Terminology and connotations

The documents were taken from at least 24 supersecret compartments that stored them on computers, each of which required a password that a perpetrator had to steal or borrow, or forge an encryption key to bypass.

Once Mr. Snowden breached security at the Hawaii facility, in mid-April of 2013, he planted robotic programs called "spiders" to "scrape" specifically targeted documents.

This excerpt from Edward Jay Epstein's WSJ article sounds awfully sinister and, well, advanced. Not just compartments, but supersecret, Houdini-defying compartments! Except that "supersecret" just means "above secret"– top secret — and "compartments" aren't physical devices but logical, taxonomic infosec categories.

But robotic programs, of all things… in fact, robotic spiders! Oh, wait. He's talking about mundane bulk copy utilities and scrapers. Nevermind.

However one feels about Snowden's ideological self-presentation and whatever case can be made that he was/is under the control of foreign intelligence entities and using whistleblowing as a cover, I don't think this sort of rhetorical obfuscation is appropriate. The strength of a case should depend on its substance and validity, not on frosting applied through orc mischief or ignorance.

Last 5 posts by David Byron

Comments

  1. jdgalt says

    I don't think what Snowden was doing was all that sinister, either. But as someone who has worked both in programming and on military projects, this is all jargon that anybody with basic familiarity with either field would know. It doesn't sound to me like it was written to obfuscate.

    (I'll resist the temptation to say something snide about lawyer jargon.)

  2. says

    @jdgalt, My point is that Epstein isn't writing for an audience of military contractors who program, but for a general audience consisting of folks perhaps more easily impressed by highly connotative language denoting stuff they don't understand.

    Note: his argument is that Snowden didn't merely copy, but targeted certain kinds of docs in sensitive, hard to reach locations and harvested them using technologies and practices far beyond the ken of your average sysadmin, and Epstein uses this sort of language to strengthen that point– a use it can only serve when aimed at people who don't know better.

  3. Zack says

    I've been amused by this kind of description of the "mechanisms" used as well. Best I can figure, he was authorized to have physical access to the machine, and had valid user credentials (whether his own or those socially engineered from his coworkers) to the systems from which the documents were retrieved. People get excited because they imagine advanced security features and some kind of hollywood hacking montage – but at the end of the day, if you have physical access to a terminal and are authorized to connect to the system in question, retrieving information from that system is, by design, trivial.

  4. stavro375 says

    "whatever case can be made that he was/is under the control of foreign intelligence entities and using whistleblowing as a cover…"
    Oh? I haven't heard about this. Isn't whistleblowing the worst possible "cover story" for a double agent?

    I believe it was Conor Friedersdorf who first pointed out that in our world, Snowden gave his data to a Brazilian and fled to China… there was very little preventing him from simply giving his data to the Chinese and fleeing to Brazil. In a way he's performed a great service for US national security interests.

  5. says

    Oh? I haven't heard about this. Isn't whistleblowing the worst possible "cover story" for a double agent?

    Unless it's not! Mwahahahawhattheywantyoutothinkiocaneetc….

  6. Kratoklastes says

    " The documents were taken from at least 24 supersecret compartments encrypted directories that stored them on computers, each of which required a password that a perpetrator an employee or contractor had to steal or borrow, or forge be issued an encryption key to bypass access.

    Once Mr. Snowden breached security logged into his workstation at the Hawaii facility using his NSA-provided credentials, in mid-April of 2013, he planted robotic programs called "spiders" to "scrape" specifically targeted documents ran a set of scripts that transferred files to external media."

    There… fixed it.

    Not for nothin', but if Snowden ahd been transferring the files to "a certain country in the Middle East", Epstein would have been totally cool with it (see: Jonathan Pollard).

  7. Deniable Sources says

    Also from the article:

    Contrary to Mr. Snowden's account, the document he stole about the NSA's domestic surveillance couldn't have been part of any whistleblowing plan when he transferred to Booz Allen Hamilton in March of 2013. Why? Among other reasons, because the order he took was only issued by the FISA court on April 26, 2013.

    Which, unfortunately, completely ignores the fact that this kind of order had been issued and routinely renewed for several years prior to Snowden's arrival with Booz. He indeed grabbed the latest order, but there had been plenty of them for years, and Snowden claims (at least somewhat credibly) to have been motivated in part by these specific issues. The "aha! I found an inconsistency" nature of the paragraph clashes quite nicely with the fact that it stitches together facts that are irrelevant to each other.

    I believe that this is currently what passes for "reporting" on the anti-Snowden side of the ledger these days.

