed to be able to trust people who work with such data (and are granted unsupervised physical access to it) to keep it a secret. Even without USB ports, someone who is really determined to get data out of a secure environment will do so one way or the other.

        1. reno79

          Re: Root password, sure, but why wasn't the data encrypted?

          It's very easy to remove access to USB entirely, either physically or through software. What I'm more shocked about is the apparent lack of a File Access Monitor.

          Surely an organisation like the CIA can afford access to even a basic one of these to report if someone is copying stuff off site? I'm not experienced in the slightest when it comes to this stuff, although I have played with a few from the big vendors in this market and they're well within the budget of US.GOV.

          1. Theodrake

            Re: Root password, sure, but why wasn't the data encrypted?

            Because Windows releases up to Server 2000 don't distinguish between actually reading a file and opening a folder. Open a folder on a Windows 2000 file server and for every file in that folder you get a read hit for the AD account that opened the folder. Also every sub-folder and every file in every sub-folder will generate a read event. So many events are generated that you need to up the hard disk requirement by 50% just to record the events, let alone attempt to generate a decent alert or two, instead of 1,000s.

      2. Anonymous Coward
        Anonymous Coward

        Re: Root password, sure, but why wasn't the data encrypted?

        Back in the mid-90s when my piece of the military was beginning to go online I found myself going constantly from machine to machine with antivirus updates on a floppy in order to cure them of the latest infection. At that time I recommended adding software at the server level to scan for such attachments and stop the problem there. I was told that it was too expensive. In the mid 2000s I recommended using software to control port access and prevent use of USB or other external media devices on military computers. Software solutions were deemed too expensive, just tell people not to do it. Basically the issue is that leadership fails to listen to the people who are closest to the problem and lacks the ability to see the consequences of that failure.

        1. Joe Montana
          FAIL

          Re: Root password, sure, but why wasn't the data encrypted?

          Software like this has no reason to be expensive, it's simply overpriced.

          Prevent access to USB? Just remove the USB drivers and the system will ignore the ports and only someone with suitable privileges would be able to reinstall them.

          And incidentally, USB devices are used because they are most convenient, if you block USB then people who want to extract information will use other less obvious ways.

          If you leave USB enabled, but keep a log of any data written to such a device then you stand a better chance of catching someone who will often just use the easiest method to extract data. If you disable USB and assume that's an end to it, then the attacker will either find a way to re-enable it (which you won't be expecting or monitoring), or find some other way to get data out which again is less likely to be noticed...

          How many organisations control what you print? How many do it in a half assed way (eg you're supposed to print through a printserver which logs, but it's possible to connect directly to the printer which doesn't).

          How many will do an adequate search to ensure you don't enter the building carrying a tiny camera, audio recording device, modem, wireless transmitter etc?

          How many sites are in such locations that would make it impossible to throw something out so that it clears the perimeter fence and falls on public land where it can be collected later?

          How many networks are connected to the internet and just restricted by firewalls, and how secure are these networks? In many cases it's possible to get *something* out which could be used as a covert channel, and in even more cases it's easily possible to compromise the local network to such a degree that you are able to modify the firewall rulesets to suit your purposes. The average windows network is horrendously insecure, and firewalls while generally much tougher unix based systems are often administered from windows workstations which sit on a trivially ownable domain, likely the same domain as end user workstations.

          You are only as secure as the weakest link, and yet many organisations waste millions trying to strengthen areas that were never their weakest link in the first place.

          1. cortland

            Re: Root password, sure, but why wasn't the data encrypted?

            -- and only someone with suitable privileges would be able to reinstall them. --

            Ah. You mean like a SYSADMIN? Oh, wait... wasn't he one?

        2. Fatman

          RE: Re: Root password, sure, but why wasn't the data encrypted?

          Basically the issue is that leadership fails to listen to the people who are closest to the problem and lacks the ability to see the consequences of that failure.

          What you have described sir, is better known as damagement, the bane of IT existence worldwide.

      3. This post has been deleted by its author

        1. Anonymous Coward
          Anonymous Coward

          Re: Root password, sure, but why wasn't the data encrypted?

          I work for a healthcare provider. We have software that controls your ability to WRITE to removable media. Seems like that is all you need... you can read all you want, you just can't export it.

          1. Anonymous Coward
            Anonymous Coward

            Re: Root password, sure, but why wasn't the data encrypted?

            What's stopping people taking photos of the screens? There's usually a hack whatever precautions you take.

            1. Soruk

              Re: Root password, sure, but why wasn't the data encrypted?

              You'd also need to ban access to any form of printing device - google "optar" for an example why.

          2. Joe Montana
            FAIL

            Re: Root password, sure, but why wasn't the data encrypted?

            So you can't write to removable media?

            What if you read some exploit code from the removable media, and use it to elevate your privileges such that you can disable the aforementioned software?

            Also, since such software is likely a userland application rather than a kernel option, if it crashes you regain the ability to write...

        2. Anonymous Coward
          Anonymous Coward

          Re: Root password, sure, but why wasn't the data encrypted?

          "Find me a modern wired mouse or keyboard that is commercially available, today, that doesn't use USB."

          I work in government, and our software policy is set that USB keyboards/mice work as normal, but if you plug in a USB storage device it will only mount if it's an approved device supplied by the IT dept and you have the right software installed (which you need to have a business case for)

          While it won't stop rogue admins from abusing the system, it makes it easier to track down who has access to a particular share *and* has USB storage rights.

          1. This post has been deleted by its author

            1. Anonymous Coward
              Anonymous Coward

              Re: Root password, sure, but why wasn't the data encrypted?

              "That's fine, until some smart-arse boots from a thumb drive/CD/DVD and simply copies the data they want using the booted OS."

              That is where 802.1x comes into play. You can boot that OS, but the computer won't be on the network.

        3. Anonymous Coward
          Linux

          Disable USB for mass storage ...

          Add the following line to blacklist.conf

          blacklist usb_storage
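
Added example, not part of the comment above: in a modprobe.d file a `blacklist` entry only stops alias-triggered autoloading, so an explicit `modprobe usb_storage` still succeeds unless an `install` override is present, and `modprobe -r` is the command that unloads an already-loaded module. The script below classifies a config directory and checks a /proc/modules-format listing; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how a modprobe.d-style directory treats usb_storage.
# All paths and sample file contents below are constructed.

# Classify the *.conf files in a directory.
# Prints one of: none | blacklist-only | install-blocked
usb_storage_policy() {
    dir=$1
    set -- "$dir"/*.conf
    [ -f "$1" ] || { echo none; return 0; }   # no config files at all
    awk '
        { sub(/#.*/, "") }                    # strip comments
        NF < 2 { next }                       # skip blank or malformed lines
        { mod = $2; gsub(/-/, "_", mod) }     # modprobe treats - and _ alike
        mod != "usb_storage" { next }
        $1 == "blacklist" { bl = 1 }          # blocks autoload only
        $1 == "install" && $3 ~ /^(\/usr)?\/bin\/(false|true)$/ { inst = 1 }
        END {
            if (inst)    print "install-blocked"
            else if (bl) print "blacklist-only"
            else         print "none"
        }
    ' "$@"
}

# Succeeds if usb_storage is listed in a /proc/modules-format file.
# A config change does not unload a module that is already resident.
usb_storage_loaded() {
    awk '$1 == "usb_storage" { found = 1 } END { exit !found }' \
        "${1:-/proc/modules}"
}

# Write constructed sample configs and module listings under a base directory.
write_samples() {
    base=$1
    mkdir -p "$base/weak" "$base/hard" "$base/empty"
    printf '%s\n' '# stop autoload on hotplug' \
        'blacklist usb-storage' > "$base/weak/usb.conf"
    printf '%s\n' 'blacklist usb_storage' \
        'install usb_storage /bin/false  # refuse explicit loads too' \
        > "$base/hard/usb.conf"
    printf '%s\n' 'usb_storage 73728 0 - Live 0x0000000000000000' \
        'usbcore 348160 3 usb_storage,xhci_hcd, Live 0x0000000000000000' \
        > "$base/modules.loaded"
    printf '%s\n' 'usbcore 348160 2 xhci_hcd, Live 0x0000000000000000' \
        > "$base/modules.clean"
}

# Run the audit over the constructed samples and print a short report.
demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    for d in weak hard empty; do
        printf '%-6s %s\n' "$d" "$(usb_storage_policy "$tmp/$d")"
    done
    for f in modules.loaded modules.clean; do
        if usb_storage_loaded "$tmp/$f"; then
            printf '%-15s usb_storage resident\n' "$f"
        else
            printf '%-15s usb_storage not loaded\n' "$f"
        fi
    done
    rm -rf "$tmp"
}

demo
```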

          1. Wrong ended schtick

            Re: Disable USB for mass storage ...

            The elegant solution in 'nix, but anyone with root access can chg your settings too... Just like anyone on windaz can mod the registry. You can define all these controls in policy, but organised crime, hackers and those w enough balls to act to defend freedom in our not so free now (and worse to be soon) society, can still circumvent.

            There is no such thing as a secure system. Private data has to be managed as private data, else it will become public. The real problem here is more about what data governments want to keep secret:

            Apart from their citizens' personal information, what data should they even be allowed to keep secret and for how long- if they are doing the right thing? As they tell us they are...

            The problem here is two fold; the amount of seriously bad stuff governments are doing and the amount of data they're classifying as secret. They store most of it as secret as no one tells them not to (and they're proven to be no better at managing their data bloat than the average MOP (member of the public))... Being able to keep it secret removes a lot of the onus on them to do the right thing.

            Wholesale Data Surveillance like PRISM, corporates sharing Customer activity and assigning Universal unique IDs to everyone, ISPs like Telstra storing customer usage details and compromising their customer's private data- all of this combined with constant surveillance makes the problem exponentially worse.

            Turning the Net into the world's primary surveillance system is totally unsustainable of course. But they don't care. And how will it end for us? So why accept it now? Why allow them to keep shooting the messengers and turn so many people against us when we should be using this time of prosperity and opportunity to bring Nations and people together?

            Until we expect more from those who govern (and tell them so) all this will combine with population and resource challenges to end in cataclysmic permawar. Our spooks don't want this, but they don't see it either.

        4. peter 45
          Facepalm

          Re: Root password, sure, but why wasn't the data encrypted?

          Where I used to work all of the USB ports were glued up to prevent us saving files to USB sticks..........well all of them except the one used for the mouse and keyboard. The OS even had the drivers still present.

          We pointed out this stupidity and the official response was to tell us that installing a customised OS was too difficult/expensive and to issue a dire warning against using the USB port for anything other than the keyboard/mouse.

          Sigh

        5. Happy Hippy

          Re: Root password, sure, but why wasn't the data encrypted?

          Purchase Ps2 cards, mice and keyboards. Bung up usb ports with epoxy. Remove cd/dvd writers. Lock cases. Encrypt data. Encrypt data. Encrypt data.

      4. John Savard Silver badge

        Re: Root password, sure, but why wasn't the data encrypted?

        Considering that the NSA happens to have produced - and even distributes to the general public - Security Enhanced Linux, a distribution of Linux which, like Multics, allows files to be labelled with a security level, and then which doesn't allow programs that can read those files to write out files labelled with any lower security level... they've got the software they need to make sure that no classified file gets written out unencrypted to a USB stick.

        They're apparently just not using it.

      5. tentimes
        Unhappy

        Re: Root password, sure, but why wasn't the data encrypted?

        The type of people that join the army are generally pretty dim, a lot of them because they have no qualifications and can't get another type of job. They also usually have a power complex. Anyone I know who has joined the army has been thick as pig shit.

        So, whilst you may see what needs done and have a good assessment of security, military people generally won't. Hence comments like "Ban all removable storage" from the top brass.

        1. Anonymous Coward
          Anonymous Coward

          Re: Root password, sure, but why wasn't the data encrypted?

          It isn't the Army, and neither the physicist nor the computer scientist I know who joined the Army were particularly dim. It tends to be "Government agencies".

          Joining the actual Armed Forces can lead to a messy death, but it can also lead to an exciting career. Working for a security agency on the other hand has no such prospects. Joining the security services and working in IT must be like being down there with the helots. Are the best and brightest going to apply?

        2. cortland

          Re: Root password, sure, but why wasn't the data encrypted?

          ... but you can bet that Tommy sees!

      6. J__M__M

        Re: Root password, sure, but why wasn't the data encrypted?

        It's not even that or that that worries me...

        More like why the hell wasn't there a slightly overweight dude wearing a size-too-small-some-shade-of-blue shirt with his ass parked on a barstool at the dang exit? You know, the guy who lives life only to harass the shit out of people, especially people who happen to live somewhere above his paygrade (everyone).

        Whut's in the bag, nerd?

      7. Charles Manning

        It's called COTS

        In the past these organisations, just like submarines etc, used special hardware.

        Then they found it was hard to keep spares and find people that knew how to service them. A submarine was stuck at Holy Loch for over a week waiting for a special computer to be built, then shipped from USA to UK. Congress would ask why the military was paying $20k for a computer that was slower than the $1k offering from the computer shop down the road.

        So then they decided to go with COTS: use vanilla kit. If something breaks, nip down to the local computer shop and you're going again..... and it is way cheaper.

        Cheaper is a huge factor. That gives far more toys per budget.

        If they nobbled all the USB ports then things like mice and keyboards would not work.

        They can make rules, but those soon become ineffectual. The first time some big-wig needs to use a USB stick to copy a presentation to use on the computer connected to the projector, you're screwed.

      8. RykE
        WTF?

        FEDELST

        The practice of disabling USB, although an effective countermeasure for the protection of the casual removal of information, is merely part of the equation, and should not be the sole mode of protection from such threat. More evolved systems including data and resource access controls according to user rights and information classification levels, and intelligent data loss prevention technologies afford visibility and control to the protection of confidential data.

        Eliminating the USB service reduces valuable functionality which the USB interface affords system users and admins. Technologies such as those developed by companies such as SafeEnd and Unatech afford security administrators the ability to implement USB firewalls where only registered devices, and actions can be permitted, and logged. All other actions on the USB channel are restricted and attempts are reported.

        The actions of Snowden and Manning were due to a sea change in policy in US Government internal computing environment where after 9/11 everything went from 'need to know' to a 'need to share'. The US Government had determined that it was more important to have access to tools and information which could aid employees in their ability to identify threat, than lose this visibility due to restricted information access.

        The failure here was clearly due to the lack of any visibility to anomalous behavior, the failure to identify and report access and downloads of volumes of data, access to information not specific to the users job function, and any reasonable level of accountability for security practices.

        It is my opinion that the old 'restrict USB' ethic is dated, and by doing so complicates system administration by eliminating a valuable system resource. I say better management and monitoring is the key here. Besides, no user, with access to any secure environment should be permitted to carry any personal device capable of storing, encrypting, obfuscating or redirecting data.

      9. xpusostomos

        Re: Root password, sure, but why wasn't the data encrypted?

        They are using Windows so that the NSA can break into its secret backdoors. [ chuckle ].

    3. Anonymous Coward
      Anonymous Coward

      Re: Root password, sure, but why wasn't the data encrypted?

      Sorry for being mean, but are we not back accusing the Germans for not telling the truth about Nazi Germany.

    4. larokus
      Facepalm

      Re: Root password, sure, but why wasn't the data encrypted?

      It is hilarious to think my girlfriend/wife porn is more secure in an AES truecrypt partition than the NSA's most torrid secrets. WTF?? They could have easily mapped a Truecrypt partition to their network which would in no way be accessible to sysadmins that have no access to the credentials. And truecrypt is free and open source ffs

    5. Glen Turner 666
      Holmes

      Re: Root password, sure, but why wasn't the data encrypted?

      Some realities.

      Encryption isn't a cure-all, a wand you can wave to solve problems of access to data. Firstly, encryption implies keys. If you are sending the document to thousands of people within the one organisation and the attacker is within that organisation and has sysadmin rights... how long is the key going to stay secure? This is even true for PGP -- in that case you scarf up everyone's keyrings as well as the data and attack the passwords used to secure the keyrings. Secondly, there's still nothing to stop you from copying the data (should someone appear with a key later on). Thirdly, there's nothing to prevent traffic analysis. For example, a lot of files suddenly appearing in the plans-to-attack-libya directory.

      Encryption is an interesting two-edge sword. Take command-line access to a server on a secure network. Should that use SSH? Or should that be forced to use Telnet so that the exact session of the person connecting can be audited? As a result a lot of secret-level systems use fewer encryption mechanisms than you would expect.

      Disabling USB is difficult, as you can't unilaterally disable the controller as there are interior USB buses within modern computers tying the components on the mainboard together. What you can do is to refuse to mount USB media which hasn't been authorised. That's a bespoke SELinux rule for Linux, or a software hack for Windows. Neither is supported by the operating system's manufacturer, which is an issue for large installations.

      I am not saying that people shouldn't try encryption and blocking access to devices -- a low fence is still a fence. But don't be surprised by the success of an attacker with abundant inside information and access.

      In this case the technology is irrelevant. Let's say both the encryption and the USB were tight. The attacker was determined to leak and would have simply chosen another path. All we can do is to force people in to technologies with higher risk, such as cameras.

      In focussing on these technical matters we're also ignoring the cultural -- the "why" of leaks. When you ask an organisation to act contrary to its mission the organisation betrays the people in the organisation most motivated by its mission. Having that betrayal of the individual by the organisation repaid by betrayal of the organisation by the individual is to be expected.

      1. Anonymous Coward
        Anonymous Coward

        Re: Root password, sure, but why wasn't the data encrypted?

        It's simple.

        They tell the IT guy to lock down USB.

        The IT guy said it was done.

    6. RykE
      Go

      Re: Root password, sure, but why wasn't the data encrypted?

      Data should be encrypted at the file level with user access rights assigned to only those who require access... a la PGP NetShare, as an example.

  2. Anonymous Coward
    Anonymous Coward

    This case asks more and more questions:

    This guy was a $200k a year IT administrator, in a top secret environment, however he had a sex worker girlfriend and wasn't smart enough to check if the place he was fleeing to had an extradition treaty with the USA after he had taken data from said secret environment on a USB drive.

    If I read a story like that, I wouldn't believe it. I can't imagine for a minute you'd get SC, let alone DV clearance in the UK if your girlfriend was a pole dancer. I find it very hard to believe that he could easily sidestep security in the way he apparently has and that Prism has remained secret so long. It's all very odd.

    1. John Sturdy
      Big Brother

      Dr Ruth is no stranger to friction

      "Truth is stranger than fiction, because fiction has to make sense."

      Could you have imagined that NASA management would have dismissed a series of concerns flagged by engineers, resulting in a Shuttle failure?

      A rigged leak is presumably to misdirect (The Thumb Drive That Never Was.) Of course, if it is rigged, one possibility is that the leak is to say "The secret surveillance is X more than you thought it was", to hide the fact that it's actually X-squared more. But I think administrative idiocy is a better explanation.

    2. John Sturdy

      > I can't imagine for a minute you'd get SC, let alone DV clearance in the UK if your girlfriend was a pole dancer.

      I don't see that that would be a problem. They're likelier to have a problem with your girlfriend being secretly a pole dancer --- blackmailability is the worry, not overt activities that some might disapprove of.

    3. Anonymous Coward
      Anonymous Coward

      This case asks more and more questions:

      Read elsewhere today that he had an account at ArsTechnica where at times he complained about the way the state spied on individuals and how he was going to do something about it.

    4. Anonymous Coward
      Anonymous Coward

      You have jumped to a few conclusions there, who knows what other data he has at this stage? It may well be in his best interest to go to HK, especially as it was mentioned in another article (on Reg I believe) he has data on the US hack attempts at Chinese civilian targets which they said they didn't do. Therefore the Chinese would be very keen on keeping him close!

      Regarding UK clearance, it doesn't matter what your family members/friends do (within reason). The main priority is that you can't be blackmailed. If you're honest in your interview with your clearance officer and on your paperwork then it is generally fine! There would also be a number of factors such as, whether you or your family members have held clearance in the past and whether you have any foreign friends.

    5. Anonymous Coward
      Anonymous Coward

      'If I read a story like that, I wouldn't believe it'

      Agree! With all the resources the NSA has, why are they outsourcing daily sysadmin work to a subcontractor? Surely this is a laughably weak point in human & systems vulnerability? I can understand where it's necessary to contract out specialist work that is done in isolation from the daily work of the NSA... But access to broad systems? USB keys? Hello...? Burn After Reading (2008)...

      Moreover the guy appears to have a chequered history regarding IT. He started as a security guard at the NSA??? Now a few years later he's making 200k or 130k depending on who you believe. If he was working on a trading desk at 29 with a mystery past I'd say that sounds right! But NSA security? This is the best the NSA can get? His story sounds more like Gary McKinnon than White-Hat pro...

      1. Don Jefe

        Re: 'If I read a story like that, I wouldn't believe it'

        Within the current government it is en vogue to reduce agency head counts. Even if it actually cost more to outsource the job (almost always does) they have a mandate to reduce staffing levels. It's all a rather silly trick.

    6. Anonymous Coward
      Anonymous Coward

      Could there be a downside to issuing clearances by the million and outsourcing the background investigations?

    7. Anonymous Coward
      Anonymous Coward

      What you're saying is, like Manning, this guy should not have had a security clearance. And you're right.

      And once again, the name "Obama" appears nowhere in the article.

      1. Anonymous Coward
        Anonymous Coward

        Yes, the name Obama should be all over this article, if he can't be arsed to personally do all the checking for every security clearance it's his fault. It's not as if he has anything else to do is it? Oh, wait...

        1. Anonymous Coward
          Anonymous Coward

          Obamafanbois.

          Much like a neutered dog, you don't get it.

          Snowden says that he waited until now to come forward only because he believed Obama's promise that he would cancel this surveillance of Americans - after all, it was part of Obama's platform. Snowden makes it clear that he came forward only because of Obama's lack of action.

          This is about Obama's unwarranted surveillance of Americans by a President that made it clear he would not conduct unwarranted surveillance of Americans.

          Understand?

      2. Fehu

        Please, blighty, take these tea partiers back.

        I'm a coffee addict myself, so I don't fully understand this infatuation with TEA(Tobacco Everywhere Always?), so forgive me if I offend your national beverage. But it just so happens that in the USofA we are being annoyed by a small group of tea drinkers that probably would be much happier somewhere else. Well, I know we would be much happier if they were somewhere else. So, how about it, your majesties? Do us a solid, for old times sake? Offer them all the tea they can drink and get them out of our hair. Thanks

        1. Anonymous Coward
          Anonymous Coward

          Re: Please, blighty, take these tea partiers back.

          I think you'll find they just want to throw the stuff into Boston harbor in the hope it will stop Twinings from exporting any more.

          Why don't you just get on and let them do it?

          On the other hand, we have a "UK independence party" that wants us to leave the EU and become a complete dependency of the US. You wouldn't like that, would you? Please could you offer them resettlement in somewhere where they would fit in nicely - Nevada, Nebraska, say, or North Dakota? All three of our main political parties would be in favor.

        2. Vic

          Re: Please, blighty, take these tea partiers back.

          > in the USofA we are being annoyed by a small group of tea drinkers

          I doubt it.

          I've spent quite a bit of time in the US. It was *very* rare for me to find any tea there - just some pale brown liquid that was almost entirely unlike tea in every respect...

          Vic.

      3. Anonymous Coward
        Anonymous Coward

        To All you Obamafanbois

        .And once again, the name "Obama" appears nowhere in the article.

        11 downvotes just for pointing out that Obama is behind this!

        You know, Obamafanbois, you can shove your head in the sand and still get your butt kicked.

    8. Anonymous Coward
      Anonymous Coward

      Just re-read my post: What I was trying to say was not that I didn't believe the story, just that it shows a shocking lack of competence on behalf of that NSA, it's like they wanted everyone to know about Prism. I used to work in a bank and our offices had more strict security than seems to have been the case at the NSA. ie: VMs for workstations where possible, where not if you put a USB stick in it was immediately encrypted so even if you did take it out of the company the data on it would be useless.

    9. David Neil

      Pole Dancer <> Sex worker

      1. Anonymous Coward
        Anonymous Coward

        Pole Dancer != Sex worker

        There, fixed that for you.

    10. Anonymous Coward
      Anonymous Coward

      Firstly, pole dancers are *NOT* all sex workers, some may be sex workers as well as pole dancers though in the same way that the receptionist or cleaner or even your manager may be a sex worker.

      Second misconception, security vetting has nothing to do with (at certain levels) what you get up to within the law, it's about how honest you are and all about how susceptible to temptation/blackmail/coercion. If you're open about your proclivities during the process then you've demonstrated you're not a risk.

      1. Anonymous Coward
        Anonymous Coward

        Actually a pole dancer is a sex worker, that is not however to say that a pole dancer, or indeed most sex workers are prostitutes. A pole dancer uses her (his maybe as well) body to titillate sexually. If they aren't sex workers, why are the clubs pretty much exclusively frequented by men and the pole dancers are as far as I can tell only women?

        Also vetting is very much about what you get up to within the law (amongst other things) for example, if I were having an affair, this would be perfectly legal but would pretty much exclude me from all security vetted positions. Were I into something perfectly legal, but unusual such as poly, where all parties are aware of what's going on, again that would exclude me from pretty much any role. Were I a member of the BNP, I would not be committing a crime, but I wouldn't be getting security clearance either.

    11. larokus
      Devil

      Don't most IT workers do S&M on the weekends to keep self-inflicted gun shot wounds at bay?

    12. Anonymous Coward
      Anonymous Coward

      "I can't imagine for a minute you'd get SC, let alone DV clearance in the UK if your girlfriend was a pole dancer"

      LOL, you certainly can get DV with far more left field personal circumstances than that even as a lowly techie, so long as you don't try to hide it. Don't forget the pay is abysmal, they will take what they can get.

  3. bag o' spanners
    Happy

    "I'm taking the Cray home this weekend. I need to finish this project before Monday"

  4. omnicent
    WTF?

    "And cloud and virtual infrastructure make the insider problem worse since administrators can access any virtual machine to potentially copy and steal sensitive data or potentially destroy the virtual data centre in the push of a button.”

    hmmm, someone needs a bit more education on how modern cloud and VM based infrastructures work.. who did he say he worked for???

  5. At0micAndy

    quelle surprise

    it can hardly be a surprise to the Security Services that the leaks have come from Trusted SysAdmins. It is the same in many companies, in my experience, ordinary users don't always have access to thumb drives or writable drives, but the 'techies' swan in and around with copies of the OS on a burnt drive or a pen drive. We assume they are doing something proper, but what if they are just using our accounts to swipe data? It would be easy enough to do. But then again, it is easy enough to stop too, the problem is, it is the SysAdmins that would have to implement the blocks, and I guess most of them are not motivated? At a recent place I worked, pen drives were locked away, issued only for special jobs, and had to be returned at the end of the day. Unencrypted non registered pendrives did not work on the system. Seems quite safe to me :-)

  6. knarf
    Angel

    Project Treadstone ???

    No Project Treadstone as yet then, pity some super soldiers would have made my Friday.

  7. John Smith 19 Gold badge
    WTF?

    "“Systems administrators.." "..low level, typically have the highest access to systems and data,"

    Manage the data sure.

    Read the data. Why?

    And thumb drives? I thought the NSA had a "Body cavity searches will continue to be conducted at random until further notice" policy.

    1. Peter Gathercole Silver badge

      Re: “Systems administrators.." "..low level, typically have the highest access to systems and data"

      Many organisations ban removable writeable media unless the need is justified. There are almost always cases where it's just too difficult to do certain jobs without removable media.

      If the sysadmins can make a reasonable case for it, it is likely that it will be allowed, albeit with some additional controls (encrypt the data, use traceable drives etc).

      These controls are mainly there to make sure that there is no inadvertent loss of data, or if it is lost, that it can be traced to the careless person. It does not really stop such a device being deliberately used to remove data. To achieve this, you really need to physically disable drives and ports (epoxy glue or break them), have locked PC cases, and make it mandatory that two people are involved with any process that adds or removes hardware. I have a very nice microSD USB card reader, and I'm sure I could hide a 32GB microSD card about my person so that it would not be found except by a really intrusive search.

      Completely disabling USB is difficult, as you would also have to deal with the ports being used for your keyboard and mouse. It can be done in a driver by whitelisted USB manufacturer and identity lists, but even this is vulnerable to a sysadmin with the correct degree of privilege.

      I'm surprised that he didn't trigger alarms, though. The financial world often seems to have better controls than defence and security related organisations, and when I worked as a UNIX sysadmin in a UK bank, I was always aware that there were people metaphorically looking over my shoulder watching what I was doing (there was no direct root access on production systems, everything was done using tools like Unix Privilege Manager, which logs the input and output of any command securely off the system). Was a pain in the neck to use, but was effective. Even so, it was possible to disguise what was being done, and take sessions out-of-band of the controls, if you knew enough about what you were doing. And at some point, someone has to know the root password.

      1. Ken Hagan Gold badge

        Re: “Systems administrators.." "..low level, typically have the highest access to systems and data"

        "Many organisations ban removable writeable media unless the need is justified."

        They may claim to, but these days even a mobile phone could easily be a removable writable medium. Now, I'm sure there are some organisations out there who realise this and ban personal phones in some parts of the workplace, but I doubt there are "many".

        1. Anonymous Coward
          Anonymous Coward

          Re: “Systems administrators.." "..low level, typically have the highest access to systems and data"

          "Now, I'm sure there are some organisations out there who realise this and ban personal phones in some parts of the workplace"

          Have a distant relative-in-law who is a network admin for a government contractor. According to him, they ban cell phones at work due to security concerns. I was under the impression that in his case, the parking lot is the only acceptable place he can have his cell phone.

      2. P. Lee Silver badge

        Re: “Systems administrators.." "..low level, typically have the highest access to systems and data"

        The easiest way is to encrypt all media file systems. The USB file system is then useless when plugged into a different computer. That's easier to do than squeeze glue into all the usb ports.

        The key logger is probably not helpful. It would be easy to cut and paste text from other sources into something which is executed by an interpreter - e.g. a perl script to open two network ports on the local machine and then pass data between them and out to a file.

        I have to agree with earlier posts - files with secret things should not be decryptable by admins with access to those file systems.

  8. JimmyPage
    FAIL

    No security system should have a single point of failure

    Which is what has happened here. Someone who had access to the data *also* had access to the means to smuggle it out.

    On another thread, I commented that IT admins should not be able to read the data under their control. I've seen it done with Windows ... (I apologise for vagueness, I am not a SysAdmin) it involved creating a folder with an account which was then deleted, having given access to the management, and denied to the administrator. So they could not look inside the folder, (nor take ownership).

    1. Joe Montana
      FAIL

      Re: No security system should have a single point of failure

      You can't make any files unreadable by the admin users...

      The admin can extract the password hashes of all users, and the plain text passwords of logged in users at any time from a windows host.

      Even if the permissions explicitly prevent the admin user from reading or taking ownership of the file, you can always pass the hash into another user, or elevate to system/backup users (if the backup user cannot read the data then the data won't get backed up - not a good state of affairs). There are several other things you could do too.

      The problem is people who don't think outside the box, thinking that something as trivial as file permissions will stop someone with admin privileges is ridiculous. Hackers do think outside the box, and realise that most of the published security features, especially on windows, are fundamentally broken in one way or another.

      Unix also cannot stop an admin user from accessing any data on the system, but it doesn't try to pretend otherwise. And it is this pretence which gives users a false sense of security, and causes them to implement half assed measures that anyone remotely competent can bypass instead of accepting the inherent risk and working out other ways to mitigate it.

      It's much better to have a known risk which you fully understand, vs a risk you are unaware of because you think you fixed it and don't realise that your fix is fundamentally broken.

    2. Anonymous Coward
      Anonymous Coward

      Re: No security system should have a single point of failure

      The short answer is that the data should be in proper databases, where the permissions can be set so that admins can backup and restore, copy, but not run queries. Access to the database should also be controlled by airgapped credentials.

      If banks can do it for ordinary business customers, so should security agencies.

  9. Fehu
    Pint

    Security?!?! We don need no stinging security!!!

    So, basically, all our efforts at securing our networks will be foiled because some PHB must get pictures of his pets on his windoze desktop. These are indeed interesting times.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security?!?! We don need no stinging security!!!

      This is hardly a Windows/Linux issue, you can access USB drives on both and lock them down on both. It's a competence/incompetence issue and incompetence is OS intendant.

      1. Anonymous Coward
        Anonymous Coward

        Re: Security?!?! We don need no stinging security!!!

        OS independent, that should have been, bloody spellcheck...

        1. Fehu

          Re: Security?!?! We don need no stinging security!!!

          Not meaning to slam windoze in particular, but it's more of an authority problem. We know what needs to be done to make systems secure and yet many times the people that know are overruled by someone higher up for some inane reason. Perhaps, it would be more correct to say that it's a "human nature" problem. Assuming no one will take advantage of a weakness you've introduced into your network is insane, but it is also very common.

          1. Don Jefe

            Re: Security?!?! We don need no stinging security!!!

            You make a good point about people taking advantage of a weakness.

            Throughout this whole debacle the NSA has chanted there are security measures in place to keep the wrong people from being spied upon but in interviews with govt shills it has turned out all those safeguards are the Humans at the controls. There are no real system controlled security measures in place and as you point out, everyone knows that people will take advantage of something if they think they can. It isn't they can't do something but they aren't supposed to do it.

    2. phuzz Silver badge
      Facepalm

      Re: Security?!?! We don need no stinging security!!!

      Why bother with doing it at a software level? Just go round and glue up all the usb ports with a hot glue gun, that's 90% of the risk gone right there.

      1. This post has been deleted by its author

  10. Don Jefe
    WTF?

    Questionable?

    About a decade ago I was involved in some research at a National Laboratory here in the States. Part of their system security was the recognition of foreign devices. If you put any unauthorized device in a USB port or connected a foreign device to the network, the user got a visit from security about 1.2 mins later and the device was confiscated. I was issued an authenticated and encrypted device after that.

    If this technology was available and being used 10+ years ago at high security facilities I do not understand why the NSA of all people wasn't using it. Even though it was through a contractor I don't understand why something similar wasn't implemented.
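An added example, not part of any comment in this thread and not any site's real tooling: the foreign-device recognition described above and the vendor/identity allowlist mentioned earlier in the thread, sketched as a check over Linux kernel USB log lines collected off the workstation. The hostnames, serial numbers, allowlist entries and log lines are constructed sample values, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Assumed policy (constructed values): ordinary peripherals are allowed by
# vendor:product, storage only by vendor:product:serial of an issued stick.
ALLOWED_PERIPHERALS = {("046d", "c31c")}
ISSUED_STORAGE = {("0951", "1666", "ISSUED0001")}

# Constructed sample in the format the Linux USB core writes to the kernel log.
SAMPLE_LOG = """\
Jun 14 09:02:11 ws-014 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Jun 14 09:02:11 ws-014 kernel: usb 1-2: Product: USB Keyboard
Jun 14 09:15:40 ws-014 kernel: usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jun 14 09:15:40 ws-014 kernel: usb 1-3: SerialNumber: ISSUED0001
Jun 14 09:15:41 ws-014 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Jun 14 11:47:03 ws-022 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jun 14 11:47:03 ws-022 kernel: usb 2-1: SerialNumber: CONSTRUCTED9999
Jun 14 11:47:04 ws-022 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Jun 14 13:20:55 ws-031 kernel: usb 1-4: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Jun 14 13:20:56 ws-031 kernel: usb-storage 1-4:1.1: USB Mass Storage device detected
"""

NEW_DEV = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(
    r" (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(
    r" (?P<host>\S+) kernel: usb-storage (?P<port>[\d.-]+):[\d.]+: "
    r"USB Mass Storage device detected")


@dataclass
class Device:
    host: str
    port: str
    ts: str
    vid: str
    pid: str
    serial: str = ""
    storage: bool = False


def parse(log):
    """Group kernel lines into one Device per enumeration event."""
    devices = []
    current = {}  # (host, port) -> device most recently enumerated there
    for line in log.splitlines():
        m = NEW_DEV.search(line)
        if m:
            dev = Device(m["host"], m["port"], m["ts"], m["vid"], m["pid"])
            devices.append(dev)
            current[(dev.host, dev.port)] = dev  # a re-plug replaces the old record
            continue
        m = SERIAL.search(line)
        if m and (m["host"], m["port"]) in current:
            current[(m["host"], m["port"])].serial = m["serial"]
            continue
        m = STORAGE.search(line)
        if m and (m["host"], m["port"]) in current:
            current[(m["host"], m["port"])].storage = True
    return devices


def findings(devices):
    """Return (host, timestamp, vid:pid, reason) for each policy violation."""
    out = []
    for d in devices:
        ident = f"{d.vid}:{d.pid}"
        if d.storage:
            # Storage is judged first, so a device that carries an allowed
            # peripheral ID but also exposes a disk is still reported.
            if (d.vid, d.pid, d.serial) not in ISSUED_STORAGE:
                out.append((d.host, d.ts, ident, "unregistered mass storage"))
        elif (d.vid, d.pid) not in ALLOWED_PERIPHERALS:
            out.append((d.host, d.ts, ident, "peripheral not on allowlist"))
    return out


if __name__ == "__main__":
    for finding in findings(parse(SAMPLE_LOG)):
        print(finding)
```

The identifiers are whatever the device reports about itself, so this is a detection aid rather than proof of identity, and it only helps if the logs are shipped somewhere the workstation's own admin cannot edit them.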

  11. Duncan Macdonald Silver badge

    Backups or boot disks

    In most sites Admins are responsible for ensuring that backups are performed. They also often have access to these backups (as they would need them if a restore is needed). Unless the backups are secured with encryption that the admin does not have the key to decipher, they will have access to the data.

    There also has to be a way of reloading the OS if the system gets corrupted - either an optical drive or a USB stick (or possibly but less common - a network download). Neither Linux boot disks nor Linux boot USB sticks honor Windows file security and if either is used to boot the machine holding the secret data then it can be copied if it is not encrypted.

  12. Senior Ugli

    I would rather be forced to read the documents on that CD, than have a lady gaga CD

  13. Destroy All Monsters Silver badge
    Big Brother

    Roger Roger!

    The chairman of the US House of Representative's select intelligence committee Mike Rogers (R-Michigan) said Snowden “attempted to go places that he was not authorised to go”

    Yes, Mr Representative. He also attempted to go to places where arsefiends like you didn't even want to go.

    Would it be you that called for the execution of Bradley Manning? And who claims to personally oversee every single GWOT airstrike and who is shilling for Israel in his spare time? F*cker.

  14. Anonymous Coward
    Anonymous Coward

    Security

    Has everyone forgotten General David Petraeus?

    http://en.wikipedia.org/wiki/David_Petraeus

    If the director of the CIA gets caught having an affair by using a weird e-mail scheme, what would lead anyone to believe that the underlings would be any better?

    Also, one has to remember "Quis custodiet ipsos custodes", which, loosely translates to "Who will keep the keepers themselves". It is impossible for everyone to be watched all the time. At some point, employees have to be trusted. About the best that can be done is to carefully screen those employees, and then very carefully ensure that they don't become disgruntled due to management doing something really stupid (which is a point which virtually all government organizations and companies fail to realize!). There is no greater asset than a trusted employee, nor anything quite as dangerous as a disgruntled employee.

    As for physical security, that is mostly a joke, with a couple of exceptions (most of which are obscenely expensive). Sure, a bank/government quality safe is pretty secure. Mostly. Although quite a few safecrackers have busted those. The lock on a typical office desk is a joke. I regularly (e.g., twice a day or more!) used to pick the lock on my office desk (because the silly office administration people had lost the key to the office desk I was assigned, so I simply decided that I'd pick the lock with a suitable key-pick). I've even picked desk locks with a paperclip (about 10 minutes the first time, although I got it down to about two minutes with a bit of practice!). I'd even pick the desk locks for cow-orkers (but, only with their permission, and with them present). Door locks were a bit harder, but could still be picked (and, without leaving any evidence, if you were careful).

    PC case locks? Don't make me laugh. And, once you have access to the inside of the system, well, anything can be accomplished (I've even hacked mainframe computers in that manner!).

    Oh, don't worry, y'all. I'm a white-hat hacker who works for an international organization as a cryptographer. :-)

    Just call me "The Pirate." (And, yes, I really do wear an eye patch!)

    1. Anonymous Coward
      Anonymous Coward

      Re: Security

      There is no reason to entrust employees and it should be built into the OS that you cannot write files to an external drive and top secret files cannot be copied at all even to cache them.

      If the employee wants to take screen shots or notes then deal with that as you would them walking out with half a server rack on a trolley, the level of security in the US government is best described by the fact many heads of those teams in control use hotmail or aol.com accounts to forward classified information and arrange meetings and secure laptop pickups.

      The whole thing is a joke I can't even blame the Chinese for hacking them it's just too tempting.

  15. Sampler

    Why not 2?

    Let's face it, for the cost, why don't they have two guys, one does the job, the other watches.

    They're rotated on a regular basis to prevent familiarity and prevents one doing something they shouldn't, healthy paranoia on whether the other guy will grass you in will keep the guys in line.

    Or is that a little low tech?

    Plus if you've got two they can work as a soundboard and increase efficiency.

    1. Charles 9 Silver badge

      Re: Why not 2?

      Because if you can subvert ONE person, how much harder would it be to subvert TWO? One does the deed and the other lies to protect him. Plus as noted, how do you watch a watcher? Especially if you can double the watcher watcher?

    2. John R. Macdonald
      Big Brother

      Re: Why not 2?

      The police/security service in some countries work in teams of three. Why three? The reasoning is it is fairly easy for two people to collude but much more difficult with three.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why not 2?

        I thought they worked in threes because -- one knows how to read, one knows how to write, and the third keeps an eye on these two intellectuals

  16. Herby
    Joke

    I'm surprised nobody has mentioned...

    That this guy was almost a prototypical BOFH. He didn't like his boss, used the data he had access to to embarrass his boss, the list goes on. The only thing lacking was a proper PFY.

    So, does Simon work for the NSA??

    I also note that this thread has a VERY high percentage of Anonymous Cowards commenting. Probably coincidence!

  17. Tomato42
    Pint

    They could have prevented it...

    ..it would be enough not to do morally objectionable projects and NSA/CIA wouldn't have to worry about leaks like Manning or Snowden.

    They both did this *only* because they considered the stuff they worked on morally objective, and rightly so!

  18. KBeee Bronze badge
    Trollface

    It Doesn't Matter

    You have to realise, the only security they're concerned with is security of funding. If a USB stick gets them into trouble, then more funding is needed. If there's a Bad Egg on their books then they need more funding. If there's too much info coming in from their spying they need more funding... etc. etc. etc.

  19. OrsonX
    IT Angle

    "thumb drives"

    USB stick, no?

  20. Anonymous Coward
    Anonymous Coward

    Only a small proportion

    so, perhaps, he's smarter than he makes out to be. The rest of the files he mis-acquired, might keep him safe from unfortunate accidents, such as free-falling elevators, malfunctioning brakes, dislodged hammers, faulty electric wires, etc.

    ;)

  21. William Boyle

    Best kept secrets

    The best kept secrets are those hidden in plain sight. Who would think to copy a file named something like "MyKidsBirthday", or "VacationWithSam"?

    1. Anonymous Coward
      Anonymous Coward

      Re: Best kept secrets

      Now I've had to change the names of all my secret files, thanks to you.

    2. Don Jefe

      Re: Best kept secrets

      In a cunning ruse to employ war gaming best practices I have named all my files 'Top Secret Q Only 1-[x], passwords, banking and SSN info'; counting on the fact that my enemies will copy the 'Anniversary Gift Ideas' and '5th Period Science Essay' files in an attempt to outmaneuver me. Ha!

  22. Anonymous Coward
    Anonymous Coward

    Lots of weird comments here, like all these "they should be using encrypted authorised removable media devices" stuff. Obviously being made by people who can't think beyond their 'user' experience. He was an admin, he could do whatever he wanted with the data, such is the nature of being an admin. Need an authorised encrypted device, get one, or even add your own to the list of authorised devices. Need the encryption key, get it, or create your own and encrypt it with that.

    You cannot stop lone wolves actions, in any field of security work, the best you can hope for is that they make a mistake along the way, and you get to detect them before they complete their act.

  23. sysconfig

    "The chairman [...] said Snowden “attempted to go places that he was not authorised to go” on the NSA’s network"

    Funny. The NSA, too, attempted to go places that they were not authorised to go.

  24. Anonymous Coward
    Anonymous Coward

    Who cares

    A whistleblower lets us know that a gubbmint dept is doing major snooping on the populace. El Reg's commentard communities reaction is 'How To Secure Your System'.

    Sorry people, some things are just wrong.

    1. Birdulon

      Re: El Reg's commentard communities reaction is 'How To Secure Your System'.

      There's enough articles on the ethics of PRISM, even on this site alone. If you had read this article you'd note that it's on the method the whistleblower used to smuggle out sensitive data, so of course the bloody comments are going to be about that. If you want to find commentard backlash against PRISM you don't need to look far at all, but it all gets samey after a while.

  25. ThePhantom

    The solution is so clear...

    SPYRUS has been making secure USB flash drives for years, and they are always exhibiting at government shows. Not only is the drive encrypted, but it can be locked down to a specific computer or set of computers - and remotely wiped if it manages to sneak out the door. WTF is any government agency or organization thinking when they let unencrypted, uncontrolled USB flash drives on the premises?

    1. Paul Hovnanian Silver badge

      Re: The solution is so clear...

      It's not the USB drive. It's the (Windows) USB port drivers. The object is not to encrypt data on a USB drive allowed into the facility. It's to keep someone from bringing their own device in and copying stuff.

      Someone with admin access to a box and some know how can swap out the 'secure only' drivers with Windows defaults, copy data out and put the custom DLLs back.

      It's possible to build security into the hardware or firmware. But the problems and costs of custom h/w and retiring old systems have already been discussed.

  26. Anonymous Coward
    Anonymous Coward

    Any security PLAN or just react to the latest incident?

    Why have open USB ports? Why allow access beyond what Snowden needed for the task? Why let an NSA with 4 computers fly to HK? Look how hard it was for Chongqing's police chief Wang Li Jun to get to the US Consulate, the people chasing him had tanks!

    1. Anonymous Coward
      Anonymous Coward

      Re: Any security PLAN or just react to the latest incident?

      Because in a society where the security services are acting in the best interests of the people, within moral and ethical boundaries, those who work for the security services should be able to be trusted and to understand the importance of the field of endeavour they are involved in.

      The problem here is one where the organisational activities one of those people was being expected to be involved in, was something he felt was morally and ethically unjustifiable and wrong.

      And now the question he answered with "this is completely wrong" is yours and everyone else's to judge.

      I think there are some American politicians who need to look at what has been released, and rein themselves in, all we have so far is information about 'secret programs'. A very high level overview of capabilities and how they're being used.

      Screaming "Traitor" at a man who merely made information that such programs and capabilities exist and are in use, seems oddly counter productive when you all know damned well he must have had access to far more sensitive stuff than has been released.

      Unless of course you're trying to make his point for him about how you're all unreasonable (totalitarian type) bastards who will go to any lengths to maintain your control over everything.

      1. Don Jefe
        Alert

        Re: Any security PLAN or just react to the latest incident?

        In a position of trust or not the users are just that, users. About 1.75M El Reg readers will agree that you never trust the user. Either from malice or excess of stupid the user is 100% guaranteed to fuck things up. A lot of IT professionals would not have jobs if the user could be trusted.

        As far as a plan goes, the solution is inevitably going to be so convoluted that nothing will ever be able to work again. The wheels of bureaucracy will see to that.

  27. Anonymous Coward
    Anonymous Coward

    Simple solution

    Do what I was going to do a while back and make a completely unique non-powered USB variant using a standard headphone connector with a "challenge response" via a series of laser cut analogue resistors and a 4066 keyed to a secure micro soldered to the motherboard and Epoxied with ceramics to foil grinding.

    This has the advantage that no devices other than the keyed, secured devices can be used and buffer overflow/timing attack protection can be hard wired into the micro.

    Without the three factor authentication it fails safe and refuses to work again until the machine is power cycled and a code key is entered.

    Other advantages, the same device can be used as a headphone/mic port as it won't even enable the USB until it "sees" the correct response.

    Also the device(s) can if needed be remote charged using the headphone function, so any old standard keyboard/mouse/etc can be used but not a pendrive.

    Simplez.

    AC-DC x520

    1. Charles 9 Silver badge

      Re: Simple solution

      Does your ceramic-embedded epoxy block also defeat acid etching and decapping? Is your system sensitive enough to detect a sniffer listening in via, say, an audio Y cable or some kind of inline reader? Just curious to see how thorough your solution is to physical, side-channel, and in-the-middle attacks.

  28. Anonymous Coward
    Anonymous Coward

    Data security

    This doesn't necessarily mean other DOD entities have the same issue. Information security departments are unique to the entity and some much more thorough than others including level of security knowledge or certifications of those engineers. Security implementation guides are published by the US Government for all types of operating systems and applications and deal with everything mentioned in these comments. Those security findings are mandated and the systems should be scanned before being activated on the production network. However, this single leakage has uncovered three disturbing issues.

    1 - We're all capable of being tracked much easier than previously thought.

    2 - Our personal data is not safe at the NSA because systems and possibly other classified data are not secured properly.

    3 - Major technology companies could be secretively giving away our personal information without knowledge of any other officer of the same company.

  29. Anonymous Coward
    Anonymous Coward

    With any luck...

    ...Snowden will experience a very painful punishment for his crimes.

  30. Anonymous Coward
    Anonymous Coward

    Gizmo?

    You stuck in the 80's? This title is almost as bad as PuffHost's.

    1. Don Jefe
      Happy

      Re: Gizmo?

      As opposed to widget or whatsit or thingamajig? What would your preference have been?

  31. Anonymous Coward
    Anonymous Coward

    All this cunning software stuff...has nobody thought of just unscrewing the HDD and saying "it's broke" to the IT guy? You have a head start. Replace it with a similar looking one and you have more time to escape. Clone the disk and it'll probably never be detected (although that would need a power supply feeding into the back of a drawer or similar).

    None of you guys will ever be James Bond. I won't be either because I fucking hate being shot at.

  32. Anonymous Coward
    Anonymous Coward

    Re. RE. Gizmo

    Yeah, I've heard of this.

    Unfortunately, though, banks and other QGOs seem to be oblivious to the good old "Hi we are xxx computer company here to fix that desktop" scam.

    I've heard of fake vans AND uniforms being made for this before, plus it's relatively easy to duplicate number plates etc with some kludge-fu for the "mission impossible" (tm) scenario.

    I did a little experiment a while ago, went to a randomly selected company with a clean and tidy suit, convincing story and a toolbox. Eejits let me into a secure area without even an ID card before someone bothered to check on me :-) (company deleted for reasons of national security)

    It sucks for the poor graduate drones who now can't even get an interview at (deleted) etc without four references and copies of their extended, vetted AND cross-checked-by-expen$ive-third-party-company "employment agency" who charges $900 just to get the company to reply to your letters at all.

    Rumour has it that a school in the UK got all their computers taken because some blokes in a van showed up to "upgrade" them. Turns out that the upgraded machines were nice shiny and clean 486's with really cheap monitors. Facepalm.

    1. Vic

      Re: Re. RE. Gizmo

      > the good old "Hi we are xxx computer company here to fix that desktop" scam.

      Many years ago, I worked in field service for a Health Authority.

      I went to a site one afternoon to replace a failed terminal[1]. The manager was apoplectic and demanded ID.

      "I don't carry any", I told him truthfully.

      "Well I'm not going to give you access to our equipment" he retorted.

      "Suit yourself", says I, "it's your terminal that's broken. I'll just take this new one back to the depot".

      At which point, he suddenly changed his mind and gave me all the access I needed...

      Vic.

      [1] Yes, it was a terminal, not a PC. The network was a serial net running on statistical multiplexers, with all the end-user kit appearing to connect to the mainframe over a simple serial link. It was a long time ago...

  33. Anonymous Coward
    Anonymous Coward

    Re. RE. Simple solution

    Yeah, it would need some sort of impedance detector or compensation for drift etc.

    Perhaps a swept audio pulse from the special software and hardware to listen in for connected devices,

    if the signature doesn't match no workie.

    Also very effective against muppets who bring in their headphones from home to listen to muzak during work time, put clear warning labels on the machine to deter the hungry, hungry lawyerbots.

    Universities and schools would like this, it stops people bringing in their virus laden pendrives from home and if they must copy files to CD-R they go through the proper procedure.

    Issue all the students with their own password locked "pen" drive and if they lose it, the passkey can be nuked so no-one else can recover the content even if they plug it in elsewhere.

    Source:- The Home Security Handbook :-)
