Russian Spy Ring Needed Some Serious IT Help

coondoggie writes "The Russian ring charged this week with spying on the United States faced some of the common security problems that plague many companies — misconfigured wireless networks, users writing passwords on slips of paper, and laptop help desk issues that take months to resolve."

Encryption

[Pharmboy]

They encrypted everything using ROT13, TWICE! How much better security can you get?

Re:Encryption

[MokuMokuRyoushi]

How much better security can you get?

There is a legend of triple layered ROT13...

Re:Encryption

[JWSmythe]

    Lets not forget about the ultimate, ROT52. 4 times the security at only 4 times the price. From what I understand, it's to be the new official government standard for encrypting classified documents. AES is just too hard to do with a pencil and paper.

Re:Encryption

[spazdor]

Three layers? And this obfuscates sufficiently?

How odd!

Re:Encryption

This joke is on the same level as the morons who say "that's no moon" every time there's something posted about an astronomical body.

Kill yourself, you unoriginal piece of garbage.

Re:Encryption

[Mephistro]

FYI, three lawyers can obfuscate anything!

Re:Encryption

[GaryOlson]

Everyone know 3 layers=3 sides= strongest simple structure.
This is STRONG encryption.

Re:Encryption

[rubi]

If you manage to replicate the thinking algorithm of only one lawyer, you've just created truly unbreakable one-way obfuscation. Not even the original lawyer understands after his own process.

Re:Encryption

[Captain+Splendid]

Jeeezus. You took an extremely stale joke and steered it straight into the wall. Come on, folks, this is 2010, we can do better than this!

Re:Encryption

[colinrichardday]

Except that Cyrillic has thirty-three letters, not twenty-six. Therefore, they did ROT11 three times.

Re:Encryption

[masshuu]

rot2010 ?
Hay, some of us have Unicode support, unlike slashdot

Re:Encryption

LOL! That took a second to think, wait what?!?

Re:Encryption

[ginbot462]

Spoiled sport. Take your facts somewhere they are wanted.

Re:Encryption

[treeves]

to further spoil it, I'll add that it's unlikely that an editor at the largest Spanish-language newspaper in NYC (or any others of the 11) was using Russian to communicate with the mother country. Might raise a few suspicions, no?

Re:Encryption

[colinrichardday]

Spanish has 28 letters (although k and w may be used in foreign words), so perhaps they used ROT 14 twice.

Writing passwords isn't necessarily bad

[dhavleak]

http://www.schneier.com/blog/archives/2005/06/write_down_your.html
http://news.cnet.com/Microsoft-security-guru-Jot-down-your-passwords/2100-7355_3-5716590.html

Of course, the rules are a bit different when you're a spy :)

Re:Writing passwords isn't necessarily bad

[blair1q]

The correct rule is to protect the password at the same level of security as the data you access with that password.

So, writing down a password on a post-it on your desk is not appropriate if you wouldn't do the same with the most sensitive item of data on your computer or network.

Similarly, if you have a sensitive network and a not-so-sensitive network, writing your sensitive-network password into a file stored on your not-so-sensitive network is a bad thing. This includes putting it in an encrypted file on that not-so-sensitive network.

Passwords

[birukun]

Nothing wrong with writing down your long complex passwords..... UNLESS YOU LEAVE IT LAYING AROUND

The complaint read like a spy novel.... A ready-made Bourne script!

Re:Passwords

[PinkyGigglebrain]

What?!?!

Bourne would never have been this stupid!

Everyone trying to catch him on the other hand ...

Re:Passwords

[timeOday]

They left it lying around... their home. The reason it was compromised was because (apparently) the FBI had a warrant to go in their home, meaning they were already under suspicion because of something else they had done.

Here is my point: if you do something that causes the FBI to monitor your every move and scour your home for clues for over 10 years, it is going to be very hard to keep many secrets, regardless of how you configure your WiFi or whether you try to memorize random 27 character passwords.

Re:Passwords

[zaphod777]

Encryption can work pretty well in at least this case http://www.businessinsider.com/brazilian-banker-has-invented-a-code-to-guard-his-files-that-is-impenetrable-to-the-police-2010-6 I guess it is a good thing the Spy's were not using Linux and HDD encryption.

Re:Passwords

[b0bby]

Encryption can work pretty well

But as timeOday pointed out - would it work as well if the FBI is monitoring you for 10 years? Think hidden cameras or even microphones which could record keystrokes, hardware keyloggers, etc. The encryption may be unbreakable, but the password can be retrieved by other means given enough time & resources.

Re:Passwords

Throw out a lot of false positives. The few times you do something actually secret, never repeat it. See if you can get allies to lay false trails. And if necessary, turn over the secret stuff to someone else and concentrate on acting in as suspicious a way as possible, preferably amongst large groups of civilians. Join flash crowds. LARP. Cosplay at every convention you can hit. Attend blue-collar music gigs. Join every local rally and protest. Go to nightclubs.

