CIA Chat Room Violates The Company's Policy
code_rage writes: "An article in the Washington Post says that some 160 employees and contractors of the CIA are being investigated for operating an unauthorized chat room. Two of those accused are "innovative, out-of-the-box, unconventional thinkers - these are essentially the hackers of the CIA, in the most positive sense of the word."
The article raises issues of national security, workplace monitoring, and workers' legal rights. Although security was not compromised in this case, the prospect of unauthorized software running on secure computers might be a little troubling. The article says that senior employees have a keystroke monitor installed on their computers. The 5-day timeline demanded by The Company for response to accusations seems to preclude the employees the ability to consult with legal counsel, given that clearances take months to be approved."
One or two employees and I could understand an investigation like this.
CIA or not, if 160 employees decide to break the rules in this way, isn't it just a sign that their employers aren't providing them with the (legitimate) resources to do their job effectively?
They could restrict these people and not get the best out of them, or they could work out a compromise. Since a lot of people are going to be watching this and it'll be setting an example to big dumb executives everywhere, I hope a compromise is what happens.
===
China was "allied" with the Soviet Union only from the brief period of 1949 - about 1960. After that (and this was before China developed the bomb), there was great animosity between the two governments to the point where several small battles were fought.
From your second assertion, I seriously doubt you do know history. The primary purpose of American nuclear deterrence was to prevent the Soviets from dominating Western Europe. Southeast Asia and Asia in general were much less important as the Soviets concentrated their forces on their eastern borders.
Okay they suspended the culprits for the past six months with pay [i'd love that!].
They don't say how many of them, but I guess we can assume that those who were suspended are at least the cream of the 160 that used the IRC.
What manager in his right state of mind can just suspend their best IT staffers - for six months?
Either they found someone else to do their jobs - which makes the discussion futile, cause then they will sack the offenders anyway - or, given that it's the CIA - they just leave the work undone...
Think about it. For six long months the creme of CIA techs doesn't get to work. Isn't that an invitation for everyone else to get busy while the yanks got their pants down?
I honestly do believe that the U.S. is the vulnerable to cyber warfare, simply because they have every man and his dog running through the Net.
Then they turn around and suspend the first line of defense, cause they were using their brains [which is what the CIA has hired them for, in the first place].
They should let h4x0rz run the Agencies. Would save them a pile and get more results...
Every time I feel compelled to explain things this obvious, I worry that I've been trolled.
You're obviously not alone. I've never had a comment moderated around the block the way this one has. The comment was made tongue-in-cheek. I'm well aware of the gravity of the situation working for the CIA. When you go in there, you play by their rules, no exceptions. I just find the whole situation a little (black) humourous.
Note that there was no disclosure of classified material here, just violations of Policy.
If you have a job to do, you do it. If you try to go through all of the Proper Authorities, you'll have long grey whiskers by the time you get their formal rejection.
I'd be willing to bet that the "authorized" software on the computers in question was some version of Windows, Microsoft Office, and a couple of buggy, inconvenient, locally written Visual Basic programs for filling out timesheets and accessing databases. And nothing else.
I'm sure every Slashdotter has a list of extra programs that need to be installed on any Windows system to make it halfway usable. (The last "unauthorized" program that I loaded was bzip2. Big scary threat, that.)
The point of "policy" is generally to cover the arses of the Powers that Be; if anything goes wrong, it's because "somebody violated Policy". I have worked in a number of secure environments; I have never seen one where *all* the Policies were followed. Scenario: You're the only one in the office when you are hit with A Sudden Need. Do you (a) Shit in your pants, (b) Carefully collect all of the classified data from your desk (and everybody else's desk, if you're watching their stuff for them) and lock it in the safe. Don't forget to sign the logs, or (c) duck down the hall to the loo and hope that nobody notices. Policy, of course, says (b), with (a) as the only alternative. Of course, (c) would leave your classified data open to any Soviet spies[1] who happened to sneak past the armed guards at the gate.
It's not just the Government; look up Randall Schwartz to see just how bad it can get.
[1] Yeah, I know. There hasn't been a Soviet Union for ten years. The US Department of Defense and State Department (the CIA is part of the State Department) have been busily trying to put it back together, as it was the only justification for their existence.
--
Welcome to the Turing Tarpit, where everything is possible but nothing interesting is easy.
