When Your Backhoe Cuts "Black" Fiber
bernieS writes "The Washington Post describes what happens when a construction backhoe accidentally cuts buried fiber so secret that it doesn't appear on public maps — and what happens when the Men in Black SUVs appear out of nowhere. Apparently, the numerous secret fiber and utility lines used by government intelligence agencies are being dug up with increasing frequency with all the increased construction projects in the DC area. It's amazing how quickly they get repaired!"
There are reasons why it's important that public records are kept.
If they wanted to keep people from knowing where or what exactly it was, they could simply have marked it as something it wasn't, and beyond that, they could encrypt what goes on that fiber.
They aren't without options; and ultimately they're currently fighting the system, and putting our tax dollars to work in ways that could be prevented.
It's understandable that they want to keep secrets secret, but isn't covering it up going to draw more attention than fudging the paperwork?
There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/
And who do you make the check out to when you do cut it? Or would a 'Hey, how the hell can we know when we cut a top secret fiber? How we supposed to know it's there if it's top secret and we don't have clearance???' defense work in court when the other guy's lawyers come at you for damages?
Understanding the scope of the problem is the first step on the path to true panic.
Having seen lines run in pressurized pipes (pressure drop... alarms) and break location by reflection, it doesn't shock me at all to see this; being spooks, you would think they would use easements or dig deeper than usual to secure such things, but like most work I bet it was contracted out to the cheapest labor they could trust.
I will say, though, not listing the location suggests much; if they are afraid that someone could tap into fiber without detection, it most likely means they are already doing so. Sometimes the thing you fear the most reveals much about your current state.
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
At&t
Up the taxpayer's ass, naturally.
Life is not for the lazy.
If that is really what the line was for, then nobody would have told you that's what it was for.
With all this, wouldn't Washington have some sort of department that all construction plans have to be submitted to, and the lone guy with security clearance compares the construction zones with secret lines/locations? I would think this would save a lot of time and hassle and, considering how the government likes to create useless jobs, am surprised that it doesn't seem to exist (but not surprised if it does exist and they just don't do their job right).
Pretty crazy. Makes me happy I don't live near there.
Why? Because you'd somehow be inconvenienced when the NSA's fiber optic cable gets accidentally severed?
Jeez... if you're going to try for a first post without being a troll, at least have something intelligent to say.
If I were trying to keep a cable secret, I'd make sure the real cable was clearly recorded on the maps as something totally innocuous and not connected to anything secret at all. If it got cut, it'd get repaired per normal procedure for the kind of cable it's marked as (and I'll have sufficient backups that I don't need to make the repair an attention-grabbing rush job). Then I'd lay a few completely unused but highly suspicious-looking decoy cables, making sure they occasionally got cut and that there was a suitably public trying-to-look-not-public scramble to repair them. That way anybody trying to find my cables was likely to glom onto the ones I was trying to keep hidden, and probably wouldn't even bother looking at "backup equipment monitoring line, sewage pumping station 37, Department of Public Works".
Fiber optic bundles have a copper core so they can be found by magnetic detectors (and the "blue stake people") to avoid being hit by a backhoe strike. It's more unlikely that the contractor failed to check for the cable than that the Federal Government has special backhoe-attracting cable.
Then again, if they were trying to keep it secret, odds are they would have laid fiber without the copper core so it couldn't be found by magnetic detectors.
... This doesn't sound like it really happened. Within moments someone came. Yeah, right. There is NO way to have turn-around that fast and still stay inconspicuous. They would have to be a local and very conspicuous outfit, which defeats the purpose of having a black-ops in the first place. All that notwithstanding, an incident usually has to go up a chain, with human links connecting the automated ones, and there's no way in hell most outfits, let alone the government, can get humans orchestrated that efficiently. This is all mostly or entirely lies, I'm pretty sure.
Your comment is a contradiction. On one hand, you say by not acknowledging the cable's existence, the cable is insecure. The better solution is to acknowledge the cable (that apparently no one knows about) because then no one will know about it because its existence as a 'secret' cable will be.....wait for it.....obscured by the fact that there are other cables! Ta da! You've invented a new form of 'security' by 'obscuring' the cable's existence. Bully for you.
"Security through obscurity" is a catchphrase that somehow implies that obscurity is on its face an invalid tool. It's not. It never will be. Ever. If it wasn't, infantrymen would be running around in fashionable day-glo orange jumpsuits with pretty pastel helmets. "Security through obscurity" is *only* a bad thing when it's the only means used to secure something. When used in conjunction with other methods and tools, it's a great benefit.
Example: Set up a public facing SSH server on port 22. Watch what happens to your log files after about 24 hours. They'll start filling up with break-in attempts. Now move the server up to a non-registered port. 99.9% of those break-in attempts disappear. Why? The bots don't see an active server, so they move on. Can the service still be found? Yes. Can the bots start hammering away on the new port? Yes. But, by obscuring the port that SSH listens on, have I made the machine dramatically more secure? Maybe not dramatically, but it's slightly more secure. I still need to enforce password policy. I should still install a tool like Denyhosts. But I've taken a huge step to cut down the chances that some bot will get lucky and crack a login/password in a drive-by attack.
I'm going to go out on a limb and say that the links getting cut have some level of redundancy. Somewhere in the planning stages, this kind of event has to have come up, and I'll put money on there being a contingency in effect.
There are some people that if they don't know, you can't tell 'em.
All security measures rely on obscurity to ensure that security.
You don't believe me? Give me all your private encryption keys and see how long your cryptographic solution resists attack.
Don't want to? That defeats the point? Bingo, that's obscurity right there.
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
I have to say, reading the original article, I was reminded about the story about the fully-mobilized North Korean army sitting in trucks with the engines running, ready to invade South Korea at a moment's notice. Good scare story, completely false. If a line gets cut, and it is for anything important, you have a redundant route, so no crisis. You then send a normal maintenance crew out to take care of the one that got cut. If it isn't important, no crisis, so you send out a normal looking maintenance crew. You don't send out a crew of guys in an SUV to blow cover.
You've created a defense that would defeat an unsophisticated attacker.
You can stop right there. I've created *a* defense. Obscurity is a *level* of defense, that's all it is. No, it's not going to hide the machine from someone who's adding -p 1-65535 to the end of their nmap scans. It's not going to magically protect me from someone trying to crack my particular server if I haven't patched a known exploit. It will protect me from the most basic attack, worms, that are looking for basic configs. How many SQL worms are out there banging away on port 1414? If I'm running a vulnerable server on port 1415, is that machine going to get infected by one of those ancient worms? No. Is it still vulnerable to a dedicated attacker? Yes. But I've got a massive subset of attacks that I've mitigated with a very simple config change.
It bears repeating: The problem comes from making obscurity your only defense. Obscurity should always be a part of your defense.
We do not design security to defeat unsophisticated attacks.
Then why do you lock your server room doors? Or encrypt hard drives? Or install a fire suppression system in the building? Don't kid yourself, it's the unsophisticated attack that you need to worry about first and fucking foremost.
So, yes, 5 locks are more secure than 4 locks. Anyone who can break 4 will break 5, so it's not significant. Similarly hiding the port number is more secure than not hiding the port number. However, it doesn't change a one-hour break into more than a one hour one minute break.
Obscurity isn't about 5 locks instead of 4. Obscurity is the first lock. If obscurity doesn't work, why do we change passwords? All we're doing is 'obscuring' the password.
I can cat back through years of auth.logs and not see one. single. solitary. unauthorized login attempt on one of my boxes. Not one. Why? The SSH server sits on an unregistered port. Do I trust bragging about that statement enough to post the IP and port number here? Fuck no. But by obscuring the number, that machine is, at the very least, not a target of opportunity. That has to count for something in anybody's book. In several years, people haven't even *tried* to break in. But every day, there are attempts to open cmd.exe in the apache logs.
Obscurity is not a panacea, it's a step. It's a step in the overall security process that has gotten diminished by people spouting off a catchphrase.
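The log-watching described in the port-22 example and in the "cat back through years of auth.logs" comment above, as an added example that is not from the thread: a small Python script that tallies sshd "Failed password" lines per source address and picks out the drive-by pattern a DenyHosts-style blocker reacts to (many failures, several usernames, never a successful login). The log lines, addresses and the threshold of 3 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the thread): one address running
# a username-guessing bot, and one legitimate user who mistyped a password
# once before logging in with a key.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 host sshd[4011]: Invalid user admin from 203.0.113.7 port 51002
Mar  3 02:14:01 host sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 02:14:03 host sshd[4013]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar  3 02:14:05 host sshd[4015]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  3 02:14:07 host sshd[4017]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  3 02:14:09 host sshd[4019]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar  3 07:30:12 host sshd[4102]: Failed password for alice from 198.51.100.23 port 40100 ssh2
Mar  3 07:30:20 host sshd[4102]: Accepted publickey for alice from 198.51.100.23 port 40100 ssh2: ED25519 SHA256:EXAMPLE
"""

# sshd writes "invalid user" into the message when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def summarize_auth_log(text):
    """Per source address: failure count, distinct usernames tried, and the
    number of successful logins from that address."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": 0})
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry["failures"] += 1
            entry["users"].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[m.group("ip")]["accepted"] += 1
    return dict(stats)


def drive_by_sources(stats, threshold=3):
    """Addresses that look like scanning bots rather than a user fumbling a
    password: at least `threshold` failures, two or more usernames, and no
    successful login. The threshold is a policy choice, not a fixed rule."""
    return sorted(
        ip for ip, s in stats.items()
        if s["failures"] >= threshold and len(s["users"]) >= 2 and s["accepted"] == 0
    )
```

Running `drive_by_sources(summarize_auth_log(SAMPLE_AUTH_LOG))` on the constructed log flags only 203.0.113.7; alice's single typo from 198.51.100.23 is not treated as an attack.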
The guys in the SUV aren't there to fix the line. They're there to make sure you accidentally broke the line. As in you're not deliberately cutting their communications, or made a huge mistake while installing a tap.
As such, they need to arrive quickly and start asking questions quickly.
How is it not obscurity? All security relies on hiding something. It doesn't have to be the object to be secured; it can be a key to the object that you are attempting to secure, but the security is reliant on the object you are trying to hide not being discovered.
Provides a handy counter-example to anyone who wants to point to government as inherently inefficient. Clearly it can be efficient when it wants to be.
Reality has a liberal bias
Well, as you can surmise by this obvious urban legend, it did not actually happen. (Ft).
Kriston
Sometimes keeping people employed on large projects is a good enough reason for a government job, stimulating the economy and trying to keep unemployment numbers down.