Talk to yourself in empty rooms. Dial the same switched-off phone number at the same time every day, listen for precisely seven seconds, then hang up. Buy a thousand books and order them all by author - then randomly swap locations between books with red covers _only_. Put folded sheets of paper inside the back cover of each red book, covered with paragraphs from spam messages which have had their individual characters randomly replaced with other characters but retain the word lengths and sentence structures. Hang out near the local Scientology bookshop wearing a long coat with a high collar. Collect local business cards, write tiny random strings of digits on the back, and at night slip them under the doors of other businesses in a not-quite pattern that you change every eight weeks. Tape a large letter "A" up in one of your windows. Whenever a world political change occurs, roll 1d6 to change it to another letter or symbol for 24 hours. Once a week, roll 1d100 to change it to a large italic "B" for an entire week.

Plant your garden so that the flowers make cryptic patterns during various seasons. Buy a good quality concealed wall safe and keep nothing in it except a plaster gnome with three intials (not yours) scratched on its back and a slip of paper with the word "REMEMBER" in ransom-note font. Buy a pair of bright red socks and wear them whenever the major stock market ticker of your choice changes by a number of points ending in 3. Put one key on your keyring which fits no known lock. Bury something large but innocuous in your yard, inside a sealed container.

Send random network packets to a string of dodgy websites every week in a pattern which _almost_ never changes. Make your wireless password "iKn0wY0u-r-W4tch1ng". Load the official website for Hello Kitty precisely 6 times one week and 5 times the next, in an alternating pattern.

Finally, do a Google search on "How to dick with the FBI". :)

Seems like they doing this on the cheap?

[Joe+The+Dragon]

Seems like they doing this on the cheap? acting dumb? stolen parts?

Well this just proves

[al0ha]

the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

Re:Well this just proves

they are russian so they are all white guys. if they hired enough niggers and spics and bitches they'd be so diverse that no one would investigate them because it wouldn't be PC.

Re:Well this just proves

[flajann]

the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

Took the words right out of my mouth. You'll never know if you have a real competent spy around. Those Russians are very shrewd when it comes to this. Many years ago a US statesman was given a "gift" -- a wood carving supposedly made by children -- when he went to Russia. When he got back, he hung it up in the very conference room, he hung the thing up on the wall.

Over time, they noticed that discussions were slipping out of the room to the Russians, so they had the room checked for bugs. They could find nothing. And yet secrets still kept slipping.

They eventually checked the "gift" -- turned out it had a passive resonant circuit attached to a capacitor that had a diaphragm modulated by sound. How it was activated? Externally by a radio source at 300 MHz. It was quite ingenious, because there were no electronics as such-- just a tube with the diaphragm attached at the end.

The US guys couldn't figure it out, so they consulted British scientists!!! Can you believe that? Man, how stupid the US gov can be sometimes.

Re:Well this just proves

Decoy for what? The "real" spies discovering the secrets of American suburbia and socialites? The whole story to me is just a big crack up. If this were a real decoy, it seems like they would be doing something at least apparently useful.

Re:Well this just proves

That seal is hanging at the NSA museum. If you go there, you can open it up and see the microphone. Pretty neat.

http://www.nsa.gov/about/cryptologic_heritage/museum/virtual_tour/museum_tour_text.shtml

look for "great seal"

Re:Well this just proves

[euxneks]

the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.

This sounds like the plot to Spies like Us

Re:Well this just proves

I'm sorry the mexican guy took your job. But he does it twice as fact as you for half the money. Why do you hate capitalism?

Re:Well this just proves

[MoellerPlesset2]

You'll never know if you have a real competent spy around.

I know! It's just the same with the half-dozen ninja assassins lurking in my apartment!

But they're there. I can feel it.

Re:Well this just proves

[sznupi]

To be fair, it might have been just as well made by children - at least when it comes to visible parts ;p

Also, the seal device was actually hung on a wall in Soviet Union, by the US ambassador there. The interesting part made by no other but...Theremin.

Re:Well this just proves

[shoehornjob]

The only question I ever thought was hard, is do I like Kirk or do I like Picard?

Picard of course. Earl Grey please.

Re:Well this just proves

[chill]

Robert McNamara, the Sec. of Defense for Kennedy and Johnson. SecDef during the Cuban Missile Crisis and much of the Vietnam War.

Re:Well this just proves

[Darth+Cider]

That listening device hidden in the great seal was invented by Leon Theremin, the same guy who invented the theremin musical instrument.

Re:Well this just proves

[nbauman]

This sounds like the plot to Spies like Us

Sounds like Sleepers. http://en.wikipedia.org/wiki/Sleepers_(TV_series)

Re:Well this just proves

[sootman]

> The US guys couldn't figure it out, so they consulted British scientists!

Truly dumb. I wouldn't have even needed scientists--I would have started with the question "So, have you gotten any gifts from any Russians recently?"

Re:Well this just proves

[gumbi+west]

Uh, "how stupid the US gov can be sometimes..." I'd not us that for this instance where hindsight is 20-20 whole figuring out on of the first passive resonators is really hard.

Now, the CIA figuring out that Russia was exiting Afghanistan 9 months after Russia held a press conference saying they were leaving Afghanistan, that's stupid. And, that's form a book written by a previous CIA director to trumpet their successes.

Re:Well this just proves

[gary_7vn]

Close but no cigar. The gift was to the US Embassy in Moscow. The inventor was Theremin of Beach Boys fame. "The Thing, also known as the Great Seal bug, was one of the first covert listening devices (or "bugs") to use 'passive' techniques to transmit an audio signal. It is considered a predecessor of current RFID technology, because it was likewise passive, being energized and activated by electromagnetic waves from an outside source." http://en.wikipedia.org/wiki/The_Great_Seal_bug For a second there it almost sounded like you knew what you were talking about.

