If the NSA Trusted Edward Snowden With Our Data, Why Should We Trust the NSA? (slate.com)
232 points by reaganing 4756 days ago
25 comments

All of the comments taking umbrage that the article isn't celebrating Snowden's character are missing the point. While it is entirely possible that he was qualified or even overqualified for the position he had at Booz Allen Hamilton, nothing in his resume suggests that, which raises the question: who else has access to sensitive data and secrets? The answer could be that Snowden was an exceptional individual and that's how he got to where he was, but it could also be that the government is terrible at hiring and granting security clearance, and there are a lot of terrible individuals with access to secrets & sensitive data, and Snowden just happened to be a standout.
The security clearance process basically looks for reasonable, honest Americans free of foreign influence.

If government actors are abusing their power to such an extent that reasonable, honest Americans free of foreign influence feel morally obligated to blow the whistle, then there are going to be more leaks.

It's not a flaw in the system; it's a safeguard against corruption and abuse of the system.

That's not what is being discussed here. What is being discussed is the leaker doesn't appear to be a standout individual. He isn't the top of his field. He doesn't have numerous advanced degrees. So on and so forth. He is "garden variety". So, given that, if a "garden variety employee" can get access to all this data, just how many ordinary Joes have access to it? The more people, particularly those low on the totem pole, the more opportunity for leaks to the wrong people.
*The security clearance process basically looks for reasonable, honest Americans free of foreign influence.*

That might be enough for domestic intelligence, but it's really shooting yourself in the foot if you apply "free of foreign influence" to overseas intelligence operatives. (Because you'll never be able to recruit anyone whose exposure to the target culture is significantly deeper than a semester attending a foreign university ...)

> The security clearance process basically looks for reasonable, honest Americans free of foreign influence.

ie: not gay and without financial debt

As I understand it, security clearance screening is done by blacklisting, not whitelisting.

That's what would make sense for a nation with due process, but it does lead to increased risk of leaks from people with no obvious red flags that come up during the background check or in-person interviews.

Even "better", there are things which are highly correlated with "likely to be a security problem" which are NOT allowed to be included, or which get adjudicated away.

Generally, IMO, the security clearance process is not up to the task in a world with more than one threat. It worked OK against the USSR when we largely could use the full spectrum of information AND could assume most people without black marks were anti-USSR (due to the existential threat from nuclear weapons and an essentially undeclared state of war).

Doesn't work so well now when 1) IC really had no mission in the 1990s and 2) IC today is grossly oversized and overresourced for the anti-Islamism mission. The "anti-China, anti-Russia" stuff is much more like a real peacetime intelligence service, i.e. the <<500 people we had before WW2.

Yeah, though I can't give specifics, we had an admin issue where I worked that got briefed up to the level of a "Presidential appointee confirmed by the Senate" that was related to screening requirements (or rather, the lack thereof).
I'm assuming both criminal/terrorist organizations (well, and hacker groups, etc.) and tech startups actually surpass USG for a lot of personnel screening, mainly because they're small. If you only hire people you've personally known for a long time, that goes a long way. Hiring 20 trusted people is a lot easier than hiring 20k.

(Obviously USG does a better job in certain areas; generally I'd say most military facilities do a decent job on most physical security.)

There are different levels. Up to a point they take everything you declare as true in conjunction with some basic checks. At the highest levels they assume everything you say is false, until investigated and proven true.

I still think the article makes a good point though: you just don't know who the hell has access to your data unless you keep it on your own servers or host the data in a country with extremely transparent privacy and law enforcement governance.

I don't think Slate is trying to crucify Edward Snowden. I think it was more "If a high school dropout with basic computer skills can win this contract, imagine what a talented hacker with malicious intentions could do", and just happened to attack Snowden a bit too much.
Even Slate admits, though, that they have no idea what level his computer skills are at or how good a fit he was for the job:

> Yes, he could be a computing savant anyway—many well-known techies dropped out of school

They're basically bemoaning his lack of official credentials.

I think the real thing to take home here is that they trusted him and he broke that trust. Who else are they trusting that they shouldn't be?
I thought the real issue was that we trusted the American government and they broke that trust?
On the contrary, I think that's their point ("we don't know!").
Which is rather humorous considering how articulate he was in the video of him being interviewed by Glenn Greenwald. You can tell immediately he's not your stereotypical drop out.
The author is full of stupid snark. Clearly Snowden is an exceptional individual; learning that he used to be a janitor, or whatever, shouldn't cause us to throw away all the evidence we have about him and double-take "they promoted a janitor?".

Perhaps the quality of his work matched his obviously high character, regardless of his initial lack of formal credential. This is IT we're talking about - classes are a joke.

This was the revulsion I felt as I read this as well. I used to be a truck driver. I am no longer a truck driver. Absolutely nothing about where I was says anything about who I am, how qualified I am to be who I am, nor where I am going. Let's not forget a previous owner of Slate, MSN... founded by the richest college dropout in the world.
The janitor making good, solving the famous math conjecture on the blackboard, is a Hollywood trope. Not sure why Slate is so adamant that the guy's story is a disqualifier.

We don't know his story yet but this much is certain: he is by definition an exceptional individual.

It's not only a Good Will Hunting trope, but has a very relevant, very current real-life example that came to light a few weeks ago.

Tom Zhang, who now teaches at the University of New Hampshire, recently published a proof of the mathematically-famous twin prime conjecture for certain prime number pairs.

For quite some time, Zhang couldn't find work as a mathematician, and during that period, he worked as a Subway fast-food restaurant worker.

http://www.independent.co.uk/news/science/that-figures-profe...

I believe I understand the point that Manjoo is making in his article, but both his choice of example and the specific derogatory language he uses to express his reaction make it seem to me that he has some specific ax to grind about the nature of technical credentials and their social cachet.

Most Americans probably worked some minimum wage job at a food or retail establishment as their first job too. I don't know where the shock comes from.
Note the author- essentially everything he writes is like this.
Not surprising at all coming from Slate and this author.
So now lack of a degree means you cannot be trusted with sensitive data - wtf?

I understand the guy is emphasizing these things to make his point but still, wtf.

What about his morals? What about his courage? I would most definitely trust my data to a guy that was and is prepared to go to jail for his beliefs that my data should be treated with respect and within the law.

> What about his morals? What about his courage?

I don't think the NSA would be using the same words you are.

The more legitimate point is that he was a contractor- just how much clearance do contractors get? That seems like the bigger worry to me.

A lot. But first they have to go through extremely invasive and intense background checks that in some cases take years to complete. It all depends on the agency and the role. Some are "Public Trust" which is the barely-above civilian clearance which takes less than a month. On the other end of the spectrum are your top-secret clearances which take months to years to complete. If I had to place a wager I would bet heavily that he has held a top-secret clearance for a long time. The NSA isn't going to let anybody off the street roam its halls.
I expect this from some news sources such as CNN, but not from Slate and definitely not from Farhad Manjoo.

Why can't we celebrate him for having the moral character to have done the right thing instead of assaulting his character?

A college dropout that did the right thing by whistleblowing is 1000x better to have in this world than an MIT, Stanford or Harvard graduate who is working at the NSA or CIA, enabling or at least complicit in these programs.

I wouldn't be surprised if the #1 criterion for NSA grunt employees is patriotism. If he's prepared to sacrifice everything for his country, then he seems to be the perfect candidate to me.
It is for CIA at least. Their tactic is that "we can teach you technical stuff in class after we hire you, we can't teach you patriotism if you already aren't". They like to hire ex-Marines. Someone was saying they also like to hire Mormons.

The kink is that many patriots do actually understand and love the Constitution, and if forced to routinely go against it in their line of work, a few will pull a Manning. That is expected. They can't have it both ways.

I have heard from multiple sources that the CIA loves Mormons.

Language skills. No drugs. No alcohol. Does well in a hierarchical environment. Check, check, check and check.

It would be against the law to ask about the underwear.

It's not really that important for the CIA. They're pretty pragmatic, mainly because they have a huge hammer for minor offenses. They also believe in their ability to compartmentalize information.

Most of the time, when you go through the lifestyle clearance rigamarole, they're looking for any leverage someone might be able to use to coerce you to act against the employer's interests. Obviously, anti-government sentiment would be a flag, but you can get clearance by being truthful about the dishonest/illegal/etc. things you have done in the past, despite having done those things. In fact, willingness to disclose is a big trust builder.

It's about managing risk, which is why it's easy for me to believe that Marines and members of the LDS community would be given special consideration.

And so it begins, the assault on Snowden, his character, his qualifications, etc.
Indeed... and this guy will be crucified, for basically doing the right thing.

Such is the projection of American military power that his credit card and bank account will already be locked down, on grounds that he is a 'terrorist', regardless of which country he flees to.

Sure, simultaneously with his canonization.

It's perfectly possible for Snowden to have done what he did and still have negative qualities - for example, by going public he's making the entire conversation about him instead of the programs he leaked.

He had no choice but to go public. His only shot at not being disappeared, killed, tortured, etc. was to go public.

By going public, he's also encouraging others to do the same. Even if it's just the smallest amount, it matters.

This is total fantasy. The government has and follows an established procedure for dealing with whistleblowers, including anonymous ones they manage to uncover - they'll conduct an investigation, file a complaint, arrest him, and then get an indictment.
I'm not sure that the author understands what a sysadmin is. Even a junior sysadmin could cripple most services based on their level of access.
More security-conscious setups use things like automatic password vaults requiring multiple admins to access. Sysadmin also doesn't mean de facto data access without forcing them to patch the software maliciously (you don't want your admins accidentally or intentionally accessing data covered under HIPAA!)

Which isn't to say you're incorrect when you say how much damage a junior sysadmin could do in most places. It is to say that there are options that make this kind of thing a lot harder, to limit the scope and damage rogue admins can cause, and to raise the bar in terms of knowledge required. One would hope the NSA would be employing some of them.
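A toy model of the "vault that needs several admins to open" idea from the comment above, added here as an illustration; it is not the commenter's code, nor any real vault product's, nor anything the NSA runs. It assumes a design in which the vault's master key is split with Shamir secret sharing so that one share goes to each admin, a quorum of k distinct admins must present shares before the key is reassembled, and every opening attempt (granted or refused) is written to an audit log.

```python
"""
Toy k-of-n admin quorum for a credential vault, using Shamir secret sharing.
Added example: not code from the commenter, the NSA, or any real vault product.
Assumed design: master key split into one share per admin; the vault opens only
when k distinct admins present shares; every attempt is audit-logged.
"""
import secrets

P = (1 << 521) - 1  # Mersenne prime M521: every arithmetic step is mod P


def _eval_poly(coeffs, x):
    """Horner's rule: coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... evaluated at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate_at_zero(points):
    """Lagrange interpolation through `points`, evaluated at x = 0 (the constant term)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_master_key(master_key: bytes, k: int, n: int):
    """Return {admin_id: (x, y)} shares for n admins; any k of them recover master_key."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    s = int.from_bytes(master_key, "big")
    if s >= P:
        raise ValueError("master key too large for the field")
    # Constant term is the secret; the k-1 random coefficients make any k-1 shares
    # statistically independent of it, so a lone admin learns nothing from theirs.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return {f"admin{x}": (x, _eval_poly(coeffs, x)) for x in range(1, n + 1)}


def open_vault(presented: dict, k: int, key_len: int, audit_log: list) -> bytes:
    """Reassemble the master key only if k distinct admins presented shares.

    `presented` maps admin_id -> share. On success the key is returned and the
    participating admin ids are logged; a quorum failure is logged as well, so a
    single admin probing the vault on their own still leaves a trace.
    """
    if len(presented) < k:
        audit_log.append(("DENIED", sorted(presented)))
        raise PermissionError(f"quorum not met: {len(presented)} of {k} admins present")
    points = list(presented.values())[:k]
    key = _interpolate_at_zero(points).to_bytes(key_len, "big")
    audit_log.append(("OPENED", sorted(presented)))
    return key


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # constructed sample master key
    shares = split_master_key(master, k=3, n=5)
    log = []
    quorum = {a: shares[a] for a in ("admin1", "admin3", "admin5")}
    assert open_vault(quorum, 3, 32, log) == master
    try:
        open_vault({"admin2": shares["admin2"]}, 3, 32, log)
    except PermissionError as err:
        print("single admin refused:", err)
    print(log)
```

The point the code makes is the one the comment makes: the property that no single admin can open the vault is enforced by arithmetic, not by policy, and the audit log captures who was in the room when it did open. A real deployment would also bind shares to authenticated sessions and rotate the master key after each reconstruction.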

One might hope the NSA audits their contractors' security, but I'm not sure I'd bet on it.

And somewhere along the way you have to accept that your most senior admins aren't always going to be the ones schlepping gear around, which means physical access.

I'm also not entirely convinced of the practicality of building a system where there isn't at least one person who can bypass everything, especially if they're prepared to go into exile as this guy was.

Given adequate resources, I'm sure it's possible, but there's gonna be a shitton of money and ridiculously careful planning involved. I expect the operational overhead to be similarly huge.

Has the destroying of his credibility already started? What's next? An uncovered rape case from his past?
Wrong question. A better question is:

If the Government trusted the NSA with our every phone call and email, why should we trust the Government?

Is it really harmful if the government gets your calls and email?
If you don't have anything to hide... oh, why was the government doing it secretly?
"Oh, hey Ahman, hold up real quick, the government just announced that they're tapping my phone. We'll talk again later".
I'm pretty sure if you were involved with terrorist groups, you became aware of this sort of thing well before it made the front page of the New York Times. The idea that keeping it out of the press prevents the targets from knowing is naive.
Just sayin', at the operational level it pretty much always has to be a secret, at least while the monitoring is going on.
No one is (or should be) saying that the operational aspects can't be kept secret. The problem with this system is not secrecy in operation, but the lack of warrants before the fact and the lack of accountability after the fact.

Imagine such a system in the hands of your least favorite politician and/or party. If you're OK with that, then by all means, carry on. Some of us aren't.

Well, there are warrants. Even the Verizon records thing was in response to a warrant. There's accountability as well, but we can't see it.

What I am concerned about is the transparency of the arrangement overall. But if NSA said "Hey Guys, we're monitoring Facebook and G+, don't use those if you don't want us to be able to intercept with a warrant!" then that would defeat the purpose of the system entirely. So it's a difficult issue.

I will say that I would feel better if I knew what legal & policy systems they were using to ensure accountability. But honestly, we know in general what needs to be done to ensure dangerous systems like these are used safely; I don't think that's actually the problem. We've kept nuclear weapons and bio-weapons safe, after all. But I would feel better if I knew that the NSA had those kinds of onerous formal controls on when systems like PRISM were used.

It depends. If you're an American citizen, you break several laws every day, as do the rest of us. Which laws "count," and who decides?

They don't want to be able to arrest everyone. They want to be able to arrest anyone. Data collection processes like Prism are an important tool.

Right now? Probably not.

However, you don't know and can't predict how the government will change in the future. Data collected today is data that can be abused tomorrow.

http://paulgraham.com/credentials.html

It seems unlikely Snowden was in a high-paid and important position without having demonstrated some kind of aptitude. I have the impression he was highly skilled.

He comes off as a fairly intelligent person in the interview.

The tech community should be the most understanding when it comes to overlooked people who kick ass on the job. Too many tech companies today are focusing on university names; this isn't the way it always was.

Is being nice to Edward Snowden considered aiding a terrorist? The NSA probably just fired off a warrant for the rest of my communications.

'If Slate trusts Farhad Manjoo with their Op/Ed writing and critical thinking, why should we trust Slate with their journalism?'

//insert crappy article

I mean, why should we give interviews at all? Obviously someone's resume and a class they didn't complete is all we need to know about them.

Not a big fan of the reasons we are supposedly not supposed to trust Snowden specifically, but the question remains a powerful one in the sense that if you can't ensure that the data and systems you're using for something this powerful can remain secure from the actions of any single person, then you have a huge problem.

I've worked at companies where the secrets behind our app signing key are held to a higher standard than being entrusted to the care of any single entity. Even ignoring how you feel about whether the PRISM system is good or bad, shouldn't we expect the NSA to have better security policies, given the huge scope of abuse these systems could allow?

I didn't get the impression that Snowden actually has access to PRISM itself. If all he's doing is IT support then it could be as simple as that he ran across the "management briefing" for it on the share drive without ever having access to the system itself. Certainly I would hope that NSA is not dumb enough to farm out credentialing for a system like PRISM to one of their contractors, but who knows?
> He was accorded the NSA’s top security clearance, which allowed him to see and to download the agency’s most sensitive documents.

Document control works on two dimensions: clearance level and need to know. You need to both have the requisite clearance level and a need to know to be approved for access to a given document. Having a top clearance doesn't mean you get to freely look at whatever you want, although the press and general public seem to think it does.
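The two-dimension check described in the comment above, as an added example (not the NSA's actual access-control system and not code from anyone on this thread): a reader's clearance level must dominate the document's level, and the reader must also hold every need-to-know compartment the document is marked with. The level names are the standard US hierarchy; compartment names such as "ALPHA" and the document titles are constructed. The naive level-only check is included alongside to show exactly which documents the popular misconception would wrongly unlock.

```python
"""
Document access on two dimensions: clearance level AND need-to-know.
Added example illustrating the comment above; not the NSA's real system or
anyone's production code. Compartment names and titles are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Hierarchical dimension: a reader's level must be at least the document's.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str]  # need-to-know dimension: compartments the item carries


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label  # level held, plus compartments the subject is read into


@dataclass(frozen=True)
class Document:
    title: str
    label: Label


def naive_can_read(subject: Subject, doc: Document) -> bool:
    """The misconception the comment objects to: top clearance alone unlocks everything."""
    return LEVELS[subject.clearance.level] >= LEVELS[doc.label.level]


def can_read(subject: Subject, doc: Document) -> Tuple[bool, str]:
    """Allow only when BOTH the level test and every compartment test pass."""
    if LEVELS[subject.clearance.level] < LEVELS[doc.label.level]:
        return False, f"clearance {subject.clearance.level} is below {doc.label.level}"
    missing = doc.label.compartments - subject.clearance.compartments
    if missing:
        return False, f"no need-to-know for {sorted(missing)}"
    return True, "ok"


def review_access(subject: Subject, docs) -> Dict[str, str]:
    """Evaluate a batch of documents for one subject; title -> decision, as an audit report."""
    report = {}
    for d in docs:
        ok, why = can_read(subject, d)
        report[d.title] = "ALLOW" if ok else f"DENY: {why}"
    return report


if __name__ == "__main__":
    # Constructed sample data: a TOP SECRET analyst read into only the ALPHA compartment.
    analyst = Subject("analyst", Label("TOP SECRET", frozenset({"ALPHA"})))
    docs = [
        Document("alpha-summary", Label("SECRET", frozenset({"ALPHA"}))),
        Document("bravo-briefing", Label("TOP SECRET", frozenset({"BRAVO"}))),
        Document("policy-memo", Label("TOP SECRET", frozenset())),
    ]
    for title, decision in review_access(analyst, docs).items():
        naive = "ALLOW" if naive_can_read(analyst, next(d for d in docs if d.title == title)) else "DENY"
        print(f"{title:15} two-dimension={decision:40} level-only={naive}")
```

Running it shows the gap between the two models: the level-only check admits the analyst to "bravo-briefing", while the two-dimension check refuses it for lack of the BRAVO compartment even though the analyst's level is the highest there is.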

EXACTLY.

Not just this guy, but a contracting firm (BAH) in general? How did they get that bid?

Is this a joke? Much of the Top Secret work performed for the government is done by private companies under contract with full clearances.

i.e. http://en.wikipedia.org/wiki/Skunk_Works

It's like capitalism gone mad, isn't it?

I believe the UK is heading in this direction as well. Thatcher started it, but it's really gone up a few notches since then.

It's a sorry state of affairs when the schools, the fire service, the police, the prisons, the hospitals, the soldiers of war, and even the spies are all controlled by for-profit corporations.

There's a reason that over 900,000 security clearances are processed every year. The "defense" contracting industry is booming.

FYI, CISPA is specifically for an NSA program intended to expand collection and give immunity to everyone. The lobbying for it, as well as the politicians who proposed it, are heavily funded by these defense contractors.

Follow the Money.

This is a big part of the problem: the massive .mil budgets go to commercial contractors, who in turn support party candidates by donation. It's an incestuous positive feedback loop.

See Lessig's video talk on "Lesterland".

Employees of BAH and other companies like them run the day-to-day operations of a very significant portion of the government and have for quite some time.
Agreed. Why isn't anyone talking about the contractor?
Having access to a PowerPoint about a system ("metadata") is not exactly the same as having access to the data itself.
Listen to the interview with him, he says he had access to the data.
But...but they're helping us secure our home networks!

"The Information Assurance Directorate (IAD) at NSA recently released a new technical guide entitled Best Practices for Securing a Home Network." - http://www.nsa.gov/ia/index.shtml

OK... I will bite. TOR power initiate... 7 proxies now!
OK... I am back from that link. The verbiage was worse than sitting next to an insurance salesman before a flight.
Yeah, sorry about that. In retrospect I shouldn't have included a brain-deadening link.
The very fact that Edward has the integrity to risk his life in the name of public interest means that he's exactly the kind of person the NSA should be trusting with our data. It's probably his combination of integrity and competence that let him get the access he did in the first place.
In my university, we had a computer security program where computer scientists were heavily recruited to work for the DoD for a few years in exchange for a scholarship. One of the students I knew who ended up at the NSA was a standout, but the many others I knew were of average intellect and in many cases were below-average computer scientists. This is not the level of people you want involved in mass surveillance programs.

What matters most to the NSA is your ability to pass a polygraph - not your engineering skills.

It seems like hiring someone who isn't a tech genius (assuming Snowden isn't one, but it doesn't matter) is exactly what the NSA should want: the less technically advanced their employees, the less likely they are to be aware of the wrongness of what they are doing, especially if they are given simple tools that do all the work for them and mask the technical guts behind a point-and-click interface that "anyone" can operate.
Please. This is not about whether we can trust them because someone leaked; any civic-minded person would have done what he did if they had big enough balls. Are we trying to say that out of the thousands of employees the NSA has, no one else but this one guy felt there was something wrong with this program?
Obviously slate.com's journalist doesn't understand how most of Silicon Valley works with recruiting these days and those "top companies" contributing to PRISM's dataset.
If we trusted Verizon with our data, why should we trust ourselves?
Great article; security awareness is terribly bad.