  8. DaveK says

    The suggestion that this was an espionage operation by Snowden is beyond ludicrous: it's incoherent. Look, the most basic rule of Espionage 101 is that if you've compromised your opponent's methods, YOU DO NOT TELL THEM THAT YOU'VE DONE SO. If the Russians or Chinese had been running Snowden, in order to find out what the NSA was doing, the last thing they'd want would be for the NSA to know that their methods and channels were revealed, because then the NSA could change what it was doing, and all that carefully stolen information would be useless. They would have got him to bring them all those documents and then helped him disappear into quiet obscurity while they made use of what they had learned to feed the NSA misinformation and keep their real information secret from it. Remember WWII, when (Pearl Harbour conspiracy theories quite aside) we had to permit numerous attacks to go ahead in order that the Axis powers would not realise we had broken their encryption? The same applies here. The idea that the Russians or Chinese would have wanted all this public disclosure is insane: it doesn't make any sense even as a cover story. NSA would never have known what had happened if Snowden hadn't disclosed it all to the media.

  9. Stephen H says

    Sounds like the WSJ has been doing some brilliant research talking to the NSA and printing its press release unchanged.

    Sort of like a novel I encountered on Amazon recently by some guy by the name of Edward Lucas, that figures since Snowden is stuck in Russia he must be a Russian spy. It's like these guys add one and one and end up with 57. They don't seem to understand the idea of evidence. There is no possible way to explain this garbage other than "poorly imagined conspiracy theory" that happens to fit nicely with the story the NSA wants told. Which in turn leads one to wonder whose back is being scratched.

    In the meantime the authors ignore all the illegalities committed by the NSA, focussing solely on their pet theory (or the theory they're being paid to espouse). And they ask "why didn't he come back to the US if he's a whistleblower?" Of course, Chelsea Manning could answer that question quite easily.

    I wasn't actually going to read the WSJ article because of their paywall, but then remembered that searching on Google will generally get you straight in past the paywall – suggesting that Mr Epstein's publicly revealed employer*, at least, knows nothing about security. One wonders why he doesn't apply his obvious IT security "expertise" to rescue his employer's finances.

    *Not to imply that he has anyone else paying for his articles.

  10. Garrett says

    Sadly, journalism is a field which is well-populated with people who don't know much about anything except for journalism. Just because the stenographer journalist doesn't know how to do something doesn't mean that it is actually hard. It seems that journalists seem to equate their ignorance with actual difficulty.

  11. GeoffreyK says

    @DaveK:
    Not saying that I endorse the following idea, but was entertained by it nonetheless – perhaps Russia, via the perception that the American government and its constituent parts are answerable to the American populace, chose to have their agent make all of this information public in order to hamstring their competitor, while they themselves get to continue such activities unabated. *Cough*, or not at all, since we all know that Russia's laws would never allow this kind of mass surveillance.

  12. barry says

    The 'Russian spy' story also asks us to forget US efforts to prevent him flying anywhere else from his Moscow stopover.

    They will be forgotten.

  13. albert says

    On a more positive note, Epsteins article is listed as "OPINION", a standard CYA move for publishers. I didn't read the entire article, because paying for this drivel is insane. Besides, I have my own opinion about the case, which is at least as accurate as Epsteins. I'd bet his 'sources' are not named. "Those who know" just doesn't cut it.

    The higher up the food chain jernalists go, the more they mirror those they report on ( or is that 'report to'?)

    Top of the line news-folk get invites to secret societies, one-percenter parties, and their kids go to the same private schools. They know which side of the bread is buttered.

    I gotta go…

  14. Jerry says

    Edward J. Epstein has a distinguished history as an investigative reporter. Some of this books on the Warren commission and the JFK assassination and the self-induced damage in the US intelligence agencies due to James Angleton's witch hunts are classics.

    I can barely recognize the man who wrote these books in this Op Ed piece. It's a restatement of all the claims of the official intelligence agency spokesmen/apologists. They made no sense the first time around, and make no more sense now. There's nothing here that's journalism, much less investigative journalism or scholarship. He's "reporting" as new stuff that his sources have already said publicly – and adding the kinds of "technical details" that make 24 sound "real" to those who know nothing about the technology.

    As @DaveK mentions above, the story, even if you read it in the most generous way, simply makes no sense. Why would a super-spy capable of such incredible technological feats "out" himself, painting a target on his own chest? Why would a foreign intelligence service with such a valuable asset allow the asset to decrease the value of all his work by letting the targets involved know they'd been compromised?

    It's sad to see Epstein, a talented investigator and writer, reduced to writing this kind of junk.

  15. Nicholas Weaver says

    The problem is, plain language, when described to what the NSA does, makes it clear just how dangerous they are. Thus NSA apologists mush obfuscate.

