Slashdot Mirror
FBI Wiretapping Audit Secrets Uncovered Via Ctrl+C
mytrip notes a story in Wired's Threat Level blog on the latest boneheaded government moves with redaction. (We've been discussing redaction follies here for years.) This time it's an FBI report (PDF) on implementing CALEA — you can select text from redacted areas, copy it, and paste into a text editor, as University of Pennsylvania professor Matt Blaze discovered. From Wired: "Once again, supposedly sensitive information blacked out from a government report turns out to be visible by computer experts armed with the Ctrl+C keys — and that information turns out to be not very sensitive after all... [Among] the tidbits considered too sensitive to be aired publicly: The FBI paid Verizon $2,500 apiece to upgrade 1,140 old telephone switches. Oddly the report didn't redact the total amount paid to the telecom — slightly more than $2.9 million dollars — but somehow the bad guys will win if they knew the number of switches and the cost paid."
This is a classic example of secrecy being used not for national security but to avoid embarrassment. There are likely thousands of these types of secrets that cost money to keep but that are for no reason at all. Ass clowns.
Can we get a new category, like "Gallows Humor"?
Besides, we shouldn't be reporting on this stuff-- our only defense against this government anymore is its own monumental stupidity.
What confuses me is that, and I might be too generous in my assumption, I assume that there's an IT professional somewhere that looks over these released files prior to their release? I know that common sense is entirely too uncommon these days, but if I were to release a digital file (whether to an individual or the public) I'd make sure that someone from the IT department looked it over before release.
Otherwise it's like having a flu vaccine released by managers that went nowhere near an immunologist or virologist.
Still, I'm sure that, sometime soon, MS will remove the Ctrl+C combination. For national security, of course.
visible by computer experts armed with the Ctrl+C keys
The FBI is trying to trick me into thinking they're all stupid so they can find out where I've got the 500 acre marijuana farm with its fiftten thousand tons of marijuana in the barn, 500 beautiful hookers and the casino downstairs, where you can buy white lightning and moonshine.
Meanwhile, Osama's still loose.
Attention FBI: Look, dumbasses, print the damned thing out, black out the parts that embarrass the President and your Director with a magic marker and scan it to a TIF file (that's a graphics format, guys. Pay attention!) and "print" THAT to PDF.
But you already know that, you're trying to find my pot gambling hooker farm!
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Now, I'm all up for good gov't conspiracy, and working for the gov't, I know how they spend inappropriately.
But there is something called the mosaic effect. The short of it is that you have two (or more) documents. None of them by themselves are sensitive, but as a group, they become sensitive because they give you a complete picture. It's quite possible that this redacted info gives that picture.
In addition, gov't entities regularly leave out the specifics like the number of switches because they do not want to demonstrate the scope of their operations. Not for any malicious reasons, but for what they perceive as a security risk. It might be a false risk, but it's not malicious.
yeah, you're 100%.
those guys were just involved in a dick-measuring "biggest nerd" contest.
Why, yes I have been touched by His noodly appendage. And I plan to sue.
The FBI paid Verizon $2,500 apiece to upgrade 1,140 old telephone switches. Oddly the report didn't redact the total amount paid to the telecom â" slightly more than $2.9 million dollars â" but somehow the bad guys will win if they knew the number of switches and the cost paid.
It's more likely that the total number is large and people go "ok must be a lot" but at 2.5k usd per switch people would go "how fucking much!!!" - that's what they may want to avoid
Jaj
how abused and misapplied all those "in the interest of national security" procedures are when there is no oversight in place. When will the legislators ever learn, anything that can be abused or misused, will be abused and misused in the absence of oversight? It's not even "might" or "is very likely". It always happens. It's human nature to take advantage for personal gain without risk. They censor anything that they want to, for any agenda, because they can. And this just exposes that truth.
Now watch how they react to it. Do they straighten up their censorship policies? of course not. They'll simply make the abuse harder to discover.
I work for the Department of Redundancy Department.
In other words, it's just another thing that Microsoft stole from someone else?
from an information security standpoint, this actually makes some sense. Allow me to explain. First, the high value number is going to show up in budgets anyway, so anyone who wants that number could already find it. It's hard to not have a few million dollars show up in the accounting somehow. Second, the reason the exact dollar value per part is usually redacted is that this is a giant clue as to the identity of the part used in the infrastructure. E.g. if I tell you I have a $300 mp3 player, then you know that I have an IPOD. But if I tell you that I bought a bunch of mp3 players and spent $100,000 then you don't know whether I've bought Zens, Zunes, ipods, sansas, or something else. And the problem with telling people what your infrastructure is made of who shouldn't know is that it enables them to focus on vulnerabilities for just that one device. caveat: I actually have a $10 mp3 player.
The actual cost of performing the service was likely redacted, not as a matter of national security, but because the pricing is contractually considered proprietary information .
Most companies include this as a standard clause in their master service agreements so that Joe's Barber shop isn't upset that Big Government Office is getting a different (presumably better) price for exactly the same service.
Now get off my lawn!
The reason to hide the cost per switch is to keep the negotiations invisible from other providers. Sure, you can report $2.9 million to Verizon, but AT&T doesn't know how many switches that was or the cost per switch. Maybe they worked out a cheaper deal with AT&T for, say, $2,000 per switch instead of $2,500. If AT&T knew what Verizon was getting paid, they'd hold out for more themselves. While it may seem silly to hide the details, doing so probably saves a little cash in the long run.
Of course, now, if they ever need to do more switches, I am betting every vendor will be holding out for the highest publicized price (or their own private price, if it's higher still). So, yeah, sometimes disseminating what you think is non-critical information will in fact cost us more in the long run. Revealing it may not make "the bad guys win" but it can definitely make the taxpayer lose.
Just my unredacted $0.02.
WWJD?
JWRTFM!