In USSR, The NSA Listens To You. In USA, You Listen To The NSA

Joe Doakes from Como Park emails:

Just completed my mandatory annual data security training.  From the module on passwords:

 A password will not include anything that is meaningful to the user, such as a name (either real or fictional), a date (such as family birthdays and anniversaries), telephone numbers, postal codes, car registration numbers and so on.  But DO NOT write down your password or use the “remember password” feature in any Web browser.

 So . . . a password can’t mean anything to me, but I must remember it for 30 days until I change it to a new meaningless phrase that I also can remember, but which does not repeat any password I’ve used in the past.

 Holy crypto, Batman.  Did I get transferred to the NSA without realizing it?

 Joe Doakes

Who knows a government operation better than a government IT department?

It’s a rhetorical question.

25 thoughts on “In USSR, The NSA Listens To You. In USA, You Listen To The NSA”

  1. Yea, I have been with several IT services and hardware companies, including one that specialized in IT security. We were forced to change our passwords every 45 days or we would be locked out of our accounts. I can’t tell you how many times I was walking through the office and saw Post It notes containing user names and passwords stuck on monitors.

  2. “saw Post It notes containing user names and passwords stuck on monitors.”
    When the IT guys caught on to that and banned post-it notes, the post-it notes migrated to the back side of keyboards or the inside back cover of the employee manual – they never go away.

    In truth the password protocols are largely Security Theater that fails at night when no one but the janitorial staff cleaning offices are around.

  3. kel:
    Right on point with that. Some clever souls in one of my offices even stuck them to the bottom of their phones, where no one would ever think to look. 😀

  4. I’m old enough to remember when IT’s best and brightest had the whole world on the edge of their seats on December 31, 1999. Then again, those people made a frickin’ fortune off that caper.

  5. Password Theater, to paraphrase kel, is a very good description. It did not take long, once the right people were on the job, to crack “super duper secure we will never help you get into it so suck it iphone 6”. Imagine how “secure” other systems are to a determined hacker. Plenty of white papers were written on the subject and most came to the conclusion that the harder the password protocol is, the easier it is to steal it via non-electronic means. But then it is more about perception you can defend in court than logic and well, security.

  6. JPA, I invoke Weinberg’s Law on the general security of a computer system: If builders built buildings the way computer programmers write programs, the first woodpecker that came along would have destroyed all civilization. (And yes, I’ve done programming and worked with programmers for years, and this Law is the optimistic view.)

    As for passwords, it’s not as if even the BOFH forgets his follow-the-insane-rules password, either.

  7. The sad part is not that the Russians hacked the DNC server to learn Hillary’s secret strategy, that’s just ordinary spy tradecraft, same as tapping her private emails.

    The sad part is the Russians could have hacked the Republican National Committee server but didn’t bother because . . . the GOP has no secret strategy.

  8. JD,

    And it wasn’t the GOP that had their own secret server(s) exposed, and they didn’t lie about them. These stupid DemocRATs are living in a fantasy world, because they never learn. Every country on earth knows exactly how they will respond in a given situation. Just one of the more obvious ones was Bin Laden’s 9/11 attacks. He saw Slick Willy’s reaction to the attack on the USS Cole, which was threatening to file lawsuits against Al Qaeda, and didn’t count on Bush’s response.

  9. From the article Emery links to:
    “This was big. Democratic political operatives suspected that not one but two teams of Putin’s spies were trying to help Trump and harm Clinton.”
    This is both the point of the article and is pure speculation.
    Also, motherboard.vice.com is a democrat anti-Trump website.

  10. Regarding the DNC hack, notice that all of their evidence is from their own contractors, not the FBI. OK, given the theft of this much data, why isn’t the FBI involved? It’s not as if James Comey’s boss would be unsympathetic, after all.

    And again, let’s remember: it was the DNC that left themselves open to this, not the GOP. And again, let’s remember: security on Hilliary’s private server was nowhere near this good. With up to 35000 confidential emails (including the 33000 “yoga emails” she deleted and 2000 known emails with confidential information), the Russians know an awful lot about our intelligence services now. It is a question of when, not if, they will use it.

  11. Emery, you really ask about a site with headlined articles like:

    Who Said It: Trump or a Bot?

    Is Donald Trump So Popular Because of How He Talks? A Linguistics Explainer (which started with the sentence: “Donald Trump’s fourth grade level of speech could be manipulating your unconscious.”)

    How r/the_donald Became a Melting Pot of Frustration and Hate

    ‘Tramps Against Trump’ Will Trade You Nudes for Voting This Election

    Trump’s Energy Adviser Is Dangerously Anti-Environment

    If You Care About the Earth, Vote for the Least Religious Presidential Candidate

    Shoot Dildos at Donald Trump’s Face in ‘Drumpulous’

    Shall I go on about why “democrat anti-Trump website” or do you need more examples? There are plenty more.

    (BTW, one of my favorite tech websites, arstechnica.com, falls in the same in-the-tank-for-any-Democrat category, so motherboard.vice.com is not alone in this category.)

  12. Nerd, please cease and desist on making eTASS pull his head further up his arse as he searches for the NRA quote he quoted.

  13. Bertie, Have you read the article and the associated links? What are your impressions on the forensic work done? Do you believe it was done in a manner to reach a predetermined conclusion?

