CIA Chat Room Violates The Company's Policy
code_rage writes: "An article in the Washington Post says that some 160 employees and contractors of the CIA are being investigated for operating an unauthorized chat room. Two of those accused are "innovative, out-of-the-box, unconventional thinkers - these are essentially the hackers of the CIA, in the most positive sense of the word."
The article raises issues of national security, workplace monitoring, and workers' legal rights. Although security was not compromised in this case, the prospect of unauthorized software running on secure computers might be a little troubling. The article says that senior employees have a keystroke monitor installed on their computers. The 5-day timeline demanded by The Company for response to accusations seems to preclude the employees the ability to consult with legal counsel, given that clearances take months to be approved."
One or two employees and I could understand an investigation like this.
CIA or not, if 160 employees decide to break the rules in this way, isn't it just a sign that their employers aren't providing them with the (legitimate) resources to do their job effectively?
They could restrict these people and not get the best out of them, or they could work out a compromise. Since a lot of people are going to be watching this and it'll be setting an example to big dumb executives everywhere, I hope a compromise is what happens.
===
Of course they tried to hide what they were trying to do! What would have happened if they had gone to the brass and said, "Um, we'd like to set up a chat room on the computer network. Don't worry, we won't let anyone in without an invitation. And we certainly won't open up any security holes. Okay?"
For obvious reasons, CIA employees are required to abide by very strict rules governing, among other things, what they may and may not do, who they may and may not talk to, and where they may and may not go. These rules are meant to be followed to the letter (the former director who used his home computer to create a top-secret document notwithstanding). Any violation of these rules means that security may have been compromised. I'm sure that potential security breaches worry the CIA brass just as much as actual ones, because when you find a hole, you really can't be certain that something didn't get in or get out through it.
Unfortunately, the above rules conflict with basic human nature. We are inquisitive animals, and we want to explore systems, whether they are computer systems, social systems, philosophical systems, etc. As soon as people are told not to do something (especially if they aren't told the (real) reason for the rule), they become even more interested in the forbidden behaviour than they were before. If you restrict a person's freedom to explore, there is always the chance that he will go ahead and explore anyway, and if he's smart, he'll go to great lengths to avoid detection of his activities. (Hmmm ... sounds like one of the prerequisites for becoming a spook. Maybe they should give these guys medals.)
I'm not really surprised that this happened, but if the CIA were really as paranoid about security as they should be, this would have been uncovered much sooner.
Yqy...K ecp'v dgnkgxg aqw cevwcnna vqqm vjg vkog vq vtcpuncvg oa uki. Kh aqw vjkpm vjku ku tkfkewnqwu, tgcf oa dkq.
- The CIA network, by its very nature, must be one of the secure LANs in the world. By installing unapproved software on an unapproved server, they may have inadvertently placed the security of the entire network at risk. While the article doesn't specifically mention what software was used, I seriously doubt that a security audit was performed on the source to verify that it wouldn't open up any holes.
- The chat room created the potential for inadvertent security leaks by allowing unmonitored communications between non-authenticated personnel. Think about this example: two CIA buddies regularly converse via this chat room during their lunch hours. One day, someone else (either internal or external to their network) gains access to the chat room and masquerades as one of the two regular users. When the other guy comes on, he sees the screen name and automatically assumes that it's his buddy, mentally placing him in the trusted category. Now, when this guy asks him what he's doing today, he probably won't think twice about telling him. Voila, he's just breached national security without realizing it.
As I said above, these guys should be disciplined, and they should probably be forced to re-take the security training classes, but they have shown creativity by solving what they saw as a communications "problem", and by keeping it operational on a heavily secured and monitored network for over a year without detection. These sound like the kinds of guys who would make excellent electronic intelligence agents.
There is nothing so pathetic as seeing a beautiful young theory roughed up by a tough gang of facts.
Although it might not seem right at first, these employees should be punished as this was a true security violation. The best way to secure a network is not to avoid things that are known to be unsafe, but only allow things that are known to be safe.
int func(int a);
func((b += 3, b));
"Don't be paranoid, what do you think this is, the NSA?"
