Russian Spy Ring Needed Some Serious IT Help

coondoggie writes "The Russian ring charged this week with spying on the United States faced some of the common security problems that plague many companies — misconfigured wireless networks, users writing passwords on slips of paper, and laptop help desk issues that take months to resolve."

Well this just proves

[al0ha]

the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

Re:Well this just proves

[flajann]

the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

Took the words right out of my mouth. You'll never know if you have a real competent spy around. Those Russians are very shrewd when it comes to this. Many years ago a US statesman was given a "gift" -- a wood carving supposedly made by children -- when he went to Russia. When he got back, he hung it up in the very conference room, he hung the thing up on the wall.

Over time, they noticed that discussions were slipping out of the room to the Russians, so they had the room checked for bugs. They could find nothing. And yet secrets still kept slipping.

They eventually checked the "gift" -- turned out it had a passive resonant circuit attached to a capacitor that had a diaphragm modulated by sound. How it was activated? Externally by a radio source at 300 MHz. It was quite ingenious, because there were no electronics as such-- just a tube with the diaphragm attached at the end.

The US guys couldn't figure it out, so they consulted British scientists!!! Can you believe that? Man, how stupid the US gov can be sometimes.

Use passphrases

[hkz]

Passwords are the wrong solution. Trying to make people remember a short string with high entropy is hard, so people write them down. The other way around is much better - long passphrases with less of the tedious entropy. Quotations, lyrics, names, whatever. They're much easier to remember and much harder to brute-force. Sprinkle in some punctuation and you're golden.

Re:Use passphrases

[vonFinkelstien]

I used to use lines form James Joyce's Finnegans Wake. All I had to do was to remember the page # and I could find the quotation.

Re:Slower than a onetime pad

[MichaelSmith]

Makes me think that Russia had already abandoned these people. They knew the FBI were on to them and cut down on support to limit damage to other parts of their network.

Re:I find this entire story to be a load of shit

[schwaang]

Unlike typical spies with foreign diplomatic cover, these alleged "illegals" cannot just be summarily expelled back to their home countries. Any act against them requires due process, the first step of which is pressing charges.

The lack of diplomatic cover also means they are not protected from any charges that may stick. Spying without diplomatic cover is a very risky game. It makes this case all the more interesting.

The key question: did they run Linux?

[porky_pig_jr]

And if so, is that good or bad?

If spies can't even get it right

I have little to no hope that the corporate world ever will.

I'm an IT director at a mid-sized company in the US. I've worked hard to educate top executives on security issues, and to encourage them (it's hard to force a CEO or CFO to do anything) to use best practices. I've experienced a lot of resistance.

Most companies think of IT, and security in particular, as an afterthought, if at all. Our CEO, who is responsible for active contracts that are worth tens of millions of dollars, and who has very sensitive financial data and intellectual property on his laptop, balked when I told him I did not want to know his password. He'd ask me to fix a problem with his machine, and be bothered by the fact that I would ask him to type in his password himself when I needed it. Eventually I gave in and started typing it in myself. Apparently it's an open secret from middle-management up. He uses the same password for everything, and all of the privileged managers know what it is. What if one of us quits or is fired? I imagine he uses the same password for his online banking as well. It's a big risk. He travels internationally on a regular basis. Having 20 people that know the password to all of your accounts. . . well, that scares the shit out of me, but it doesn't seem to bother him.

And I get the sense that most people, whether they work in espionage or in the private sector, see security as more of an annoyance than anything else. That is, until a breach happens. When that happens, the IT department is blamed.

In those situations, "I told you so," is not an acceptable response. When bad things happen, heads roll. I'm afraid that despite my most strenuous efforts to encourage best practices for top executives, my head will one day be on the chopping block for one of their mistakes.

Sorry to post anonymously (it's the first time I have!), but other folks in my department read ./ and I can't really expose my name / UID in this particular case.

Re: writing passwords on slips of paper

[OnePumpChump]

Unless it's a randomly generated password, omit some letters. You shouldn't need the whole password to remind yourself what it was.

Re:they're not spies, they're defectors

[Jah-Wren+Ryel]

then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

I thought that was pretty obvious.
The very first article I read about the bust contained this suppossedly intercepted message:

"You were sent to USA for long-term service trip. Your education, your bank accounts, car, house, etc - all these serve one goal: fulfill your main mission, ie to search and develop ties in policymaking circles in US and send intels (intelligence reports) to C (Centre)," an intercepted message said according to the indictment.

It sounds like the kind of exposition you'd hear in a hollywood movie when the writer wants to explain background to the audience, not the kind of thing a real spy handler would ever write -- unless he was super pissed that his spies had just taken his free money and run off with it.