    For example, QUANTUM is a system to "shoot" (their words) exploits at any computer that does an unencrypted fetch past their backbone wiretaps. It is explicitly weaponizing the Internet backbone, and the NSA did it first. They've probably used this to attack and compromise 100k+ computers by this point.

    Oh, and the NSA/GCHQ used this specifically to penetrate Belgacom, so not only is this weaponizing the Internet, but a technique used to target and exploit computers in NATO allied counties, belonging to a telecommunication firm majorly owned by a NATO allied government!

  16. Alex says

    The strength of a case should depend on its substance and validity, not on frosting applied through orc mischief or ignorance.

    You really don't want to get any of that orc mischief frosting on you.

  17. Ron Larson says

    My mom just read "The girl with the dragon tattoo". She called me and asked me if all of the fantastical hacking the woman did in the book are possible. She was deeply impressed, and scared.

    I remembered back to when I read it. The author had sensationalized some basic technology, misunderstood what a firewall does, and just got sillier and sillier when attempting to describe the hacking and defenses in the book. He over complicated some basics, and failed to address large security holes, and plot holes. "Oh well.", I thought. "Just anther Hollywood plot."

    The point is, my mom was impressed because the author had managed to write a book with appears to a lay person a plausible hacking scenario. It sounded scary, and impressive. It was really neither.

    Jay Epstein should switch careers and start writing novels for the Steig Larsson estate. He would be good at it.

  18. says

    while this use is not 100% accurate, i prefer the term "syntactic sugar."

    @adam That's a good term. However, since there's no issue of syntax in play in this context, I prefer the expression "semantic molestra". Or perhaps "connotative exaspartame"….

  19. Joe Blow says

    Epstein is making a mountain out of a gnat turd.

    To a user with typical credentials and access, the separation between data elements in a cloud storage system may seem like impenetrable walls.

    To a super user with root privileges, a system administrator with the authority to view and move that data around, to characterize how it will be handled, gaining access to the data is a trivial matter.

    For what it's worth, the best cloud systems (tested, so far) have roughly twice the serious security vulnerabilities of stand alone servers. It is the price of seeking cost savings by consolidating data storage and application sites and and layers. Not the least of the problems is the ability of system administrators and system policy writers to grant the correct level of access to legitimate users (or credentialed users anyhow like Snowden), and that's before you even get to outsiders trying to hack their way in.

    "Big Data" and the public policy problems surrounding it are going to be a significant issue in the next several years and it's hard enough for laymen to understand without Epstein muddying the water and implying it's an impenetrable magic bunker that only super spies can fathom.

  20. MDZX says

    @Stephen H:

    You know Edward Lucas is the senior editor of The Economist magazine, right? Let that sink in for a minute. Now read all the warmongering they've been doing in the last decade or so should make more sense. He's an old hack Cold Warrior through and through, constantly hyperventilating about Russians.

  21. WhangoTango says

    Cyberhooey is (sadly) nothing new. I remember breathless articles in the 1990s about how Hackers were able to just Cyber Break-In to any computer they wanted. They'd hack into the IRS and steal all your tax refunds! They'd hack into the Pentagon and launch all the nuclear missiles! They'd hack into, um, the CIA, and, um, do stuff! Then they'd hack into your computer and make the monitor blow up in your face as soon as you finish reading this sentenceBOOOOOOM

  22. Allen Garvin says

    The spiders burrowing deep into the secret warrens of our most vital secrets, breeding, scraping out the precious bits from their cubbyholes.

    And even now, Snowden continues to use some kind of vast, world-spanning web to disseminate his insidious proclamations.

  23. Schism says

    Was Snowden intelligent enough to pinpoint and launch an attack against a target he perceived as open? Certainly. Any number of script kiddies have done much the same against any number of other targets, civilian or government. Was he careful to disguise his attack as long as possible to collect as much data as possible? Without doubt. (Most script kiddies would probably have stopped with adding a 72-point bold banner across the NSA's front page, in chartreuse or crimson, reading 'pwned'.) But none of this points to anything other than someone skillful enough to get himself into trouble (yet not quite skilled enough to get out), interested in and capable of collecting information he [legally] shouldn't have, on the grounds of disseminating information which should, ideally, be openly published. It's like Wargames all over again, not Hackers.

    So, yeah. If the media could kindly stop referencing a terrible, yet entertaining movie from 1995 in regards to modern cyberwarfare, and more to the point stop treating Edward Snowden as a terrifying, 'he's going to hack the Gibson!!11' villain rather than a relatively-straightforward grey-hat vigilante, I'd much appreciate it.