Of course they tried to hide what they were trying to do! What would have happened if they had gone to the brass and said, "Um, we'd like to set up a chat room on the computer network. Don't worry, we won't let anyone in without an invitation. And we certainly won't open up any security holes. Okay?"
For obvious reasons, CIA employees are required to abide by very strict rules governing, among other things, what they may and may not do, who they may and may not talk to, and where they may and may not go. These rules are meant to be followed to the letter (the former director who used his home computer to create a top-secret document notwithstanding). Any violation of these rules means that security may have been compromised. I'm sure that potential security breaches worry the CIA brass just as much as actual ones, because when you find a hole, you really can't be certain that something didn't get in or get out through it.
Unfortunately, the above rules conflict with basic human nature. We are inquisitive animals, and we want to explore systems, whether they are computer systems, social systems, philosophical systems, etc. As soon as people are told not to do something (especially if they aren't told the (real) reason for the rule), they become even more interested in the forbidden behaviour than they were before. If you restrict a person's freedom to explore, there is always the chance that he will go ahead and explore anyway, and if he's smart, he'll go to great lengths to avoid detection of his activities. (Hmmm ... sounds like one of the prerequisites for becoming a spook. Maybe they should give these guys medals.)
I'm not really surprised that this happened, but if the CIA were really as paranoid about security as they should be, this would have been uncovered much sooner.
Yqy...K ecp'v dgnkgxg aqw cevwcnna vqqm vjg vkog vq vtcpuncvg oa uki. Kh aqw vjkpm vjku ku tkfkewnqwu, tgcf oa dkq.
What is the great danger of running a chat server again? Who was it that was going to 'root' their box?
Most of the data is probably on a need to know basis and compartmentalized on the systems. In this case, outside means from one office to the next. The idea is that even with the best background checks, someone could manage to slip in. The less each person is told, the less they could leak. The IRC server probably violated the compartmentalization (at least potentially).
- The CIA network, by its very nature, must be one of the secure LANs in the world. By installing unapproved software on an unapproved server, they may have inadvertently placed the security of the entire network at risk. While the article doesn't specifically mention what software was used, I seriously doubt that a security audit was performed on the source to verify that it wouldn't open up any holes.
- The chat room created the potential for inadvertent security leaks by allowing unmonitored communications between non-authenticated personnel. Think about this example: two CIA buddies regularly converse via this chat room during their lunch hours. One day, someone else (either internal or external to their network) gains access to the chat room and masquerades as one of the two regular users. When the other guy comes on, he sees the screen name and automatically assumes that it's his buddy, mentally placing him in the trusted category. Now, when this guy asks him what he's doing today, he probably won't think twice about telling him. Voila, he's just breached national security without realizing it.
As I said above, these guys should be disciplined, and they should probably be forced to re-take the security training classes, but they have shown creativity by solving what they saw as a communications "problem", and by keeping it operational on a heavily secured and monitored network for over a year without detection. These sound like the kinds of guys who would make excellent electronic intelligence agents.
There is nothing so pathetic as seeing a beautiful young theory roughed up by a tough gang of facts.
Although it might not seem right at first, these employees should be punished as this was a true security violation. The best way to secure a network is not to avoid things that are known to be unsafe, but only allow things that are known to be safe.
int func(int a);
func((b += 3, b));
It is not too hard for me to imagine a company freaking out if an employee, without permission of IT or whoever, set up an IRC chat server within the company network to chat with coworkers.
I've dealt with (but not worked directly for) companies in the past that won't allow their employees to even run IM clients like AIM or ICQ due to fear of them wasting time and goofing off... Having an internal server running on a company system without permission just adds (in the PHB's mind) to the inappropriateness of that goofing-off action.
The main problem here is that there is a big difference between national secrets and software secrets and ideas. The concepts of physics are not secrets because they are obvious and necessary in many situations. But if you have step by step discussion on how to make say hydrogen warheads in a secretive environment it is not very appropriate. A country like China doesn't have those little things we call a sense of ethics concerning the use/abuse of nuclear weaponry. Nations have to keep secrets all the time to defend against the possibly indefensible. It's all about strategy.
