Slashdot Mirror
Obama Helicopter Security Breached By File Sharing
Hugh Pickens writes "A company that monitors peer-to-peer file-sharing networks has discovered a potentially serious security breach involving President Barack Obama's helicopter. 'We found a file containing entire blueprints and avionics package for Marine One, which is the president's helicopter,' says Bob Boback, CEO of Tiversa, a security company that specializes in peer-to-peer technology. Tiversa was able to track the file, discovered at an IP address in Tehran, Iran, back to its original source. 'What appears to be a defense contractor in Bethesda, Md., had a file-sharing program on one of their systems that also contained highly sensitive blueprints for Marine One,' says Boback, adding that someone from the company most likely downloaded a file-sharing program, typically used to exchange music, without realizing the potential problems. 'I'm sure that person is embarrassed and may even lose their job, but we know where it came from and we know where it went.' Iran is not the only country that appears to be accessing this type of information through file-sharing programs. 'We've noticed it out of Pakistan, Yemen, Qatar and China. They are actively searching for information that is disclosed in this fashion because it is a great source of intelligence.'"
Gee. That's a nice balanced summary, ahead of the histrionic response of "OMG file sharers are breaching national security!"
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Mit der Dummheit kaempfen Goetter selbst vergebens
Wohl so, aber warum denn haben die Goetter die Dummheit gemacht?
It is a serious question why God made stupidity if he himself has to contend with it.
Those are my principles, and if you don't like them... well, I have others.
I'm pretty sure that stupid/careless employees can leak sensitive information through P2P on any OS. I'm not aware that any of the OSX/nix installs search any less widely for shared folders than the Windows versions.
Stupidity is definitely OS-independent.
A lot of these P2P apps share your entire home or your entire computer by default when you first install them, it's up to you to go in and shut that stuff off, or at least define a specific folder to share from rather than the default.
Tagging this with "windows" isn't fair - it can affect any other system equally, this isn't a software problem, it's a user or developer issue. For example, I've worked on numerous macs with Limewire installed on them that are sharing all the user's music automatically by default.
I work for the Department of Redundancy Department.
Wow. BitTorrent is really freaking the control freaks out isn't it? I guess the Pirate Bay trial must be going worse than they thought....
Send your spendthrift head of state this
Should be *banned* for security areas. If you need 'outside' for a valid reason you provide a dedicated machine for that purpose.
Its pretty simple. That company should be fired, not just the fool that caused the leak.
And i don't care what OS it runs, anything less then the above is plain reckless.
---- Booth was a patriot ----
... and this is why you have draconian policies in many companies about installing ANY unapproved software. I've seen people complain about "just let me do my job" and install anything they want, but the fact of the matter is that it only takes one dumb-ass like this to wreak major havoc.
Sometimes it's best to just let stupid people be stupid.
Uh, data like this shouldn't even be on a computer with a physical link to the internet at all. Classified data should stay on classified networks. Period.
I know a guy at a defense contractor. They isolate their networks containing classified data. If they need to remove a file from the room they reimage a desktop with a known safe image, copy the file onto that PC from a CD burned from a classified PC. They then scrub the files with software that does stuff like wipe unallocated space, check for word versions, PDF comments, etc. Then that desktop is used to burn a new CD with just the intended files. Then they securely wipe the desktop. That one CD that was created in this fashion is then allowed to leave the room. Note that this is the gist of how it works - some details may be less than accurate (obviously I'm not privy to the exact procedures, but this is the general level of rigor involved).
Even if somebody installed Kazaa or its like on one of the computers in that room it wouldn't be able to leak data - there are no network connections that are attached to the internet. If somebody needs to check email or browse the web they leave the room (carrying nothing with them) and go to another desk in a regular office area, which has a fairly secure network but something more akin to what you'd find in any decently secured corporate network. Of course, installing kazaa in the first place would be difficult since you're not supposed to carry anything into or out of the classified areas - I don't know if they get searched at the door but you would certainly be fired and potentially prosecuted if you were caught doing it intentionally.
Important datacenters like those found in stock exchanges / etc are similar. The datacenter is secured, network access is very carefully controlled, and to do anything important you need to have physical access to a room with cameras pointed everywhere and every task involves two people at the keyboard at all times.
There is no excuse for these kinds of breaches. Strong security isn't actually hard. It is certainly expensive, and it is certainly inconvenient. However, it really isn't hard - you just need to be methodical.
employee?? The company should be toast.
---- Booth was a patriot ----
If I worked for US counterintelligence you can bet I would develop and plant fake leaks that sound just like this sort of thing. Then again, I may be giving too much credit. Occam's Razor prevails.
No chance.
There's an administration in place that understands that sacrificing our values to fight an enemy without values is self-contradictory.
Also I've discovered that quite often, the reason people want the ability to install software is precisely because they want shit they know they shouldn't have at work.
I work for a university, so there isn't a hard and fast rule on admin for users. We'd like that nobody has it, because there's less problems, but due to various reasons including academic freedom and research groups owning their own systems, we have to allow it when professors request it.