Re:Well this just proves

[Mana+Mana]

> Took the words right out of my mouth. You'll never know if you have a real competent spy around

We can say with certainty, they don't make them like they used to. ?N'est pas?

Re:Well this just proves

[tehcyder]

You'll never know if you have a real competent spy around.

Yeah, they don't tend to fall for the "Simon says put your hand up if you're a spy" approach.

Re:Well this just proves

[bipedalhominid]

K, you can definitely respect Picard but Kirk you actually like. What's the big deal with all these passwords anyway. I just use the letter a for anything critical but my web site is always down. Ooohh, no you didn't. Let's see if that link is still out there on U-Tube. Oh yeah, it is. http://www.youtube.com/watch?v=W8_Kfjo3VjU Alternatively, you can make all users p/ws = letmein. Then make them change it everyday but allow old passwords to be reused. This way their daily login process becomes, CTRL+ALT+DEL, type in letmein. System makes you change your password but user knows they can reuse old ones. So, they type in the old p/w followed by their new one twice. letmein, letmein, letmein. HaHaHaa! How evil is that? Am I bad?

Re:Well this just proves

[flajann]

Cool! Thanks.

Re:Well this just proves

[flajann]

To be fair, it might have been just as well made by children - at least when it comes to visible parts ;p

Also, the seal device was actually hung on a wall in Soviet Union, by the US ambassador there. The interesting part made by no other but...Theremin.

Yes, I forgot about that (how could I?!!). Woooeeeoooowwww oowwwoowwoowww....

Re:Well this just proves

[flajann]

You'll never know if you have a real competent spy around.

I know! It's just the same with the half-dozen ninja assassins lurking in my apartment! But they're there. I can feel it.

I think that by the time you feel it, it's already too late. :-)

Re:Well this just proves

[flajann]

> The US guys couldn't figure it out, so they consulted British scientists!

Truly dumb. I wouldn't have even needed scientists--I would have started with the question "So, have you gotten any gifts from any Russians recently?"

Yeah, DUH!

Re:Well this just proves

[flajann]

Close but no cigar. The gift was to the US Embassy in Moscow. The inventor was Theremin of Beach Boys fame. "The Thing, also known as the Great Seal bug, was one of the first covert listening devices (or "bugs") to use 'passive' techniques to transmit an audio signal. It is considered a predecessor of current RFID technology, because it was likewise passive, being energized and activated by electromagnetic waves from an outside source." http://en.wikipedia.org/wiki/The_Great_Seal_bug For a second there it almost sounded like you knew what you were talking about.

Don't be snooty about it. It's been a couple of decades give or take since I read/heard about this device. I have a long memory, but sometimes it fuzzes with time.

Re:Well this just proves

[flajann]

You'll never know if you have a real competent spy around.

Yeah, they don't tend to fall for the "Simon says put your hand up if you're a spy" approach.

Funny, that.

Spying? There's no App for that?!

[birukun]

C'mon Apple Developers..... no App for that? :-)

Mac love

Anna Chapman posted on Facebook she liked her new Mac -- this was back in January ...

I find this entire story to be a load of shit

[garcia]

I hate the entire story. It's as if they're trying to detract from real news and we needed a new set of terrorists to hate. "Well we haven't hated the Russians since the early 1990s, let's get back to that."

Re:I find this entire story to be a load of shit

[Pharmboy]

But what if it is true? Likely, it is, actually. Every country spies on other countries. I don't really see the US getting completely bent out of shape over it, it was a 10 year investigation. What was more important was tracking them and finding out who in the US was helping them. But spies come and go, but spying is a constant.

Re:I find this entire story to be a load of shit

[elucido]

Why arrest them in a big show though? Usually spies are expelled not arrested.

Re:I find this entire story to be a load of shit

[schwaang]

Unlike typical spies with foreign diplomatic cover, these alleged "illegals" cannot just be summarily expelled back to their home countries. Any act against them requires due process, the first step of which is pressing charges.

The lack of diplomatic cover also means they are not protected from any charges that may stick. Spying without diplomatic cover is a very risky game. It makes this case all the more interesting.

Re:I find this entire story to be a load of shit

[JWSmythe]

The United States gets very offended by espionage activity, because we would never do it to anyone else. They promise. Not a single satellite. No high altitude spy planes. No high altitude long range supersonic spy planes (we retired all of these, we promise). No remote control spy planes. No flock of agencies with covert operations world wide. Nope, not the US. Keep your spies out of our country, we don't do it to you.

    Excuse me, there are a couple nice men in black suits knocking at my door that just want to ask me a few questions.

Re:I find this entire story to be a load of shit

[sznupi]

It must be ok if filthy liberal commie places have a problem with all that stuff.

Re:I find this entire story to be a load of shit

[hedwards]

We do, and the Israelis have been caught spying on us. That's probably the most offensive of the cases. The Israelis that depend upon us for support are spying on us. Not terribly surprising when they got caught, but it's still going to require a lot of chutzpah to do such a thing. Sort of like assassinating somebody on foreign soil or shooting peace activists.

