Slashdot Mirror


Real Cyber-Spying

phr1 writes: "Kevin Poulsen has an article at The Register about a USAF sergeant arrested for emailing classified info to "Country A" (apparently Libya). The guy was something of a bozo, using free webmail accounts from locations near his home to email the stuff. It's an interesting read about a legitimate (for once) cyber-bust."

9 of 161 comments

  1. Re:Crypto-foolish by Kryptonomic · · Score: 4, Insightful
    I mean, use a 2048-bit PGP key, and you'll probably be home free...

    Unless, of course, the FBI gets a search warrant, raids your house and copies your secret key from your hard drive (or floppy disk, if you've tried to be that careful).

    Or would they have to have a search warrant at all? Just carry out an illegal search, copy the key and just claim in court that you cracked the encryption using a new, classified method that cannot be revealed "for obvious reasons" (as in the keyboard logger case).

  2. Is Intelink More Secure Than Enigma? by cybrpnk · · Score: 5, Interesting

    The referenced article had a link to the best demo I've seen so far about the US Government's "separate" internet called Intelink that links intelligence agencies. This is where our spy got his material he tried to sell - online, not from an old-style combination safe. Intelink is supposed to be totally isolated from the "regular" internet (yeah, right, anybody got a connecting URL?) but it's got 250,000+ users. How can the security on this thing be airtight enough to entrust US secrets to it? A few nights ago I watched the Nova rerun about Bletchley Park breaking the Nazi Enigma code and the point was made over and over that the Brits got toeholds into breaking the code by flaws in the way the Germans in the field actually used the Enigma on a day-to-day basis. Aren't we setting ourselves up for exactly the same thing with a quarter-million users out there? Yo, some Slashdot user who has access to this thing - tell us what administrative security is in force! Also, this guy went to his public library and logged onto free email accounts to transfer his information - what should he have done? What is the next way a spy will use the regular internet as an anonymous dead drop more successfully than Sgt Regan?

    1. Re:Is Intelink More Secure Than Enigma? by grendelkhan · · Score: 3, Informative

      The network itself is physically separated from any other networks. The cabling and links are all a closed loop; it's just built using the same protocols and tools that the internet runs. The Register article mentioned that it now uses a digital signature file to restrict access to a "need to know" level set by the people who create user accounts.

      The people who run this network are extremely paranoid about what you point out, so there are no access points that exist outside of secure installations. The network traffic itself is probably encrypted as well, but that's beyond my "need to know".

      --
      Wu-Tang Name: Half-Cut Skeleton Get your own Wu-Na
    2. Re:Is Intelink More Secure Than Enigma? by fatbastard1001 · · Score: 3, Informative

      First of all, don't send email to quaddafi@intel.mil.lb. That is good advice for anyone, not just spies.

      2) Use one-time pads. A DVD full of geiger counter readings will do a better job of fooling the spooks than any method that can be brute forced. If it can be brute forced, they will do it. NSA pays the salaries of more math Ph.D.s than anyone else on the globe. The only problem with the OTP is ridding yourself of the traces of the plaintext and noise (the DVD itself and residual memory on your box).

      3) Remailers, public and private. I would have Country B set up clean cover companies in third countries (those Scandinavian countries are good). Send your mail to katrina@fakecompany.fi, let it get bounced around and rehashed with static. This should slow down the spooks a bit.

      I hope this would take care of the secure data transmission end.

      Remaining problems:
      -getting the goods (unless you're the boss like Hanssen, don't get any secrets you wouldn't normally have access to anyway)
      -getting paid (diamonds in a ziploc bag are fun to have around, but how are you going to spend them? Hanssen drove around in a beat-up minivan, b/c all his "l3wt" was in jewel form, or in a "secret account" in the SovUnion. If you show up at the office driving a Maserati, eyebrows are sure to raise)
      -getting away (eventually they'll catch up to you, so you'll want to leave before they do. Where are you going to go? Libya? Talibanistan? The Sudan?)

      In conclusion, let me say that spying is bad. We're the good guys (well, compared to Libya and Iraq). Put 15% of your salary into an IRA, and when you retire, you'll have your pension & a cool mil.
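The one-time pad point in item 2 of the comment above (a truly random pad cannot be brute forced, and the weak spot is the pad and plaintext left lying around) is easy to see in code. The example below is an added illustration, not code from the thread or from any OTP tool; it uses secrets.token_bytes as a stand-in for the comment's Geiger-counter readings, and the two messages are constructed samples. It goes one step beyond the comment by also showing the classic reuse failure: the same pad applied to two messages cancels out and exposes one message given the other.

```python
"""One-time pad: why it resists brute force, and how it fails when the pad leaks or is reused.

Added example. The pad comes from secrets.token_bytes as a stand-in for the
Geiger-counter DVD in the comment; the messages are constructed samples.
"""
import secrets
from typing import Dict, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR with a never-reused, truly random pad at least as long as the message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad too short: a one-time pad must cover the whole message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


otp_decrypt = otp_encrypt  # XOR is its own inverse


def pad_consistent_with(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """For any candidate of the right length there is a pad that decrypts to it."""
    return xor_bytes(ciphertext, candidate_plaintext)


def candidates_not_ruled_out(ciphertext: bytes, candidates: List[bytes]) -> int:
    """Count candidates a brute-forcer cannot exclude: every equal-length one survives,
    because each has a pad that produces exactly this ciphertext."""
    survivors = 0
    for cand in candidates:
        if len(cand) != len(ciphertext):
            continue  # only length leaks
        if otp_decrypt(ciphertext, pad_consistent_with(ciphertext, cand)) == cand:
            survivors += 1
    return survivors


def recover_from_leftover_pad(ciphertext: bytes, recovered_pad: bytes) -> bytes:
    """The residue problem from the comment: a pad left on disk returns the plaintext outright."""
    return otp_decrypt(ciphertext, recovered_pad)


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Reusing a pad cancels it: ct1 XOR ct2 == pt1 XOR pt2, so knowing one message reveals the other."""
    return xor_bytes(ct1, ct2)


def demo() -> Dict[str, object]:
    pad = secrets.token_bytes(64)
    msg1 = b"meet at the usual place"  # constructed sample
    msg2 = b"nothing to report today"  # constructed sample, same length as msg1 on purpose
    ct1 = otp_encrypt(msg1, pad)
    ct2_reused = otp_encrypt(msg2, pad)  # the mistake: same pad used twice
    return {
        "roundtrip": otp_decrypt(ct1, pad) == msg1,
        # both 23-byte candidates survive; the 9-byte one is excluded only by length
        "survivors": candidates_not_ruled_out(ct1, [msg1, msg2, b"too short"]),
        "pad_residue_recovers": recover_from_leftover_pad(ct1, pad[:len(ct1)]) == msg1,
        "reuse_reveals_other": xor_bytes(pad_reuse_leak(ct1, ct2_reused), msg1) == msg2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "survivors" count is the whole argument against brute force: with a random pad, every same-length plaintext is an equally valid decryption, so trying keys yields no information. The last two entries are the comment's caveat made concrete: the scheme is only as good as the destruction of the pad, and a pad used twice is no pad at all.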

  3. Re:Crypto-foolish by nabucco · · Score: 5, Interesting

    Your secret key being lost does not make the encryption readable. From the PGP FAQ:

    http://www.uk.pgp.net/pgpnet/pgp-faq/faq-03.html #3.10

    3.10 If my secret key ring is stolen, can my messages be read?
    No, not unless they have also stolen your secret pass phrase, or if your pass phrase is susceptible to a brute-force attack. Neither part is useful without the other. You should, however, revoke that key and generate a fresh key pair using a different pass phrase. Before revoking your old key, you might want to add another user ID that states what your new key id is so that others can know of your new address.
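The FAQ answer above, and the search-warrant scenario in comment 1, both turn on one fact: the secret key ring on disk is encrypted under a key stretched from the passphrase, so a copied file is only as good as the passphrase it was protected with. The toy model below is an added example, not PGP's actual key-ring format or any PGP code; it uses PBKDF2 from the Python standard library for the stretching and an HMAC-SHA256 counter keystream as a stand-in for a real block cipher, and the key bytes, passphrases and wordlist are constructed. It shows that a stolen file alone unlocks nothing, that a dictionary-weak passphrase falls to exactly the brute force the FAQ warns about, and that a long passphrase from outside the wordlist does not.

```python
"""Toy passphrase-protected secret key ring (added example, not the OpenPGP format).

Layout of the on-disk blob: salt(16) || nonce(16) || ciphertext || tag(32).
The MAC tag is what tells a wrong passphrase from a right one, standing in for
the checksum a real secret-key packet carries.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

KDF_ITERATIONS = 50_000  # work factor per guess; real tools tune this higher


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passphrase into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES; stdlib has no block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect_secret_key(secret_key: bytes, passphrase: str) -> bytes:
    """Produce what would sit on the hard drive or floppy."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(secret_key, keystream(enc_key, nonce, len(secret_key))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unlock_secret_key(blob: bytes, passphrase: str) -> Optional[bytes]:
    """Return the key material, or None when the passphrase is wrong (tag mismatch)."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def guess_passphrase(blob: bytes, wordlist: List[str]) -> Optional[str]:
    """The brute force the FAQ mentions: try each candidate against the stolen file."""
    for candidate in wordlist:
        if unlock_secret_key(blob, candidate) is not None:
            return candidate
    return None


# constructed stand-ins: random bytes for the private key, a tiny common-passphrase list
SECRET_KEY = os.urandom(32)
WORDLIST = ["password", "letmein", "123456", "qwerty", "secret", "airforce"]
STRONG_PASSPHRASE = "correct-horse-battery-staple-4x"  # constructed; not in the wordlist


def demo() -> Dict[str, object]:
    weak = protect_secret_key(SECRET_KEY, "letmein")
    strong = protect_secret_key(SECRET_KEY, STRONG_PASSPHRASE)
    return {
        "stolen_file_alone_unlocks": unlock_secret_key(weak, "") is not None,
        "weak_passphrase_recovered": guess_passphrase(weak, WORDLIST),
        "strong_passphrase_recovered": guess_passphrase(strong, WORDLIST),
        "right_passphrase_unlocks": unlock_secret_key(strong, STRONG_PASSPHRASE) == SECRET_KEY,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The defender's lever here is KDF_ITERATIONS and passphrase entropy: each wrong guess costs the attacker the full stretching work, so the cost of the dictionary run scales with iterations times wordlist size, while a passphrase outside any wordlist pushes that cost past what the copied file is worth. The FAQ's advice to revoke and regenerate after a theft still stands, since nothing stops the thief from guessing offline indefinitely.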

  4. silly spies, DES is for kids by beanerspace · · Score: 3, Interesting

    As someone who lives in the D.C. area, I run into a lot of retired 20yr/career military types who are "double dipping" (local vernacular for someone taking a pension while working). I didn't realize spying was an option.

    What I find most interesting is how BAD a spy this guy was. Going back to the same account nine times? Especially regularly using, and repeatedly going back to, local public libraries, where all activity is recorded and logged for just such abuses? Where the library's access to the network is often via some other local government agency or educational institution?

    And the list of stupidity goes on. Including continuing with the same modus operandi after making the initial contact via the internet ... moreover, to do it in a town which is chock full of feds looking for the big bust. Man, this guy did everything but walk in front of the Hoover building with a sandwich board that read "Hi I'm Brian. Come Spy with Me".

    The entire incident is mind boggling and makes me wonder what type of security they're NOT teaching our USAF boys in blue.

  5. How did they know about it? by bat'ka+makhno · · Score: 3, Interesting

    What the article doesn't adequately address is the issue of just how the FBI first got wind of Regan's activity. It's an interesting question, one that should give pause to anyone considering providing information to third parties as a way of supplementing a meager government pension.

    Come to think of it, the initial discovery steps are never addressed in the popular reporting of spy incidents, and most cases either never make it to court or contain "sensitive material" that is not accessible to those not in the loop (that usually involves defense lawyers). Somehow though, I get the impression that foreign agencies are so thoroughly penetrated by American intelligence that spying against the US is a death wish. You will be sold out by your contact in Moscow or Tripoli who probably makes $100 a month and dreams of nothing better than retiring in the States with an American government pension. Either that, or the powers that be monitor all communications to an extent that even Slashdot readers would find unbelievable, so that anything even remotely secret that goes over the wire or the ether is read, catalogued and forwarded to the competent authorities.

  6. Re:Crypto-foolish by viper21 · · Score: 5, Insightful

    That is exactly why I memorize my PGP key. Sometimes it takes me 2 minutes to type the whole thing in from a terminal.

    It's a lot safer in my head. And if they try to MAKE me tell them, by the time I become submissive the numbers will jumble together and I will have forgotten it. Can a floppy do that? I think not.

    -S

  7. Re:Spies 'R' Dumb? by gnovos · · Score: 3, Insightful

    Spend some time watching "The FBI Files" or another of those true crime shows. In every single case, the killer is caught either through

    a) dumb luck (the cop, after five years of searching, bumps into the guy at Disneyland or something)

    b) dumb criminal (going back to the scene of the crime, going to the cops with some "new evidence" long after you were cleared, running directly to your mother's, girlfriend's, or best friend's house to "hide out")

    I have no doubt that the spy game works the same way.

    --
    "Your superior intellect is no match for our puny weapons!"