Minor convictions for ex-CIA coder in hacking tools case
A former CIA software engineer accused of stealing a massive trove of the agency's hacking tools and handing it over to WikiLeaks was convicted of only minor charges Monday, after a jury deadlocked on the more serious espionage counts against him.
Joshua Schulte, who worked as a coder at the agency's headquarters in Langley, Virginia, was convicted by a jury of contempt of court and making false statements after a four-week trial in Manhattan federal court that offered an unusual window into the CIA's digital sleuthing and the team that designs computer code to spy on foreign adversaries.
After deliberating since last week, the jury was unable to reach a verdict on the more significant charges. They had notified U.S. District Judge Paul A. Crotty on Friday that they had reached consensus on two counts, but were unable to reach a verdict on eight others.
Previously: Suspect Identified in C.I.A. Leak was Charged, but Not for the Breach
(Score: 2, Interesting) by Anonymous Coward on Wednesday March 11 2020, @01:30AM (1 child)
According to ZeroHedge:
"Trial witnesses guided jurors through a complicated maze of forensic analysis that, according to prosecutors, showed Mr. Schulte’s work machine accessing an old backup file one evening in April 2016.
"He did so, prosecutors said, by reinstating his administrator-level access that the C.I.A. had removed after his workplace disputes."
(Source: https://www.zerohedge.com/technology/trial-alleged-vault-7-cia-leaker-ends-hung-jury)
My question: What was this "administrator-level access" that the Central Intelligence Agency (CIA) removed after Mr Schulte developed a conscience?
I've been installing, debugging, upgrading and managing single sign-on (SSO) and identity access management (IAM) infrastructures for three decades. Yellow Pages (YP), Network Information System (NIS), OpenLDAP, PowerBroker (PB), Vintela Authentication Services (VAS), Active Directory (AD), Kerberos, and one company - Oracle - that pushed /etc/passwd files out, manually, every 24 hours (tip of the hat to Don Beusee, probably the one who designed it, because he nursed it, 24x7), as well as a few outliers that I might remember with some cudgeling.
The central concept behind such systems is to render such authorization impossible. And so I infer that the organization does not use a central authentication system - although I infer that Kerberos, recompiled to disable expiration of tokens, might provide such a vulnerability.
My best guess is that some manager deleted the corresponding client-side key for the server in question from the ~schultej/.ssh/ directory - even if they don't use any central authentication mechanism on the workstations, they must still use central storage, i.e., the Network File System (NFS) - not realizing that Schulte kept backups.
Separately, it is entirely possible that they DO use a central authentication mechanism, that IS tightly integrated into their Programmable Authentication Module (PAM) stack, such as Vintela - but that each user has root privileges on their own workstation, and, as a rite of passage, immediately bypasses the standard issue security mechanisms by creating a local login and root-equivalent login. Perhaps they are even allowed, even encouraged, to install the operating system themselves, from a list of approved choices, with the security mechanisms baked in.
It's not like this problem wasn't solved back in, like, 1986. I, personally, designed and deployed such a system at Network Equipment Technologies (NET), that detected, and, optionally (in the case of TAC workstations), countered, local changes to administrative files such as /etc/passwd.
Like Tripwire, but with the ability to put things back, the way they were. I concealed it in the /... directory - you read that right, quit rubbing your eyes.
Which reminds me of a story, which is not entirely irrelevant.
My system was so good that a local contractor, named Bjorn Satdeva, tried to present the scripts to the first LISA Conference, in Monterey, California, as his own work.
Man, you shoulda seen the look on his face when he recognized me, sitting in the crowd, looking at him, presenting my work.
I was working, at the time, at AMPEX R&D. Bjorn Satdeva was the contractor they'd located to fill in for me, at NET, after they fired my manager, at NET, and I had resigned.
I hear they had to hire five people to replace me. Just sayin'.
Bjorn made no attempts to contact me after I left NET; and AMPEX was just across the freeway, there, in Redwood City - only half a mile away.
More evidence of chicanery can be inferred from the history of Bjorn Satdeva's employment, possibly unpaid, as some sort of honcho for USENIX. He'd been elected based upon the strength of scripts that, it gradually became known, he was not the author of.
And, I think Bjorn did the same thing, a second time, presenting someone else's work and taking credit for work he had not done - although this time he positioned himself as a coauthor instead of taking it outright.
Things came to a head when the USENIX offices in Berkeley were burglarized and all the copies of the USENIX Journal that contained the scripts in question disappeared. About the same time, Bjorn was, if I recall correctly, removed from office, at USENIX. Or maybe he quit. Anyway, their relationship ended.
USENIX never contacted me. But I'm pretty sure they knew who I was. I think they could not bring themselves to stand behind someone who had dropped out of high school and didn't have a college degree. Fuck you, USENIX.
I've often wondered what ever happened to Bjorn Satdeva.
I suspect he is probably a systems administrator for the Central Intelligence Agency (CIA). There seems to be a good match there. They seem to like script kiddies.
Me? Nowadays, I'm unemployed, because everyone knows that people over 40 can't program, and have nothing to teach.
~childo
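The detect-and-restore scheme the commenter describes (a Tripwire-like check on administrative files such as /etc/passwd that can also put the original back), together with the "local root-equivalent login" worry from the earlier paragraph, as an added example that is not part of the original post and is not the commenter's 1986 scripts. Everything here is constructed for the demo: the file is a sample passwd written to a temporary directory, the baseline directory name "..." is a nod to the post, and the `backdoor` account is the constructed rogue entry.

```python
"""Added example (not the commenter's scripts): a minimal Tripwire-style
checker that baselines administrative files, reports drift, optionally
restores the original, and flags extra UID-0 accounts in a passwd file.
All paths and the sample passwd content are constructed for the demo."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(files, baseline_dir):
    """Record a hash and a pristine, content-addressed copy of each watched
    file. The copy is what makes restoration possible later."""
    baseline_dir = Path(baseline_dir)
    baseline_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for f in files:
        f = Path(f)
        digest = sha256_of(f)
        shutil.copy2(f, baseline_dir / digest)
        manifest[str(f)] = digest
    (baseline_dir / "manifest.txt").write_text(
        "".join(f"{d}  {p}\n" for p, d in manifest.items()))
    return manifest


def load_manifest(baseline_dir):
    """Read the manifest back as {path: expected_sha256}."""
    manifest = {}
    text = (Path(baseline_dir) / "manifest.txt").read_text()
    for line in text.splitlines():
        digest, path = line.split("  ", 1)
        manifest[path] = digest
    return manifest


def rogue_root_accounts(passwd_text):
    """Names of UID-0 accounts other than root, i.e. the 'root-equivalent
    local login' described above. Malformed lines are ignored."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        if fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue


def check(baseline_dir, restore=False):
    """Compare each watched file with its baseline. Returns the drifted
    paths, any rogue UID-0 names found in a drifted passwd file, and the
    paths put back when restore=True."""
    baseline_dir = Path(baseline_dir)
    findings = {"drifted": [], "rogue_root": {}, "restored": []}
    for path, expected in load_manifest(baseline_dir).items():
        p = Path(path)
        current = sha256_of(p) if p.exists() else None
        if current == expected:
            continue
        findings["drifted"].append(path)
        if p.exists() and p.name == "passwd":
            rogue = rogue_root_accounts(p.read_text())
            if rogue:
                findings["rogue_root"][path] = rogue
        if restore:
            shutil.copy2(baseline_dir / expected, p)
            findings["restored"].append(path)
    return findings


def demo():
    """Constructed scenario in a temp dir: baseline a sample passwd file,
    append a UID-0 backdoor account, detect it, restore, verify it is gone."""
    root = Path(tempfile.mkdtemp())
    passwd = root / "passwd"
    passwd.write_text("root:x:0:0:root:/root:/bin/sh\n"
                      "schultej:x:1001:1001::/home/schultej:/bin/sh\n")
    baseline = root / "..."   # hidden-in-plain-sight name, as in the post
    take_baseline([passwd], baseline)
    clean = check(baseline)
    passwd.write_text(passwd.read_text() + "backdoor:x:0:0::/root:/bin/sh\n")
    detected = check(baseline)
    restored = check(baseline, restore=True)
    after = check(baseline)
    names = [l.split(":")[0] for l in passwd.read_text().splitlines()]
    return {"clean": clean, "detected": detected, "restored": restored,
            "after": after, "names": names}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the baseline copies and manifest would live somewhere the workstation's local root cannot write (central storage, or a host that pulls the files rather than trusting the client), since a local admin who can edit /etc/passwd can equally edit a baseline kept on the same disk; the demo keeps everything in one temp directory only to stay self-contained.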
(Score: 1) by anubi on Wednesday March 11 2020, @01:49AM
You know too much. You have to start your own company. Nobody wants someone working for them who is better than they are. Who is qualified to be your boss? Getting the job done is not what they are looking for. They want an obedient subordinate, hopefully saddled under lots of family obligations and debt.
Companies rapidly grow into leadership entities. Everyone at the top gets paid like a gentleman. At that level, getting paid is top concern. Whether the thing they make met the customer's need is a minor concern to be settled among the minions.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]