Re:I find this entire story to be a load of shit

[Kral_Blbec]

Hmmm, you bring up a good point. The Russians should have just hired a bunch of Mexicans. Then, even after we find out they are illegal, we still couldn't touch them!

Re:I find this entire story to be a load of shit

[Fluffeh]

Why arrest them in a big show though? Usually spies are expelled not arrested.

If you were leading a TEN YEAR investigation, wouldn't YOUR office be demanding some publicity at the end of it to justify ten years of spending on your salaries, the investigative costs and so forth?

The best way to deflect a financial inquiry is to point at the TV where your "heroes" are out there making your country safe.

*sips coffee*

Re:I find this entire story to be a load of shit

[nomadic]

I don't find that offensive; countries spy on each other. I am assuming, and hoping, we're spying on Israel. If we're not, THAT would be more offensive to me.

Re:I find this entire story to be a load of shit

Hey! I soil myself... I mean I shoot foreign peace activists.

Re:I find this entire story to be a load of shit

Not to mention

http://en.wikipedia.org/wiki/Lavon_Affair

Not exactly trust-inspiring.

Re:I find this entire story to be a load of shit

[shutdown+-p+now]

The Israelis that depend upon us for support are spying on us.

That's precisely why they're spying on you - because they have a strong dependence on your support, and therefore knowing if and when it may possibly weaken or be terminated is crucial for their national security.

Re:I find this entire story to be a load of shit

Sure, we do the electronic stuff, the ease dropping stuff.

But the hands on stuff, the up close and personal stuff, getting the really valuable intelligence (like the 9/11 plans or were the terrorist chief is) we're just not any good at any more (if we ever were).

AIR, during the Carter Administration, Adm. S. Turner fired all our spies.

Re:I find this entire story to be a load of shit

[JWSmythe]

That's those damned foreigners. Us Americans are the shining example of how to do things right. If Ms. Manners had to pick a government to say others should act like, it would be the fine United States of America.

    (I hope everyone can read my sarcasm in these posts)

Re:I find this entire story to be a load of shit

[JWSmythe]

    The electronic ones are the obvious ones. Well, the ones that are public knowledge. I know of a few other routes that they're done by, that are not necessarily public knowledge. Well, given to me as "This is probably still classified, so I can't tell you all of it, but...."

    They were told to me for the sake that they were technologically and historically interesting. Through other means, more information was gathered on them to confirm that they were real. I'll suffice it to say (for the sake of the black van parked outside my house), there's more to modern intelligence than is provided publicly or portrayed in the media, television, or movies.

    If the Carter administration let 10,000 intelligence gathering people go, there are tens of thousands of others still out there, either in dark dungeons (like us, living in datacenters), or in the field continuing their covers so they aren't found and executed.

    The 9/11 intelligence was gathered and processed. It was ignored by the decision makers as a non-threat. You can thank the then-current administration for that one.

Re:I find this entire story to be a load of shit

[goose-incarnated]

There is more reason to spy on your friends than your enemies.

Re:I find this entire story to be a load of shit

Mods: Insightful, really? Funny, or even Flamebait I can see, but not Insightful.

Re:I find this entire story to be a load of shit

Know why the men in black suits didn't really go to your door?

They already know the answers to the questions you think they'd ask.

Re:I find this entire story to be a load of shit

[JWSmythe]

    The "asking questions" is just a polite formality. Its a lot easier and gets less attention if you walk to their car, rather than if they have to drag your freshly dead body. That, and it leaves less of a mess in their trunk. :)

    Well, unless it was a "tragic incident during a home invasion." Or in the case of Drew Peterson's ex-wives, it could be a tragic accident at home, where you slip in the tub or fall into a barrel. Hey, accidents happen, right? I guess it's better than to be a guest at the Dahmer residence. Mmm, those hamburgers were good, where did you get the meat?

    Ahhh, humans, you gotta love 'em. We always come up with creative ways to kill each other off.

    [checks his pulse] Nope, they haven't gotten me yet.

Re:Spying? There's no App for that?!

[Pharmboy]

'mon Apple Developers..... no App for that? :-)

Just like porn, Steve Jobs recommends you use Android for that.

Re:Spying? There's no App for that?!

[Mitchell314]

Yes. iSpy: with my little i. (Wonder if applescript would actually accept it).

Use passphrases

[hkz]

Passwords are the wrong solution. Trying to make people remember a short string with high entropy is hard, so people write them down. The other way around is much better - long passphrases with less of the tedious entropy. Quotations, lyrics, names, whatever. They're much easier to remember and much harder to brute-force. Sprinkle in some punctuation and you're golden.

Re:Use passphrases

[AuMatar]

That's an even worse solution. Do you really think end users are going to be willing to type a 200 letter phrase in instead? We use passwords for a reason- its as much as most people are willing to type before becoming annoyed.

Re:Use passphrases

[caffeinemessiah]

That's an even worse solution. Do you really think end users are going to be willing to type a 200 letter phrase in instead? We use passwords for a reason- its as much as most people are willing to type before becoming annoyed.

You, sir, have outdone yourself, even for slashdot standards. A passphrase is NOT "a phrase as a password", but rather a phrase as a mnemonic for your password.

Example:

Passphrase: 100 quick clicked commentors barely read Slashdot each day!
Password: 100qccbrSed!