The Company for response to accusations, seems to preclude the employees the ability to consult with legal counsel, given that clearances take months to be approved
For the job I'm currently working, I had to sign an Employee Dispute Resolution agreement. It basically says that I can't sue them and they can't sue me until we have gone through a resolution process, which involves at some stage an outside mediator. The result is that most disputes are handled internally, without causing harm to the company while still providing a resolution satisfactory to the employee. Signing this made me very nervous, needless to say, but after reviewing the procedure, it seemed reasonable to me.
The point is, if my non-Top Secret company had such an agreement, it wouldn't surprise me if the CIA, a group which would be very concerned about public resolution of disputes, had such an agreement.
Isn't it because, as it's CIA internal stuff, and legal counsel would have to get security clearance in order to work with them?
I mean, seriously. The people involved here have security clearance, are supposed to be EXTREMELY WELL TRUSTED.
Finding out they did something that was against policy.. what do you expect?
Besides.. they don't *NEED* to consult with legal counsel; nobody's putting them on trial!
Do you think the hardware keystroke monitor you look for in the back of your computer can't just as easily be incorporated into the motherboard? These corporations have deep pockets...
That's old shit man. What do I do?
A) I use special goggles (LCD ones that emit NO radiation someone might peek at to follow the refresh cycle)...but, of course, you can't just plug that into a computer! They could have the video card tapped!
No, what these bad babies do is run strong encryption on anything they see that has their "encryption tag" on it...Anything on the computer screen between certain tags (they look like funky barcodes) is translated using 128-bit RSA encryption into a corresponding real image. They work within a 100 degree field of view, take megapixel shots, and analyze them surprisingly fast (you get like 3 fps), putting them back in the same aspect they were originally in. So you end up with a screen that has part of it looking like it has static on it, the rest normal. When you put on the goggles, you get the static stuff to look normal, except only changing about three times per second. Naturally, the rest of the goggles (the part not doing any unencrypting) have good refresh rates, so everything else looks the same as without the glasses.
B) But then, of course, it's not enough to have the computer print out garbled (encrypted) output, They could just have memory snoops! So, what I do, is I run NOTHING on my local machine. I run it all off of a server I have set up at home for which I have, essentially a custom remote access tool, which will serve you a page that via java gets the garbled screen (that is, its not even sent out unencrypted) and puts it out on your screen. Of course, it doesn't get plaintext keyboard/mouse commands, either, which brings me to
C) I use a special mouse and keyboard which both strong-encrypt (again, 128-bit) every keystroke and mouse-movement (each key ends up sending a few hundred, each mouse movement, too, since for java reasons I send only ASCII text keys and translate everything into that), and so it's no problem if They see exactly what's sent out from the keyboard...They'd have to see the keyboard physically to know what keys I'm hitting....which, of course, They can't, because I cover the whole portion of my desk that I type over with a thick blanket of industrial-level (not just medical-level) radiation shielding that blocks all visual clues to where my hands are, as well as infrared and xray. Not even radio noise escapes, which might otherwise let them analyze what the keyboard does internally. A portion of the shielding even goes all the way to my elbows, so They can't analyze the muscle movement of my forearms to see what keys I might be pressing.
D) The mouse and keyboard have a private key based on the goggle's changing public key, and my home server invalidates them every 15 seconds, so that when the goggle is not connected to the keyboard/mouse, or to put it another way, if the keyboard and mouse are ever picked up by Them and analyzed, They won't be able to talk with my server anymore. So how does the goggle get its private key? Based on both 1) scanning my retina, which alone isn't enough, of course, since They could also do that and get my private key anytime, but also 2) having a SHIELDED component that accepts a miniature disk with closed casing that's light-encoded, so that with a single motion I can destroy all data on it by exposing it to light.
Now, granted, it might seem excessive to spend upwards of $75,000 on equipment only to end up wearing this heavy goggle set physically connected to a keyboard and mouse that are all under heavy xray/radio/infrared shielding, but, gentlemen, I assure you, with my setup, I can be totally 100% sure that my Company has absolutely no idea that I'm really just playing Quake. And that kind of peace of mind, my friends, is worth 3 fps.
So much for keeping our intellectual secrets from China. Oh wait, they already know how we make our nuclear bombs.
And you would do what? Slap chains around their ankles? If you didn't get riots you'd get some quite demoralised and less effective workers. They should be (and hopefully are) trying to work out what's wrong with the working conditions that caused people to do that -- not slapping punishments on everyone, demoralising them even further.
