Data Breach Exposes RAF Staff To Blackmail
Yehuda writes "Wired reports, 'Yet another breach of sensitive, unencrypted data is making news in the United Kingdom. This time the breach puts Royal Air Force staff at serious risk of being targeted for blackmail by foreign intelligence services or others.
The breach involves audio recordings with high-ranking air force officers who were being interviewed in-depth for a security clearance. In the interviews, the officers disclosed information about extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories — information the military needed to determine their security risk.
The recordings were stored on three unencrypted hard drives that disappeared last year.'"
All the money that their government has goes to buying moats and other fun things for the MPs.
"I have never let my schooling interfere with my education." --Mark Twain
If I didn't know that, alas, such mind boggling stupidity was all too possible, I might think that "losing" these had to be some kind of set-up, and the recordings fake.
-- Alastair
why didn't they just encrypt the disks? If it's supposed to be sensitive information, store it securely!
Note: I was 13 when I wrote most of this. Take with several grains of salt.
...doesn't this kind of mute the blackmail angle for the RAF security?
Slashdot is missing a "like" button ..
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
"Ummm..."
These are the same idiots who are putting surveillance cameras everywhere, fingerprinting and taking DNA samples from musicians who are simply visiting the UK to play in a few clubs (then denying them entrance because the clubs hadn't paid a fee and agreed to report on them), and generally acting like fascists.
They're great at grabbing reams of private information they would have no right to if Britain were still a free society. Protecting it from unauthorized access? Not so much.
Goddamn wankers!
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Probably the reason they want to know about hos and dope is to assess their vulnerability to blackmail in the first place.
the officers disclosed information about extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories -- information the military needed to determine their security risk
If yes to any of the above do you want these as officers? Even the extra-marital affairs in most circumstances provide proof that the person is capable of disloyalty.
The real problem is if they have done any of this and don't admit to it, they're disloyal, liars that shouldn't be given clearance. If they do admit it, they're too stupid to be in a position of authority. The only time you want to ask these questions is if you know the answer in advance and the answer is "squeaky clean".
These posts express my own personal views, not those of my employer
So they won't notice the drugs and hookers passing through the Lords. Which I'm sure is of much higher quality. And a far bigger turn on to read about. Oooooo, the excitement already has me "standing for the Queen".
All my moves are coldly calculated
It seems to me that many organisations would consider payroll, health and other HR info as private and hence restrict access to it on the network, but they wouldn't consider encrypting it with a password - well at least nowhere where I have worked. ...
And perhaps military institutions consider attack plans, weapons secrets and such as worthy of protection but not an "interview" that we did "ourselves", "inhouse".
We are learning more and more that this is a connected world - yes even your fridge will have an IP address and be on the net one day mark my words and EVERYTHING will need to be encrypted. Encryption grammar and other security verbiage will be second hand speak for moms and kids
"have you packed your lunch"
"Yes mom"
"And MD5 SSL'd your homework via the Kerberos LDAP certificate server? You know what happened last time when Mr Jones found your SSH key unencoded on the SELinux partition - I don't want to go through that again"
"Arghh yes mom I have been over this 1000 times with you let it go - my friends and I were scanning photons of the prom dance when James accidentally Bluetoothed a letter from his brother in the army to Amy's communication jewellery which had a compatible 3DES encryption algorithm - now will you let it go!? Shees!"
"I'm just saying is all - I have to go and buy some groceries and when I scan my embedded subcutaneous barcode it better not say that I have been SQL Injected because of a bad CRC checksum - I won't be embarrassed like I was the last time"
http://projectleader.wordpress.com
(n/t)
Someone wanna explain to me how drug-using hooker-banging ex-cons are OFFICERS IN THE ROYAL AIR FORCE?
"extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories " - sounds like a viral marketing campaign for the RAF if you ask me - who knew that they had so much fun! I suppose the word 'raffish' had to come from somewhere.
Good to see the Brits have as bad a security as we do.
Annual reports from Whitehall departments show that the government has lost all data it ever held on anyone.
Losses have occurred through couriered unencrypted disks, misplaced memory sticks, lost laptops, briefcases left on trains and files falling down the side of the tea machine. "The real scandal is that a train was running for them to lose a case on," said a source whose name has been lost.
Treasury minister Jane Kennedy said the HM Revenue and Customs breaches did not necessarily result in data losses, or at least any that they have records of. HMRC said it takes data losses and security breaches "very seriously" and thoroughly investigates any breach that it does not lose track of.
Information Commissioner Richard Thomas has served enforcement notices on various departments for their data losses, but the departments in question could not find their office addresses to accept the notices. They noted, however, that Mr Thomas' call was very important to them, and that he had been placed in a queue.