I'll leave it to you to figure the magic out.

Re:Use passphrases

[CharlyFoxtrot]

Remembering random strings isn't that hard, it just takes time. People's heads are crammed full of random bits of data (pieces of bank account numbers, random login names you've been assigned, etc.) Instead of using a 20 character string as a password and trying to remember it straight away, generate four 5 character strings, write them down and recite them a couple times a day every day for a couple of weeks. After you're so sick of them you could recite them in your sleep eat the piece of paper and combine them into your superpassword. It's better than opening yourself up to dictionary attacks by developing methods and habits for forming passwords (for the real important stuff.)

Re:Use passphrases

[KevMar]

A pass phrase is not that bad of an idea. It does not have to be 200 chars long, but a few words that mean something to you stringed together. If nobody can see you type it, then they will have no clue its a pass phrase. If they see you tap space every 4-7 chars they will figure it out.

For a while, I used the phrase "I am the administrator!" for my workstation admin password. 23 very easy characters to remember. It is such a simple password to remember and hard to guess.

Re:Use passphrases

Thanks for your password you BIG DUMMY!

Re:Use passphrases

[Slutticus]

Some suggestions from OS X Keychain:

get8]umbra

leg51{kirsch

creed60[king

feud72)sane

Kirk118#guff

chap150&plow

Just replace the numbers (or words) with something memorable to yourself, and you have a powerful easy to remember PW. Not quite as easy as a passphrase, but not a random jumble that's impossible to memorize. Plus the last one is kind of funny if you think about it......

Re:Use passphrases

Remembering random strings isn't that hard, it just takes time.

Yep. And by the time you've finally mastered your own password, the password aging policy tells you that is is time to change it. Time to put a new sticky note on the side of the monitor.

Re: Use passphrases

[grahamsaa]

I remember one of our truecrypt volume passwords at work used to be "mymilkshakebringsalltheboystotheyard". Upon being informed of that, I thought "ok, pretty secure, easy to remember, but who the hell came up with that?"

Re:Use passphrases

[izomiac]

Two hundred characters for a single phrase would be huge. It's a passphrase, not a passsentence. Plus you can type real words much faster than high entropy passwords. Time-wise they might take a bit longer than a well-memorized (a.k.a. "soon to be expired") password, but nothing like the difference in character count would suggest. OTOH, it's much harder to gauge the entropy of an English phrase than a random string, so there are practical problems with them from a policy standpoint.

Re:Use passphrases

[blair1q]

This is mine:

"There's nothing more useless than a passphrase based on a quote."

(One Quotation-Dictionary Attack Later)

ALL YOUR BASE ARE BELONG TO US!

Re: Use passphrases

[apparently]

I remember one of our truecrypt volume passwords at work used to be "mymilkshakebringsalltheboystotheyard". Upon being informed of that, I thought "ok, pretty secure, easy to remember, but who the hell came up with that?"

What hole are you living in that you don't recognize that as a song lyric?

Re: Use passphrases

[grahamsaa]

Um, I may live in a hole, but I know the lyric. The funny thing about the passphrase is that I work with a bunch of (male) engineers, and one of them selected that as a passphrase. I just think it's strange that an engineer, probably in his mid 40s with a beer gut, came up with that.

Re:Use passphrases

Actually I say that the best solution is some kind of physical key, probably a USB thumbdrive. New employees at a company would be given the key, they could not access their computer without it, etc. Passwords that you have to memorize will never be the ideal solution because people are lazy and often stupid.

Re:Use passphrases

[joelsanda]

That's an even worse solution. Do you really think end users are going to be willing to type a 200 letter phrase in instead? We use passwords for a reason- its as much as most people are willing to type before becoming annoyed.

Yes. Assuming I'm an "end user" - I've been in I.T. for 13 years and still haven't quite figured out why the word "end" is put in front of user.

Anyway ...

I use passphrases for everything that will take something more than a short-digit PIN. My favorite is 27 characters long. At work I cull my memory for a passphrase, use that, and recall it much quicker than a coworker who enters part of the previous password, hits the backspace button, and mumbles "Now what was my new password again?" By the time he's done that I've entered in my 20 - 30 character passphrase.

Re:Use passphrases

[AK+Marc]

My most "secure" password (Assuming no one knew it was numbers only) was to open up the phonebook and select a phone number at random. 9 characters with no known association between them or to me would be uncrackable. If someone knew it was all numbers, it would be crackable. And I could write the code for the password down and look it up again if I forgot. I wrote "p213 #23" on a post it note, with no other references, so only I knew it was for a password and that it would be the phone number of the 23rd name on page 213. It wasn't even for something that secure, and when I needed a better one, I added a leading letter and trailing punctuation.

I'm surprised people still cling to l33t for passwords. If it's in the dictionary as a word, then they should be trying it with every letter upper and lower and every "s" as "$" and such. Leetspeak won't hold up to an expanded dictionary. It might take 10 times as long as a regular dictionary attack (or even 100), but that's still short. I'm curious how long it would take to crack if you assume the first character is anything, the last is anything, and the middle is a dictionary word in l33t. I see so many that are that, 7p4ssw0rd! or $P4$$w0rd9 or such and I'm curious how secure it really is.

Re: Use passphrases

Maybe they spend an unhealthy amount of time watching the video in their alone time...