What I'm trying to say is that if 160 people are breaking the rules, obviously the rules aren't designed well enough to accommodate people effectively. When rules are made too inflexible to fit people, they'll get broken and so there's not much point in having them anyway. Show a bit of respect by allocating some freedom for people and they'll usually surprise you.
The CIA is a special case and there would be some specific things they couldn't do, but it's in everyone's best interests that the people working there are enjoying what they do. For example, if they don't want unchecked s/w running on their network, perhaps they need to create a separate intranet where employees can run unchecked s/w.
===
"Don't be paranoid, what do you think this is, the NSA?"
"innovative, out-of-the-box, unconventional thinkers"
Someone at our government being unconventional? whoa....whoda thunk it?
But really, these people work at the CIA, did they think they wouldn't get caught? or were they expecting to lose their laptops before they did get caught.....
The anti-salmon
"The serious thing for us is people willfully misusing the computer system and trying to hide what they were trying to do," said one intelligence official. "If they were doing this with the KGB's computer system, we'd be giving them medals. Sadly, it was ours."
Now here's a perfect double standard. Fuck with the enemy's systems, and we'll give you a medal. Do the same with ours, and we'll shoot your ass. The funny part is that it was a chat room. Chat rooms are forums for essentially free speech. So the enemy probably would shoot you for attempting to practice your right to free speech. Thus, we have a situation here where they'd be damned by both sides.
This has all the smell of bad political infighting. As the Washington Post article points out, it seems "highly suspicious that all of those supervisors, not to mention the numerous component network administrators and security personnel, were unaware over a period of years of illicit computer usage by a group of 160 personnel". So something happens, and somebody who does know about this particular skeleton digs it up and uses it against "several officials, including members of the Senior Intelligence Service, a cadre of career officers at the upper reaches of the civil service system". They wind up with letters of reprimand in their folders or worse, fired. In any event I strongly suspect there's a lot more going on that we don't know about - yet.
The Associated Press just released an article on this topic.
Spy Agency Investigating 160 Employees, Contract Workers for Unapproved Site
WASHINGTON (AP) - The CIA is investigating 160 of its employees and contract workers for exchanging "inappropriate" and off-color messages on a covert "chat room" in the spy agency's classified computer network, The Washington Post reported.
--
He lives in a world where those who do not run the client software of the omnipresent meme are unacceptable.
Seems like these guys are really good resources to understand and deal with computer crimes and other computer-related operations. Why would CIA want to criminalize them, leaving only meek people behind? Sure, that's gotta make them more savvy and efficient as an organization.
Seems to me that what these people were doing is pretty harmless from a national security point of view. If their management does not trust their intentions and their judgement skills, they should not have hired them in the first place.
Now, instead, they will make CIA an organization only for dead weights.
I'm more of the "What the hell did they think they were doing" mind. You seem to mention that the CIA is "not your standard business" as an aside. I think its the most important point. These people should expect to be spied on. They are in a highly trusted position. These machines should be as secure as possible. Running unauthorised software on it, even a home written version of "Hello World" should not be allowed. These are key machines. They should be as secure as is humanly possible. The rules should not be stretched, bent, or broken, no matter how stupid. These people should be perfect. They should not have any privacy from their employer, and they should accept that.
seineeW erA srekcaH IBF
"I have not failed. I've simply found 10,000 ways that won't work." --Thomas Edison
I found it interesting, that the article said, "...which CIA investigators discovered while performing routine computer security checks..." Then later said, "...'This activity has apparently been taking place for some time...'" If it was a routine check, then shouldn't they have caught it before it got out of hand? The only reason they didn't, that I can think of, is they wanted to catch the guilty parties involved. I don't feel sorry for any of the parties involved because they breached their contract.
"The quality of life is determined by its activites."--Aristotle
Perl.
"I'm sad to see that, as usual, the control freaks of the world are eager to lynch anyone who makes 'unauthorized use' of a computer."
In this case, it wasn't just "unauthorized use." The chat room was inside a classified network. Even though the CIA admitted that nothing was compromised, in due time, it may have been. Having a publicly-accessible chat room on a network just like the CIA's is an invitation to jump into the network, and that's a big security no-no.