"innovative, out-of-the-box, unconventional thinkers"
Someone at our government being unconventional? whoa....whoda thunk it?
But really, these people work at the CIA, did they think they wouldn't get caught? or were they expecting to lose their laptops before they did get caught.....
The anti-salmon
Seems like these guys are really good resources to understand and deal with computer crimes and other computer-related operations. Why would CIA want to criminalize them, leaving only meek people behind? Sure, that's gotta make them more savvy and efficient as an organization.
Seems to me that what these people were doing is pretty harmless from a national security point of view. If their management does not trust their intentions and their judgement skills, they should not have hired them in the first place.
Now, instead, they will make CIA an organization only for dead weights.
I'm more of the "What the hell did they think they were doing" mind. You seem to mention that the CIA is "not your standard business" as an aside. I think it's the most important point. These people should expect to be spied on. They are in a highly trusted position. These machines should be as secure as possible. Running unauthorised software on it, even a home written version of "Hello World" should not be allowed. These are key machines. They should be as secure as is humanly possible. The rules should not be stretched, bent, or broken, no matter how stupid. These people should be perfect. They should not have any privacy from their employer, and they should accept that.
seineeW erA srekcaH IBF
"I have not failed. I've simply found 10,000 ways that won't work." --Thomas Edison
I found it interesting, that the article said, "...which CIA investigators discovered while performing routine computer security checks..." Then later said, "...'This activity has apparently been taking place for some time...'" If it was a routine check, then shouldn't they have caught it before it got out of hand? The only reason they didn't, that I can think of, is they wanted to catch the guilty parties involved. I don't feel sorry for any of the parties involved because they breached their contract.
"The quality of life is determined by its activities."--Aristotle
As the Captain from Crimson Tide put it so eloquently:
We're here to defend democracy, not uphold it.
Hey, this violates the CIA policy, then they should get reprimanded. At any job if you use the computer for non work related items without permission then you will get in trouble. Hell, this is the CIA. I am not surprised they are finding themselves without a job.
It looks like simple security policy enforcement to me.
Think about it: they ran a public server from an internal network that has access to sensitive information. This is very bad, security-wise. What would happen if somebody outside rooted their box? Depending on the information that could be accessed, people could die because some morons were running some IRC server.
This wouldn't be the first organization that's fired employees for breaking the security policy. This story fills me with nausea.
--------
Life is a race condition: your success or failure depends on whether you get the work done on time.
I'm just waiting for the day when everyone gets a neural implant that automatically detects non-business related thoughts during company hours. After all, we provide the air that you breathe. It is against company policy for anyone to have independent thoughts while breathing the company's air.
Just because you can legally treat your employees like serfs doesn't mean that you are obligated to do so.
A smart manager might ask, Why was this software installed and why was it so popular?
Mea navis aericumbens anguillis abundat
The article says:
The CIA is investigating 160 employees and contractors for exchanging "inappropriate" e-mail and off-color jokes in a secret chat room created within the agency's classified computer network and hidden from management.
And then it says:
If they were doing this with the KGB's computer system, we'd be giving them medals. Sadly, it was ours.
Umm, if they were sending around dirty e-mails and fart jokes around KGB computer systems, I doubt we'd be giving them a medal. I think it'd be more like "Why were you dicking around on their computer systems and not gathering information?"
And how come everyone who "thinks outside of the box" is automatically a geek and a hacker? Where I work (which is not the CIA), we reward people who think outside of the box, but we'll also fire in a heartbeat those people who abuse our systems, even if it's something minor. Why? The reason is that when someone abuses something for a harmless reason, there's no reason that they might someday cross the line and abuse it in a very damaging way. It's about responsibility and decision making capabilities. If they can't conduct themselves in a responsible manner, they're a potential liability. Whether they think "outside of the box" or not is irrelevant. Conduct and action do not have an effect on the ability to solve problems.
Frankly, I'm glad that the CIA is watching their internal networks and trying to maintain good employee conduct. I wouldn't want some care-free hacker in charge of maintaining information that, if put in the wrong hands, could endanger the welfare of the country, just like I wouldn't want some carefree hacker on my computer network doing things that could possibly make my work day more hectic.