(Posting Anon because it's not a crime, no matter what you say Graham.)

Re:Use passphrases

[AK+Marc]

That's why you add in incorrect punctuation or spellings or such if you can. "4scourand7yearsagoour4fathers" If a dictionary won't hit it directly, trying permutations of errors would render a dictionary attack useless, as long as there are enough possible errors. That and there are so many song lyrics that quotes can be found that are obscure and memorable.

Re:Use passphrases

[itamblyn]

Another advantage of passphrases is that you get REALLY fast at typing them. People tend to type random alphanumeric passwords relatively slowly, probably because we are not used to typing them as often as, say, the word "the". It is a lot more difficult for someone to see what your password is if all of you fingers are moving across the keyboard at high speed.

Re:Use passphrases

[adolf]

I like the pronounceable passwords generated by GNU Keyring on my ancient PalmOS device (a Handspring Visor).

It produces things like: biaf2cik3eg

Sure, it's a limited keyspace. But it's far easier for me to remember the sound of the password while I wait around for muscle memory to remember the keystrokes for me. But the sequence of keys is also similar to those used in normal writing, so I find that muscle memory remembers these pretty quickly. And, being consciously remembered as a sound also makes it easier to figure out later if I don't use a password for awhile and forget.

It's so, so much less painful than things like 9$k[IkO2F03, which while obviously much stronger, is something I'll need to record some place for later reference, because it will otherwise be immediately forgotten.

YMMV.

Re:Use passphrases

[blair1q]

Pretty useless.

"Did I put the 4 first or the 7? and what the fuck was between years and ago?"

Guaranteed to forget the details in 2.4 months.

Re:Use passphrases

You could just use "That's an even worse solution. Do you really think end users are going to be willing to type a 200 letter phrase in instead? We use passwords for a reason- its as much as most people are willing to type before becoming annoyed." as passphrase.

You obviously where willing to type this for no apparent reason on slahsdot (arguing is no reason, arguing on /. is like pissing against the rain) because you where annoyed, not to become annoyed.

Re:Use passphrases

[vonFinkelstien]

I used to use lines form James Joyce's Finnegans Wake. All I had to do was to remember the page # and I could find the quotation.

Re: Use passphrases

[addsalt]

Kelis did

Re:Use passphrases

Sorry for posting anonymously, I only just began my 2 week process for remembering my password. By mid 2012, I should have them ALL memorized - oh, except for the ones that change - nooooo!

they were just make it look ...

[jobst]

they were just make it look like you standard network, so they do not arouse suspicion ..... ;-)

Slower than a onetime pad

For decades, Soviet agents used one-time pads (eg, Venona http://en.wikipedia.org/wiki/Venona). It must have been frustrating to encrypt messages ... looking up aliases, then doing letter by letter transfers, then padding things out and going to the telegraph agency.

You can imagine wasting an afternoon during the cold war: Doors locked, shades drawn, crouching over codebooks, slowly penciling in cyphertext.

But it seems speedy and efficient compared to some of these spies' antics. When the courier spy delivered the laptop to a suspect, he said, "if this doesn't work we can meet again in six months" Another suspect was overheard saying to another, "they don't understand what we go through over here."

Ouch!

Re:Slower than a onetime pad

[MichaelSmith]

Makes me think that Russia had already abandoned these people. They knew the FBI were on to them and cut down on support to limit damage to other parts of their network.

Re:Slower than a onetime pad

[Sulphur]

One Time Pads are tedious to make.

Venona was broken because they used it as a Two Time Pad.

--

Fearless Leader: Can we reuse the pad?
Natasha: It works for me.

they're not spies, they're defectors

[circletimessquare]

they put on the bare minimum effort to convince the kgb they're still on the team (so they don't get any polonium in their tea)

then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

if you want to talk about modern life destroying cherished traditions, add this to your list: comfortable suburban living killed james bond

Re:they're not spies, they're defectors

[colfer]

Or they have connections who got them their cushy US layabout jobs.

The net history of espionage is like the net profit history of the airline industry. Comes out to about zero on balance (going back to the Wright Brothers, or so they say). But in espionage, even though the topmost levels of the U.S. and British and probably Soviet spy agencies were infiltrated over and over again, I guess there is some argument you can't just unilaterally disband them unless the other side does too.

Re:they're not spies, they're defectors

[maxume]

Casino Royale was great, and not much less plausible than most of the early stuff.

Really, a money launderer in trouble with his clients is a great deal more plausible than some dude with a kitten taking over a casino (Which wasn't particularly early, but it also wasn't particularly late).

But maybe you meant real spies.

Re:they're not spies, they're defectors

[elucido]

they put on the bare minimum effort to convince the kgb they're still on the team (so they don't get any polonium in their tea)

then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

if you want to talk about modern life destroying cherished traditions, add this to your list: comfortable suburban living killed james bond

Seriously? You think Russia would put polonium in their tea? On US soil? I know the guy you are talking about so it does happen but I don''t think Russia would dare do that. That being said I agree the spy ring does look to be a joke and I'm not sure why there is such a big deal about this considering they were an unsuccessful ring.

They weren't all full of shit because some of them (the Chapman female) seemed to have some real skills.

Re:they're not spies, they're defectors

[alex4point0]

While on the subject of Bond:

FTA: "I am going to write in invisible!" -- best read out in your best Boris/Goldeneye voice.

