from the do-as-I-say dept.
Second-rate opsec remained pervasive at the United States' National Security Agency, according to an August 2016 review now released under Freedom of Information laws.
It's almost surprising that the agency was able to cuff Reality Winner, let alone prevent a wholesale Snowden-style leak. The Department of Defense Inspector General report, first obtained by the New York Times, finds everything from unsecured servers to a lack of two-factor authentication.
The formerly-classified review (PDF) was instigated after Snowden exfiltrated his million-and-a-half files from August 2012 to May 2013.
"NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the data centers and machine rooms" under its "Secure-the-net" initiative, the report says.
Data centre access is supposed to be governed by two-person access controls, the report notes, and the rollout of 2FA to "all high-risk users" was incomplete at the time of writing.
The agency had too many users with admin privileges, the report continues, they're insufficiently monitored, and the NSA had not cut the number of agents authorised to carry out data transfers.
Giving the NSA more funding could probably fix it.
A former National Security Agency employee who worked at Tailored Access Operations has pleaded guilty to willful retention of national defense information, the same charge Harold T. Martin III faces:
A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.
Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence. Prosecutors agreed not to seek more than eight years, however, and Mr. Pho's attorney, Robert C. Bonsib, will be free to ask for a more lenient sentence. He remains free while awaiting sentencing on April 6.
Mr. Pho had been charged in secret, though some news reports had given a limited description of the case. Officials unsealed the charges on Friday, resolving the long-running mystery of the defendant's identity.
Mr. Pho, who worked as a software developer for the N.S.A., was born in Vietnam but is a naturalized United States citizen. Prosecutors withheld from the public many details of his government work and of the criminal case against him, which is linked to a continuing investigation of Russian hacking.
Related: "The Shadow Brokers" Claim to Have Hacked NSA
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools
NSA Had NFI About Opsec: 2016 Audit Found Laughably Bad Security
Reality Winner NSA Leak Details Revealed by Court Transcript