Home Secretary Jacqui Smith reassured citizens that plans for an all-encompassing ID card linked to biometric passports and a universal medical record with the NHS would not change because of these losses. "We won't even be thinking about them."
http://rocknerd.co.uk
Has anyone important in the UK not been exposed in the tabloids?
How did we go from "three unencrypted hard drives that disappeared" to it being a "data breach"?
Yes, they should have been encrypted and yes, they should not have disappeared. For all we know some idiot stole them, reformatted them and now holds their pr0n collection at home. Or the wrong ones were picked up for destruction and they have actually been securely destroyed.
Really, the media and everyone here is getting their panties all in a twist and coming up with fantastical hypothetical situations when the most likely scenario is nothing bad will come from this as it rarely does.
This was in BBC news at the beginning of the week! Come on, Slashdot!
I guess the British government is now following the principle of "information wants to be free". :P
> Someone wanna explain to me how drug-using hooker-banging ex-cons are OFFICERS IN THE ROYAL AIR FORCE?
Well, they can't all go into politics.
"They're great at grabbing reams of private information they would have no right to if Britain were still a free society."
When were we ever a free society? When has any country been "free"? I suppose there's a philosophical discussion to be had here but I get the sense that
Interested to hear when you think the UK was a 'free' society. It would have to probably be after 1928 - universal suffrage, before then women under 28 couldn't vote so they weren't very free. Couldn't be 1939 - 1952 as we had identity cards then. Interested to hear your definition of 'free'.
cheers.
You want to read some history books (and sometimes even the newspapers) about what our nobility and occasionally royalty have got up to over the years.
All Royal Air Force staff involved can thus forget about any clearance at all since they can be blackmailed.
I guess the military should compensate said personnel for loss of career possibilities and of course improve their data protection/storage/etc policies.
ah, the good old "tell us everything that would be useful for blackmailing you and we'll write it all down" method that RAF use for doing security-clearance... just trust us with all your embarrassing secrets - what could possibly go wrong?
.
Keep it in your head. There is no such thing as absolute security, therefore there is no such thing as security. If you don't want to share something, don't share it with anybody.
.
blog me no blogs
So losing sensitive data "last year" is only being reported now as a problem!?
I hope that between losing the material and reporting it (several months later), some action has already been taken to minimise the potential for blackmail. ...or were they waiting a certain length of time to see if it turned up somewhere or was posted back to them before panicking.
(I would say that I hope action has already been taken to prevent this from happening again, but I'm not that naive)
I worked for a while in this area. If you want to get rid of a failing, and very expensive, defence project, the best way to do it is to have an 'accidental' security stuff up. That way you can ditch the failed program under the guise of 'national security' rather than incompetence, mismanagement, and the various other real reasons for project failures. This also means the project managers usually get off from being completely incompetent. Rather than have a failed project, they have a security breach, which is often investigated and forgotten about with a slap on the back and a guffaw (especially if the member is a part of the boys club).
It wouldn't surprise me if the stuff up was part of some Machiavellian back room defence politics. The old canard that civilians (especially on /.) state about choosing incompetence over conspiracy can be thrown out the window when it comes to national security and defence. Many of these individuals realize they have a system that can be exploited for their own personal gain if needed.
3 basic problems with in depth vetting:
1 - someone else gets to know your secrets. Yes, it's to establish which they have to watch to make sure you're not blackmailed, but there's in principle nothing to stop the abuse of that internally. I would have said "ethics" earlier, but you can call me either a realist or a cynic now..
2 - deficient security. As long as a whole government can get away with frankly shameful failures of confidentiality (unsurprising as it is for a setup that depends on spin and leaks to test and influence public opinion) there is nil incentive to do it right. Or, put another way, "good enough" isn't.
3 - you end on a neat, handy short list of people who may know interesting stuff. Translated: the issue (2) above results in you and your family having a target painted on your back, either as someone worth torturing for info or for killing in grotesquely painful ways.
However, be aware that those who ask very much think it's an honor to offer it (to be fair, it's quite a vote of trust), so expect them to be SERIOUSLY pissed off with you for saying "no", but the basic question is not if they trust *you*.
With "them" being an ever changing variable, the question is if you can trust *them*.
This has nothing to do with the Regulation of Investigatory Powers Act. If some ne'er-do-well has stolen the hard drive, RIPA is not going to entitle them to the key to decrypt it, nor does it make encrypting it in the first place illegal! CESG ( http://www.cesg.gov.uk/ ) assesses a wide variety of cryptographic products as to their suitability for handling protectively marked information, and some of these are restricted to HMG use only!
The paper forms for Developed Vetting themselves are marked "RESTRICTED STAFF (when completed)". See http://www.cabinetoffice.gov.uk/spf/faqs.aspx for information about protectively marked assets, and the DV forms themselves at http://www.hmgcc.gov.uk/clearance.aspx.
Please, if they have an ounce of backbone, they will tell them....