Re:they're not spies, they're defectors

[HishamMuhammad]

Hah, it had to be circletimessquare -- oh how I miss Kuro5hin and this kind of out-of-the-box thinking that used to come up there so often from you and the rest of the people. Too bad the place was filled with trolls to the point of unusability the last few times I tried to return.

Re:they're not spies, they're defectors

[Jah-Wren+Ryel]

then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke

I thought that was pretty obvious.
The very first article I read about the bust contained this suppossedly intercepted message:

"You were sent to USA for long-term service trip. Your education, your bank accounts, car, house, etc - all these serve one goal: fulfill your main mission, ie to search and develop ties in policymaking circles in US and send intels (intelligence reports) to C (Centre)," an intercepted message said according to the indictment.

It sounds like the kind of exposition you'd hear in a hollywood movie when the writer wants to explain background to the audience, not the kind of thing a real spy handler would ever write -- unless he was super pissed that his spies had just taken his free money and run off with it.

Re:they're not spies, they're defectors

[DamnStupidElf]

Even CTS has stopped trolling k5. That's saying something.

Thats the least of their problems.

[elucido]

Writing the password probably isn't as smartest way to save it but lets be realistic, nobody can remember a 26 character password. It's bound to be written somewhere even if it's written in a PGP encrypted email message to self.

Re:Thats the least of their problems.

[Culture20]

nobody can remember a 26 character password

abcdefghijklmnopqrstuvwxyz. If preschoolers can learn an arbitrary sequence of meaningless symbols totaling 26, then I think it's possible.
Plus, your sentence is longer than 26 characters and so is this one.

Re:Thats the least of their problems.

Writing the password probably isn't as smartest way to save it but lets be realistic, nobody can remember a 26 character password.

Use a memorable quote, a poem a song lyric, whatever phrase you can remember easily. Use the first letter or two from each word, swapping case and substituting punctuation marks/numbers as needed. Finally, a use for 1337-5p34k!

Example -
Whose woods these are I think I know.
His house is in the village though;

Becomes - wh wo ar th i th i kn ki ho i i th vi th

And further - whW04rTh1th1knhiHo11ThviTh

A 26 letter password that can be remembered easily, mixing case and numbers. Not perfect, but few passwords are.

Re:Thats the least of their problems.

[Stupendoussteve]

"Your password has expired"

"Your password is too similar to your last password"

"Your password much be entirely different than the previous 50 passwords"

Re:Thats the least of their problems.

[h4rr4r]

I have remembered several password this long and longer. I have no idea what they are, but I can type them every time.

Re:Thats the least of their problems.

[interkin3tic]

That is indeed the least of their problems. I've heard their computers were themselves full of

(puts on sunglasses)

spyware.

Re:Thats the least of their problems.

[Culture20]

nobody can remember a 26 character password

abcdefghijklmnopqrstuvwxyz. If preschoolers can learn an arbitrary sequence of meaningless symbols totaling 26, then I think it's possible. Plus, your sentence is longer than 26 characters and so is this one.

How exactly was I redundant above? GP said it couldn't be done, and I pointed out that almost every five year old in the U.S. does it. And a lot of 20-25 year olds re-learn it backwards.

Re:Thats the least of their problems.

[Mashiki]

You laugh and mock, but the last head of IT we had, had us on 14 day rotating passwords. After 2 months he got canned.

Re:Thats the least of their problems.

Writing the password probably isn't as smartest way

What's wrong with it? Make a good, hard-to-remember password and keep it with you physical keys. If you lose it, change it, just like you'll need to rekey your locks.

Seriously, it probably is the smartest solution for most people.

Re:Thats the least of their problems.

[blair1q]

I don't doubt it. The FBI ain't all n00bs, and no doubt can pull up the keylogger logs for the computers of any number of bad-actors.

Re:Thats the least of their problems.

[GaryOlson]

Canned? He should have been freeze-dried and mounted on display as a warning.

Re:Thats the least of their problems.

[Yvan256]

Of course he got canned! You're supposed to change passwords every 30 seconds!

Re:Thats the least of their problems.

[mortonda]

Use a memorable quote, a poem a song lyric, whatever phrase you can remember easily. Use the first letter or two from each word, swapping case and substituting punctuation marks/numbers as needed. Finally, a use for 1337-5p34k!

Example -
Whose woods these are I think I know.
His house is in the village though;

Becomes - wh wo ar th i th i kn ki ho i i th vi th

...and this is why I don't like this technique - you didn't even get it right in your example!

wh wo th ar i th i kn hi ho i i th vi th

Re:Thats the least of their problems.

[jonnythan]

YEAAAAAAHHHH

Re:Thats the least of their problems.

[AK+Marc]

Who learns it backwards, and why? And why only the 20-25 year olds?

Re:Thats the least of their problems.

[gumbi+west]

That would be fine, but then having to learn a new one every 12 weeks because of a password expiration cycle--that's when it gets impossible. You are always recalling fragments of the old password...

Re:Thats the least of their problems.

[adamofgreyskull]

They may be more likely to drive drunk and therefore be subjected to a Field Sobriety Test? However, from that Wikipedia article: "recite all or part of the alphabet (a common myth is that the alphabet must be recited backwards, however, this is never done during an FST, as many sober people are unable to do this.)."

