Overnight Short Documentary: Peter Bellerby - the Globemaker

95
ericblair 8/29/2013 7:42:25 am PDT

re: #82 wheat-dogghazi

As a former IT guy, I wonder if Snowden’s employers had any earthly idea what a sysadmin can do if he has no scruples. During my short stint as an IT coordinator, I had free rein over the Exchange server, the website, everyone’s personal folders — everything but the financial stuff, which was on a different system.

In any federal organization, this sort of thing isn’t determined by leadership. There are protection profiles and security guides that are developed by subject matter experts that go down to the option-tweaking level. The problem is that you’re dealing with systems that allow user switching but have user-specific access privileges that exceed those of the sysadmin. Unlike NBCNews, I don’t think it takes some sort of super genius to exploit this as a sysadmin.

Fixing it would either mean reading sysadmins into every intelligence compartment, or nerfing the user switching capability somehow. I’m guessing that neither option was considered really feasible. However, I can fault them for either not setting up or ignoring critical audit flags whenever these sorts of privilege-increasing switches were performed.
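
Added example, not part of the original comment: a sketch of the kind of audit check the comment refers to, flagging any user switch where the target account holds compartments the switching account is not read into. The event format, account names and compartment labels are all constructed for illustration and do not describe any real system.

```python
import re

# Compartments each account is read into (constructed sample data).
COMPARTMENTS = {
    "sysadmin1": {"GENERAL"},
    "analyst_a": {"GENERAL", "ALPHA"},
    "analyst_b": {"GENERAL", "ALPHA", "BRAVO"},
    "helpdesk": set(),
}

# Constructed audit lines: "<timestamp> SWITCH actor=<user> target=<user>"
SAMPLE_LOG = """\
2024-01-01T02:14:07Z SWITCH actor=sysadmin1 target=helpdesk
2024-01-01T02:15:40Z SWITCH actor=sysadmin1 target=analyst_b
2024-01-01T09:00:12Z SWITCH actor=analyst_b target=analyst_a
2024-01-01T09:30:00Z SWITCH actor=sysadmin1 target=svc_unknown
2024-01-01T09:31:00Z LOGIN user=analyst_a
"""

EVENT_RE = re.compile(r"^(\S+) SWITCH actor=(\S+) target=(\S+)$")


def flag_privilege_increasing_switches(log_text, compartments):
    """Return one alert per switch whose target holds access the actor lacks."""
    alerts = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a user-switch event
        ts, actor, target = m.groups()
        if actor not in compartments or target not in compartments:
            # Fail closed: an account with no clearance record cannot be compared.
            alerts.append({"time": ts, "actor": actor, "target": target,
                           "gained": None, "reason": "unknown account"})
            continue
        # Compartments the actor gains by acting as the target.
        gained = compartments[target] - compartments[actor]
        if gained:
            alerts.append({"time": ts, "actor": actor, "target": target,
                           "gained": sorted(gained), "reason": "privilege increase"})
    return alerts


if __name__ == "__main__":
    for alert in flag_privilege_increasing_switches(SAMPLE_LOG, COMPARTMENTS):
        print(alert)
```

Switches to an equal or lower set of compartments pass silently; only the switch that adds ALPHA and BRAVO and the switch to an account with no clearance record raise alerts.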