"so what....what's new with this, look at our prince William, hell, if you haven't rung him out to dry, why start now?"
The government efficiently collects all the data possible, assembles it together, and leaves it sitting around where outsiders can steal it. It sure reduces the workload for the criminals!! Hey, crooks have rights too!!
Seriously - every one of these big brother data collection efforts is a sign that the politicos have their heads up their arses. It doesn't do the good guys any good, and it does the criminals no harm.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
The real question is, do any of these recordings detail the rampant cannibalism that continues to plague the RAF?
Yours etc.
Captain B.J. Smethwick in a white wine sauce with shallots, mushrooms and garlic.
There are some people that if they don't know, you can't tell 'em.
the officers disclosed information about extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories
First: So the RAF works just like Scientology?
Second: Hey! If Scientology can keep all *their* blackmail info secure, why can't the RAF?
Third: Maybe the RAF should hire Scientologists to secure their data
Fourth: Kate Beckinsale in Underworld.
Fifth: REDACTED CLASSIFIED
The 1990s - well, as long as you didn't mind that the Criminal Justice Act (1994) came into being. This made it legal for the police powers to stop and search, without any reason, any vehicle or person, and keep DNA from anybody arrested. No right to public demonstrations any more. No right to public gatherings above ten people if the police suspect they are going to go to a party. No right for more than two people to gather together if the police suspect they might organise a party.
Don't forget the Community Charge aka the Poll Tax either.
You see it went like this:
They've got this vital data to back up, they want to do it right so they search the Internet for solutions. They come across this guy, Linus Torvalds, sounds like a stand up old chap. They follow his advice, but they don't know what an FTP server is; it's got "serve" in it so they logically assume it's a pub. They then proceed to mirror the data to every pub available and consider themselves "Real Men". Problem solved!
the information you provide to a government to convince it that you are sufficiently trustworthy to handle *their* secrets is not one of their official secrets (i.e. it's "unclassified") and they won't let you assign a security classification to *your* secrets.
Doing it in the UK and doing it outside the UK are completely different things.
I've been interviewed for clearance. If the government knows your secrets, there's a belief that you are less likely to be blackmailed. There is some logic to that. I know that the government knows things about me that my wife and family do not know. It would be embarrassing if they found out. The level of protection I'd pay to prevent them from finding out ... well, that's the question, right?
I prefer extortion. The X makes it sound cool. -Bender
Since they didn't protect that information, shouldn't they have to pay off the blackmailers?
No one has talked about the purpose of these interviews.
It's unlikely any of the disclosed information could be usable for blackmail in any way.
The purpose of a government agency obtaining all possible blackmail information about you is to prevent you from being blackmailed with the information under threat of disclosure of said information to your employer (the government agency). The safest answer (for the agency) to such an external threat is the target of the blackmail being able to say "they already know".
Most likely, the information disclosed will not in fact be usable for blackmail, as the article suggests, if the information was considered to have been mitigated sufficiently for the clearance to have been granted. If the information was not mitigated, then there would not have been a clearance issued; in that case, it might be a problem for the officer in question, but it won't impact their ability to do the job for which they were cleared to do.
For example, if an officer engaged in an extramarital affair, but had disclosed that information to his wife, then the information could not be used as blackmail fodder in an attempt to coerce the officer to not perform their assigned duty. If the information was not disclosed to his wife, then the officer would probably have been denied a clearance, and could face restrictions on their military duty, up to and including discharge from the military, to prevent that information being used to cause the officer to act as the attacker/enemy wanted during a conflict situation.
It might be a problem unrelated to any national security concerns for the officer who disclosed unmitigated information, but it's actually unlikely that the information would not be disclosed unless it was a priori mitigated (unless the officer was "plain stupid").
The US criteria for denial and mitigation for reasons of denial is:
http://www.smdc.army.mil/adr/adjguid/adjguidF.htm
and I can't believe that the RAF criteria would be very different.
-- Terry
"It does if you use NTFS file encryption in Win2k, XP, Vista, 7."
Is that on by default? Or does turning it on require competence?
-- Terry
Why? This kind of blackmail-worthy information is just begging to be leaked, lost, abused, stolen, accessed or subject to salacious gossip. Given the eventual likelihood that this kind of recording could be leaked or lost, and the potential damage to the personal lives of individuals admitting to their transgressions IN THEIR OWN VOICE on a tape, what idiot thought it should be stored?
`Because we could' is no excuse. If data doesn't exist, it can't be stolen, lost, leaked, or used for blackmail. Now the RAF has to deal with the potential of blackmail, and the loss of trust. Who is going to be as open about their secrets, secrets that the RAF needs to know in order to maintain their security, when each interviewee knows that a full voice recording could be kept, and might be played on the six PM news. And the golden turd is awarded for trying to cover it up, even from their own superiors.
The only information that cannot be lost is that which has been destroyed.