  14. First, Emery, the whole “Russians stole my lunch!” discussion is silly. The Demonrats aren’t disputing the accuracy of the documents, so changing the discussion to the motives of a leaker is silly, when we should be discussing the behavior that was exposed. Transparency is a good thing, and it’s a good thing that Democrats don’t support (just ask Obama about how his FOIA attitudes have changed now that he’s in power).

    I say nothing about the probability of it being a Russian hack. In fact, I’d bet money on it, although I would NOT bet money on it being a government hack. There are a fair number of patriotic hacking groups out there that are aligned with but not necessarily controlled by the government.

    Much of the problem with tracking this to the Russian government is confirmation bias, frankly. “We found APT28 that we think is GRU” is based on the assumption that APTs are only possible by the government, which is bullsh*t. There were Russian hacking circles not controlled by the government even 20 years ago when I was dealing with hacking that were at the level that CrowdStrike seems to believe was there. And that was in the era before an APT made real money.

    What I said is that Motherboard is a Democratic Party oriented website. Their articles certainly don’t have a huge level of balance in party loyalty (not surprising given that they’re Canucks with a fair number of SV writers). Now, if you want to dispute that, I’d love to see your evidence.

  15. Just curious what your IT experience told you. I would defer to your expertise in that field. Otherwise I don’t have an opinion one way or the other about the info contained in the DNC emails. I am sure the corruption and influence peddling are as bad or worse on the Republican side.

    I would love to see a similar dump of RNC emails. I imagine half of them would be panicked hand-wringing about how they can’t stop Trump. After all, it’s not as if the RNC didn’t spend the last 18 months attempting to do (basically) the same thing to Trump as the DNC did to Sanders.

  16. Nerdbert,
    my, admittedly limited, experience with TOR suggests that the actual source of the activity could be anyone, anywhere (Norks, Venezuela, China, etc.), and that the traceable identifiers would only lead you back to the portal where they surfaced the information, not to the actual provider/hacker. Correct me if I’m wrong, but that would certainly give a hacker the ability to mount a false flag operation, particularly if the exit portal was a compromised server in the Russian equivalent of the DMV.

  17. Emery, the point of such a dump is to demonstrate something people didn’t know already. Plus, you might not see it for a very simple reason; the GOP might, unlike the Democrats, take network security seriously.

  18. /the GOP might, unlike the Democrats, take network security seriously./ And you know this how?

  19. kel, TOR is something I never had to deal with, thankfully. The method when I was dealing with hacking usually involved routing through Free-net nodes or their equivalent, or a subset of easily hackable IRC nodes, or (usually) the MIT public computer labs, which were notoriously insecure. They’d usually route through 2-3 of those nodes and you’d have to be online and actually monitoring the network to trace them. I only got involved a few times when someone was trying to route through our universities’ machines on their way to other machines. While I suspect that there was something more nefarious going on, my dealings were with CERT and some of their investigators. It’s the one time I actually turned on connection records for any length of time on my machines, and I think they spotted the change in policy quickly enough and wound up leaving for easier pickings. I won’t claim it was my wonderful security that drove them off by any means. (Heck, I survived the Morris worm simply because I was reusing an ancient, weird AT&T unix box as my email gateway and not a fancy new Sun, because I was cheap and my time to compile and run software was cheaper and easier than trying to deal with getting another box. Sometimes being lucky is better than being good.)

    As for TOR, my understanding is that it’s not as secure as most folks would really believe. If you look at the TOR routing diagrams you can see that Europe is a total basket case because there’s essentially one master node that can monitor most traffic, while the US is little better. And if you corrupt the master node and a few of the other major nodes on the network you can monitor the traffic fairly well (e.g. the Playpen takedown, and they didn’t even go after the big nodes in that case). And if you don’t think the French p0wn the master node in Paris, I have a tin-foil hat you need to try on. My bet is that the NSA has the ability to monitor 90+% of TOR traffic at a minimum, since I can just about promise you that if they don’t control the machine, they’ll monitor the lines going into the node. Which means that they know who did the hack if they came through TOR. Given that APT28 and APT29 are fairly well known in the commercial sphere, I’d suspect that the NSA has a pretty tight watch on them.

    As for the GOP, remember that they failed to stop Trump, but they did so by attempting to reason with the voters and work within their rules. The key point is that Debbie Downer and the DNC actively and fairly openly tried to scuttle the Sanders campaign, despite a fiduciary obligation not to do so. It’s not like the GOP tried to schedule debates at times when nobody was watching, and to schedule as few of them as possible to protect their Queen. Trump really ran an insurgent campaign that depended on the RNC in almost no way other than to set up debates, while Bernie was dependent on the DNC for mailing lists, etc. And as for network security, I doubt the RNC is better than the DNC, and probably worse. The DNC gets massive Google & MS support, so they probably have better security and it probably lulled them into complacency.

  20. EI: the silence coming out of Russia regarding the GOP means either they didn’t get in, or they didn’t find anything they wanted to use. And if being liberal means you have to act as if Hilliary’s unsecured server doesn’t matter, you’re going to take that same assumption to work with you at the Democratic Party.

    Not a slam dunk, but if that attitude did indeed bite them on the arse, all the sweeter.

  21. About the email: with rare exceptions, most corporate/non-profit email servers are only as secure as the dumbest user. While there’s a lot you can do to secure them, the problem lies with the users, who REALLY don’t want the inconvenience security requires. How many DNC users wouldn’t click on a link titled “picture Trump and orangutan separated at birth!”
