Finally, the Senate Report on the 'hacking' of Judiciary files by Republicans has been announced. The technically illiterate, such as the Washington Post, or those willing to jump to conclusions like Calpundit are amazed at what they seem to describe as dramatic new revelations. Of course, if you've been reading here over the past few weeks, you know the score.
Except there is a dramatic revelation: the stupidity of Senator Leahy's flunky is even worse than I might ever have guessed. Now, knowing how careful I am to avoid unnecessary offense, some of you might be surprised at the strong words. I use them only because I'm furious.
This entire scandal is only happening because some untrained newbie was assigned to the Committee, and made the most basic mistake: he didn't secure the home drives of new committee members. That Senator Leahy can show his head in public is amazing: this is a staffing error of the most magnificent incompetence. Whatever should happen to the Republicans involved, some Democratic heads should roll on this one, starting with a Chief of Staff. [1]
The details are in the cut below. I probably don't have time to do this kind of analysis, but I think it's important that someone who's been there speaks out on this one.
What the Report Said Happened
The report gives a very clear idea of what happened. Calpundit has leaped to a number of bizarre conclusions, such as that, "whatever method Lundell used couldn't have been all that obvious if he had to watch a computer tech in order to figure it out." But this is ridiculous. I wouldn't stumble on this flaw, not because I don't know how to do it, but because on any system on which I've been involved, no mistake this dumb has ever been made.
Let's give a step-by-step, idiot's guide to how the files were 'hacked,' that you can play along with at home if you're on a network and running Windows XP. (If you're a CLS student on Columbia's NetWare network, this may indeed work a treat. Your mileage may vary, though--if you're not on a client-server network, you're running a different operating system, or your system administrator didn't get his training from a CrackerJack box and he's limited your access, none of this may work.)
1. Double click on My Network Neighborhood on your desktop.
2. Click on the 'View Workgroup Computers' link on the left. (Your mileage may vary from here.)
3. You should now see a selection that allows you to do all sorts of things. I'm on a competently-run network right now, so my access is limited, but you should be able to see a network directory, your connections to other computers, and a certain number of share directories. You can map these to network drives, if you'd like. This is perfectly acceptable, 'good practice,' and something a 'power user' ought to be permitted to do.
4. Now, if you're on a corporate network, you might run across a directory somewhere that says USER, or something like that. After hitting these folders, you should start getting all sorts of interesting errors. "You do not have access to this folder," for instance. You might even see what looks like folders assigned to specific users, but not be able to enter them. Unless you're on a server run by Senator Leahy, in which case, go to town.
(This process, incidentally, is almost certainly what the user saw over the SysAdmin's shoulder. It's not basic computer use, but it doesn't take rocket science, either. Many of my users knew how to do this back in the Senate, mostly because they didn't know how to use their network drives. The only reason I'd not have stumbled across this is that it's too damn easy: unless you were conducting a security audit, no one who knows about this would even bother to try it. Unless your SysAdmin's a monkey.
My guess is that what happened was this: The SA comes over to fix Mr. User's computer. The User watches with interest, because, well, he's got not much better to do. The user understands how Network Neighborhood works. At some point, SA wants to get some files off his machine, or some other directory, and although he's still logged on as Mr. User, he clicks directly into his home directory. "Hmmm?" says Mr. User, who figures something's not right. "That shouldn't happen. If I can get into the SysAdmin's folder, who else has vulnerable folders?" It's not that the process is complex, as Calpundit implies: you'd just assume that no hole that blatant was there until you saw someone do it.)
A Brief Digression on Incompetence
The SAA report linked to above is 'redacted,' which means that every actor is mentioned as 'Mr. ________.' Trying to figure an accurate chronology from a document in which all the actors are the same is difficult, but piecing it together, the salient bit is this:
Our investigation revealed that some user home directories were set to "open" permissions and other home directories were set to "strict" permission. This appears to be a result of the Judiciary Committee Network having two System Administrators during the time frame in question. One System Administrator had very strict account policies in place and the other did not. An analysis of the creation date and permissions of various user accounts was performed and supports this. (Attached at "M" is a chart H: Drive Permissions Analysis Including Start/Creation Dates).
Users accounts created prior to August 2001 were generally created with "strict" permissions; those established after that date were "open." Of the 126 users whose folders were available for forensic analysis, there were only nine exceptions to this general pattern. Four of these exceptions were Nominations Unit staff whose files Mr. _____ admitted protecting.
This is a bit misleading. One system administrator didn't have an 'open' policy. The report strongly suggests he simply didn't know what he was doing. I've worked on more networks than most people my age, and I've never met one with unsecured user home drives. Securing a user's home directory is one of the basics of Senate systems training, and anyone who's been to the course will have nicely printed step-by-step instructions. Of course, Senator Leahy didn't require this:
Like some other Senate offices, the Judiciary Committee has historically been staffed with Systems Administrators who preferred to perform most computer-related tasks themselves. This has been true even if they had only minimal technical experience before becoming the Committee's System Administrator. There is no minimum level of proficiency required to obtain a System Administrator position, and there was a considerable variance in the proficiency levels of the Committee's different system administrators. Notably, the records of the Senate Joint Office of Education and Training reflect that Mr. _____ only attended two technical training classes during his tenure, neither relating to the NT Administration.
The SAA is correct in this respect, but fails to mention exactly how ridiculous this is. Most staffs have highly technically-competent SysAdmins, or at least they did in my day. I don't recall meeting anyone who would have thought this was a reasonable security setup.
These are home directories that were unsecured. And Leahy obviously didn't require whoever he hired to attend even a simple five-day course.
I'm being scathing of Senator Leahy particularly because there's no excuse for this, and it's symptomatic of a problem I experienced while I was at the Senate. Despite the Sergeant At Arms providing amazing training courses, the time which Senators will give their (often underpaid) staffers to attend them is often miserly. In this case, it cost the Senator dearly, because this is the kind of security problem that should never happen. Words do not exist to express my disdain for a man who puts an almost completely untrained college graduate in charge of a server on a highly partisan network.
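The analysis the SAA report describes, classing each home directory as "open" or "strict" and comparing that against account creation dates, is an audit any administrator can run routinely. The sketch below is an added example, not code from the report or from this post; the ACL export, the account names, the `JUD` domain and the rule that only the owner and administrative principals belong on a home directory are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample: one row per ACL entry on each home directory, in a flat
# form such as an administrator might export. All names and dates are invented.
ACL_EXPORT = r"""folder,created,principal,rights
H:\asmith,2000-03-14,JUD\asmith,F
H:\asmith,2000-03-14,BUILTIN\Administrators,F
H:\bjones,2001-02-02,JUD\bjones,F
H:\bjones,2001-02-02,Everyone,R
H:\cdoe,2001-11-20,JUD\cdoe,F
H:\cdoe,2001-11-20,JUD\Domain Users,M
H:\dlee,2002-06-05,JUD\dlee,F
H:\evans,2002-09-30,JUD\evans,F
H:\evans,2002-09-30,NT AUTHORITY\Authenticated Users,RX
"""

CUTOFF = date(2001, 8, 1)               # the report's dividing line, August 2001
TRUSTED = {"administrators", "system"}  # assumed to be expected on every folder


def account(name):
    """Return the lower-cased last component of DOMAIN\\account or a folder path."""
    return name.rsplit("\\", 1)[-1].lower()


def audit(export=ACL_EXPORT, cutoff=CUTOFF):
    """Classify each home directory as 'open' or 'strict' and flag exceptions.
    Assumption: the folder is named after its owner's account."""
    folders = {}
    for row in csv.DictReader(io.StringIO(export)):
        created = date.fromisoformat(row["created"])
        info = folders.setdefault(row["folder"], {"created": created, "extra": []})
        who = account(row["principal"])
        if who != account(row["folder"]) and who not in TRUSTED:
            info["extra"].append((row["principal"], row["rights"]))
    for info in folders.values():
        info["status"] = "open" if info["extra"] else "strict"
        # Pattern reported by the SAA: strict before the cutoff, open after it.
        expected = "strict" if info["created"] < cutoff else "open"
        info["exception"] = info["status"] != expected
    return folders


if __name__ == "__main__":
    for folder, info in sorted(audit().items()):
        print(folder, info["created"], info["status"], info["exception"], info["extra"])
```

Every folder reported as "open" lists the extra principals and rights that make it so, which is the list an administrator would work through to lock the directories down.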
Why Does This Matter
OK, so Leahy doesn't train his people, and the staffer involved was barely competent. Why does this excuse the Republican staffers involved? The answer lies in the way that computer security operates.
Throughout this scandal, there's been a lot of debate, both here and elsewhere, about the appropriate metaphor which can be used to relate this to the technologically inexperienced. Simply put, I've abandoned this approach, because I'm not sure such a metaphor exists. Is it 'keys left on the table' or 'wallet lying in the Capitol rotunda?' Such questions are futile. A computer system is metaphorically similar to 'space' in a way, but because a server is configured, it's also similar to a 'servant.' We can dance around the issue like this all day long, but the only thing it will prove is that no comparative given by a Sysadmin to a non-administrator will be absolutely relevant.
The basic idea of a client-server network is that the user, through a client computer, makes requests of the server. The server, which is administered by a systems administrator, then checks whether the user has been authorized. If she has, the computer serves up the information, be it a listing of directory contents, a file, or a piece of system data. When you log on, you identify yourself, and the network should then be able to tell what you have access to see, and what you don't.
This means that the SA's role is key. He's the agent to whom the owner or operator of the network (in this case, Leahy) gives the responsibility of assigning permission. He's the man who grants access, and if access is improperly granted, it's on his head, not the user's.
There's good reason for giving him the responsibility: an SA's responsibility should be the protection of his users. He's supposed to be more skillful, more competent, and more aware of his network than anyone wandering about it, so that his users don't have to worry about unauthorized access. Indeed, by definition no access of a user who is properly authenticated can be unauthorized: whatever authorization he has derives from the permissions assigned to him by the SA. Only if he 'hacks' the system, i.e. exceeds the permission given to him by the SA can his access be unauthorized. Simply put, Miranda didn't steal any files because Senator Leahy gave them to him.
Why make this distinction? It protects users who aren't skillful against trouble. The last time I posted about this, I gave a concrete example, which I'll repeat here:
Click this link.
Congratulations. You're now seeing a directory listing Three Years of Hell's images, which I've left completely unsecured. You can take a peek in any of the directories to see some of my artwork, the pictures I occasionally post here, and whatever else. However, you could always have seen that directory without me explicitly linking to it. If you've got even a layman's knowledge of HTML, right clicking on my homepage and looking at the code would have shown you that directory. Now, suppose I had some private information in there--my grades from last term, for instance, which I'd uploaded so that an employer could check them--and you opened it up.
Do you think you would have done something criminal? Immoral? Why? Sure, right-clicking on my page and reading my source code is a bit more involved than most users bother with, but it's not rocket science, and anyone who's set up a blog would know how. Because I 'obviously didn't mean to provide it?' But I'm a trained and experienced professional--indeed, my training is exactly what a Senate user should expect it to be--and I can be expected to secure that which I think should be secret. It's a viable assumption that I simply didn't care.
The fact that the onus is on me to secure my files may encourage those with ill-will to go snooping. But it also protects people from liability for what they think is perfectly innocent. The model is that you're permitted to see whatever the owner has instructed the server to serve. In this case, Leahy delegated the task very, very badly, but that doesn't change the basic assumptions that lie underneath network security from day one.
But certainly this is all ungentlemanly, isn't it?
Some of you are saying, "Well, that's all very technical, Tony, isn't it, but this is just wrong. Whoever did this knew they were acting unethically, whatever the view from the SysAdmin's office?"
I'm sure they knew it was naughty, but that doesn't mean unethical. Indeed, it's one of those cases where the more you know about the activity, the further from unethical it looks. To the New York Times, this is 'hacking' and thus obviously theft. To a Democratic systems administrator, it's an ethical lapse on the part of the Democrats. As he points out, if Leahy were the head of several types of companies, he might be facing criminal charges right now.
But don't take my word for it. Take Senator Kennedy's.
Late last year, one of his aides opened her mailbox to find an email from a staffer in Senator Hatch's office. Attached to this email was a memo that was clearly misdirected. Nonetheless, she sent it on to several colleagues. Senator Kennedy's talking points on this matter include the line: "There was no impropriety, as the information sent to [Olati Johnson] was not confidential or privileged information." Kennedy had no problem with an aide handing on a document that clearly didn't belong to her when it had been misappropriated through the fault of a user. But when it was misdirected through the fault of an administrator, a standard which should be higher, he's talking of the next Watergate.
Simply put, Kennedy wouldn't have any problem with "impropriety" if it hadn't been Democrats caught with their pants around their ankles. And despite the fact that even Democratic security specialists think this is pathetic, there's not a sign that Leahy or Kennedy have any appreciation of the egg on their face.
Once more I'll say that I'm not really happy with how the Republican staffers handled themselves. In a certain sense, this is ungentlemanly, and whatever I think of Kennedy's standards, a gentleman's should be higher. But this shouldn't be criminal. Making it 'unethical' exposes actually ignorant users to the risk of breaking the law without knowing they've done it. And frankly, it didn't require several thousand dollars and months of the Sergeant at Arms' time to figure out what any SysAdmin could have told you months ago: if you put someone untrained in charge of the castle gates, don't be surprised when the drawbridge is down.
[1] I've probably just made certain that I never get hired in the Senate again, since insulting Chiefs of Staff isn't a great career option. But in this case, whoever was responsible deserves it.