Now you might assume that the reason a grad student would want admin access is just to make their work easier. They can install software when needed, without asking IT. In some cases, that is it, though there is still software you have to ask us to install since it is centrally licensed. In other cases, there are software/hardware combos for particular research that just won't run without admin. So we certainly get some legit requests.
However there are more than a few grad students that get admin, and then set about installing shit they shouldn't. Normally we find out fairly quick because some of it tends to be infected with viruses. The whole reason they want admin is not because it'll make their research easier, but because they want to install P2P apps, Skype, and so on to screw around.
I'm willing to bet the same holds true at companies. I'm sure some people need software that IT doesn't install by default to make their job easier. However I'm sure other people want to install stuff that isn't work related, and that's why they don't ask the IT department to do it and instead insist on getting admin access. While some people might say "So what? People goof off at work, why not let them?" this shows the reason. The reason isn't that IT is worried about you goofing off, the reason is they are worried about security problems.
I'd like every program I run to be in a sandbox. For example, not having access to a single file without my permission.
It's pretty trivial to attempt this sort of thing with either Windows or any UNIXish OS. If you do, it shouldn't take long to figure out why it's completely impractical.
What sort of security depends on the secrecy of a helicopter's blueprints? Honestly.
Higher Logics: where programming meets science.
I am so tired of this sort of sensationalized reporting.
It's all part of an agenda, as I see it, about the "horrors of p2p technologies."
So let me get this straight, (at least, according to the headline).
"File Sharing" actually "breached" Obama's helicopter. How did file sharing accomplish such a feat?
Did file sharing hire some elite spies? Maybe some mossad agents?
What I think is that a company that manufactures products to snoop of file sharers has a great headline to
promote their business.
What the article REALLY amounts to, is that some defense contractor fucked up by not following security procedures.
if he had left them on a table at McDonalds the outcome could have been the same.
Hell....lose his/her job?
If they're lucky that will be all they lose. When you're doing DoD work for the Feds....you sign some pretty heavy forms about your responsibilities and the ramifications if you break them....accident or not.
If this asshole did this with what I would have to guess was secure information....putting these plans on a non-secure computer, that alone can get you some heavy legal problems, and possibly jail time.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Pretty much any kind of security. Keeping the blueprints secret means keeping the capabilities (range, speed, altitude) secret as well as keeping the nature of any active or passive defenses secret.
Now I know the Slashdot hivemind will respond with their usual rote mantra - "but security through obscurity is bad"... But on this, they are completely wrong. (Mostly because their notions of security consist of repeating what they've read by various talking heads.) Security through obscurity, as one layer of an overall security plan, is extremely valuable because the black hats cannot prepare in advance to meet a countermeasure which they are unaware of.
What's the problem?
*Industrial* hardware costs 10x what CheapoBrand desktops cost, why would military hardware cost the same as the next-lower-*category* of hardware?
Boeing 747s don't have to deal-with identifying oncoming aircraft within milliseconds, and launching strikes against 'em if they fail the FFI ( friend-foe-identifier ) challenge.
They don't have to be able to survive violently dodging attack.
They don't have to have 50 different kinds of communications so that NO MATTER WHAT information can get through, without being listened-in-on.
I don't understand how any geek, who knows the diff between server hardware & "consumer" grade hardware, could be shocked by the SAME difference in price being associated with the SAME increase in reliability/availability/servicability/capability.
No security measure is 100% reliable - not using a security tool because it isn't completely reliable is stupid.
well exactly. If a non-expert can bring down your helicopter using nothing more than information gleaned from a wiring-diagam of it, then you've got more serious issues to worry about.
Like for example, the blueprints of the base-model helicopter being public anyway (covering all the systems which keep it in the air, as opposed to the assorted crap installed as special-equipment that tends to have no effect on flyability other than being heavy and consuming power)
The problem you really seem to have is that somehow you believe you whole country comes to a stop when a president dies. They are just another elected official, they whole idea of commander in chief is crazy. The whole power base should be distributed with clear areas of responsibility and liability, less focus on the president and much more focus on all the other positions, positions which in reality should be by individuals who have been elected to a position of trust by the people.
The whole idea of random political appointments with only limited oversight is not really all that healthy and is readily abuses. At the very least all major positions within the administration should be filled by sitting members from the house of representatives, you are already paying them enough, why employ additional political hanger ons.
All decisions by the administration should be subject to to continual review by the supposedly 'representative' houses and in reality should reflect the views of many people rather than just one. You are no electing a King or Queen and in many countries the 'president' is just a figure head whose power is basically limited to ensuring that the rest of governments sticks to the legislated rules.
So lose a president should basically be just a 'whoops', replace them with another and the system keeps ticking along fine, where one person can have such a profound influence over everybody else's lives even for just eight years is really wrong and people will suffer for it, as the recent past has clearly demonstrated.
Chaos - everything, everywhere, everywhen