Read the article next time. HTH HAND
--
The real Raunchola isn't cool enough to have any imposters
As the Captain from Crimson Tide put it so eloquently:
We're here to defend democracy, not uphold it.
I have this picture in my head of Tom Cruise hanging from an air vent and installing BitchX on his laptop...
Hey, this violates the CIA policy, then they should get reprimanded. At any job if you use the computer for non work related items without permission then you will get in trouble. Hell, this is the CIA. I am not surprised they are finding themselves without a job.
It looks like simple security policy enforcement to me.
Think about it: they ran a public server from an internal network that has access to sensitive information. This is very bad, security-wise. What would happen if somebody outside rooted their box? Depending on the information that could be accessed, people could die because some morons were running some IRC server.
This wouldn't be the first organization that's fired employees for breaking the security policy. This story fills me with nausea.
--------
Life is a race condition: your success or failure depends on whether you get the work done on time.
If those CIA computers have keystroke monitoring software/hardware installed, I certainly hope they're connected in a way that doesn't allow someone other than their boss to monitor them.
I'm just waiting for the day when everyone gets a neural implant that automatically detects non-business related thoughts during company hours. After all, we provide the air that you breathe. It is against company policy for anyone to have independent thoughts while breathing the company's air.
Just because you can legally treat your employees like serfs doesn't mean that you are obligated to do so.
A smart manager might ask, Why was this software installed and why was it so popular?
Mea navis aericumbens anguillis abundat
Good point. The CIA might have situations where they depend upon compartmentalization: they might give the same data to two groups and compare the results, or they might give pieces of the data to different groups in an attempt to disguise a common origin. The organization may prefer for information to not leak between groups.
While I might normally agree with your "he who is without sin gets to cast the first stone" argument, I'd have to say that at my workplace Slashdot goes through a proxy/firewall and I'm forbidden by company policy to install unauthorized software on my desktop. Web pages in general would therefore be perhaps off-topic and constitute "theft of time" from my employer, but they would not be a security risk in any sense of the word. As far as IRC, depending on how that was conducted, it might or might not constitute installing unauthorized software. If you are installing mIRC against policy, that's no different than any other package... but if you are simply telnetting to a shell on a different machine, that probably didn't require the installation of new or unauthorized software (given the default inclusion of telnet in most desktop packages). If the CIA has a policy and these guys broke it, the commonplace nature of the violation does not make the violation less a violation. By the same argument, driving over the speed limit should exempt drivers from the speed limit as long as they are all doing it.
I do not have a signature
The article says:
The CIA is investigating 160 employees and contractors for exchanging "inappropriate" e-mail and off-color jokes in a secret chat room created within the agency's classified computer network and hidden from management.
And then it says:
If they were doing this with the KGB's computer system, we'd be giving them medals. Sadly, it was ours.
Umm, if they were sending around dirty e-mails and fart jokes around KGB computer systems, I doubt we'd be giving them a medal. I think it'd be more like "Why were you dicking around on their computer systems and not gathering information?"
And how come everyone who "thinks outside of the box" is automatically a geek and a hacker? Where I work (which is not the CIA), we reward people who think outside of the box, but we'll also fire in a heartbeat those people who abuse our systems, even if it's something minor. Why? The reason is that when someone abuses something for a harmless reason, there's no reason that they might someday cross the line and abuse it in a very damaging way. It's about responsibility and decision making capabilities. If they can't conduct themselves in a responsible manner, they're a potential liability. Whether they think "outside of the box" or not is irrelevant. Conduct and action do not have an effect on the ability to solve problems.
Frankly, I'm glad that the CIA is watching their internal networks and trying to maintain good employee conduct. I wouldn't want some care-free hacker in charge of maintaining information that, if put in the wrong hands, could endanger the welfare of the country, just like I wouldn't want some carefree hacker on my computer network doing things that could possibly make my work day more hectic.
If senior employees have keystroke monitors, that means that all communication between them is 'official' and vetted by their back-of-the-head-lawyer. This should be devastating in an organization whose purpose is to evaluate and analyze information.
There's a tradeoff here between security and being able to successfully do the job. Out of fear of scandal and the desire to cover their ass the CIA has compromised its usefulness in the interest of security (job security mostly).
At the end of the day, the price of this attitude is dead Americans in botched or badly conceived missions.
-- look, cheese ahoy!