Another Snowden Lesson: People Are the Weak Security Link
There's a story that Edward Snowden successfully socially engineered other NSA employees into giving him their passwords.
Posted on November 8, 2013 at 1:06 PM
The response of the standard Mk1 government bureaucrat to this problem will be:
1, passwords will now be a minimum of 100 characters and change weekly
2, users will be restricted to only a single document they are authorized to see. Any access to other documents will take 7 levels of management approval
3, Users will not be allowed to talk to another user about anything without written approval, minutes, 7 levels of approval and a lawyer present
The result will be a screeching halt of any actual spying by these agencies, while at the same time a massive increase in perceived 'work'.
Victory all around!
@Man in Black - he was a sysadmin.
Your PC doesn't work, the sysadmin needs to fix it, he is standing next to you and asks you for your password.
A bunch of subcontractors are trying to make Server A work with database B and SAN C - they each need to be able to reset one of the other components.
If you work at the sort of place where you wouldn't give the admin the passwd in this circumstance - you probably work somewhere where nothing gets done.
@Man in Black - but remember this wasn't the NSA or any organisation with any sort of command structure.
It was an outsourced contract outfit who got the job because they had the lowest bid, whose employees know that to get the next contract they need to be cheaper next time and who frequently have to work with an ad-hoc arrangement of other contractors.
It's much harder to enforce high levels of security and accountability in these circumstances.