Re:Thats the least of their problems.

[AK+Marc]

Ok, so only the stupid 20-25 year olds, as I've heard the jokes, but I didn't think anyone actually thought you had to recite it backwards if pulled over.

What I have seen people mess up seriously on was reciting the alphabet forwards, starting and stopping at arbitrary letters (e.g. recite it from "d" to "o").

Re:Thats the least of their problems.

[PitaBred]

I'm surprised he didn't get assaulted in the parking lot after a month.

Re:Thats the least of their problems.

Yeeeeeaaaaaaahhhhh!!!

Re:Thats the least of their problems.

[Macrat]

Writing the password probably isn't as smartest way to save it but lets be realistic, nobody can remember a 26 character password.

You can't remember a sentence?

Re:Thats the least of their problems.

He was, but after the rebels thawed him back to life in a desperate attempt to free him, it was decided that canning reduced the risk of him ever getting loose again.

Re:Thats the least of their problems.

[William+Robinson]

Use a memorable quote, a poem a song lyric, whatever phrase you can remember easily.

Yep. My password 'Iwant8008135' is very easy to remember.

Oh wait....

Re:Thats the least of their problems.

[zaphod777]

I always though it started as a joke that went something like this: 21 year old gets pulled over for a DUI Officer: how much have you had to drink tonight Kid: nothing Officer: Please step out of the vehicle few FST later .... Officer: Please recite the alphabet backwards. Kid: but I couldn't even do that if I was sober! (owned)

Re:Thats the least of their problems.

[tehcyder]

The letters of the alphabet is something that is drummed into your head from an early age, and repeated countless times, I bet if I gave you a scrambled version you would have a very hard job to remember it.

And sentences using dictionary words are hardly secure.

Re:Thats the least of their problems.

Use a memorable quote, a poem a song lyric, whatever phrase you can remember easily. Use the first letter or two from each word, swapping case and substituting punctuation marks/numbers as needed.

...and this is why I don't like this technique - you didn't even get it right in your example!

wh wo th ar i th i kn hi ho i i th vi th

not only that, the entropy is also extremely low

Re:Thats the least of their problems.

[anon+mouse-cow-aard]

actually the first bit was correct, the poem transcription is wrong... actual poem:
Whose woods are these I think I know...
So it's even worse than you imagine, people can remember the phrase inaccurately.

Re:Thats the least of their problems.

[bigrockpeltr]

hey thats kind of similar to my password... iLove(.)(,)
yes the right one is a piercing...
yes that is my actual password because its on the internet so it must be true!!!

Re:Thats the least of their problems.

[shaitand]

The people who are most likely to want your password are those who would have opportunity to get physical access to keys/desk/drawers/etc.

The chances of a complete anonymous stranger actually sniffing your encrypted password and brute forcing it are actually pretty slim.

Re:Thats the least of their problems.

aside from the fact there is no mixed case, special characters, or numbers, which are all required by company.

Re:Thats the least of their problems.

*WHOOOOOSH*

Re:Thats the least of their problems.

[Culture20]

The letters of the alphabet is something that is drummed into your head from an early age, and repeated countless times, I bet if I gave you a scrambled version you would have a very hard job to remember it.

But if I were a Russian spy being trained, you'd think that rote memorization of a series of long passwords would be incorporated into the training (probably with music, just like with kids).

And sentences using dictionary words are hardly secure.

Last I checked (yesterday), the English dictionary on unix systems contained more than 98,000 unique words with an average length of 9 characters. If you used these words as symbols, you would get NUMWORDS^98,000 possibilities, discounting punctuation, and assuming no grammar. Possibilities when viewing the passphrase as a character string are (NUMWORDS*AVERAGEWORDLENGTH)^CHARACTERSET, suitably reduced if the attacker knows it's a passphrase, but not enough to make it non-secure.

Re:Thats the least of their problems.

[Agent0013]

Who learns it backwards, and why?

I learned it backwards while sitting on the school bus for over an hour. In one day I had it down, and still do. zyxwvutsrqponmlkjihgfedcba

Re:Thats the least of their problems.

[jonbryce]

Think passphrase rather than password, then it gets a bit easier. The phrase has to mean something of course, not just a random collection of letters, numbers and symbols.

Re:Thats the least of their problems.

[elucido]

A sentence is an incredibly weak password. And if it is strong it will be something random which you deliberately cannot remember.

Re:Thats the least of their problems.

[elucido]

If it's not really random then the security of your system is weak to brute force attack. If you use a phrase or collection of words they can try every word in the dictionary or multiple dictionaries until they reach your password. If you use a phrase they can try every phrase combination until it matches yours. If your password is very random then the security of the system depends entirely on the algorithm use.

Re:Thats the least of their problems.

[penguinchris]

I know I'm a bit late to the party, but, in regards to preschoolers learning an arbitrary sequence of meaningless symbols, this is perhaps harder than you think.

I taught the ABC's to a native Thai, 22 years old, and it made me realize how hard this actually is. Of course it's easier if you're intimately familiar with the characters you're using for your random strings already (which preschoolers and those whose native language uses different characters don't), meaning once you know the abc's a second sequence with the same characters won't be as difficult as that. But it's still hard (for most people).

Kid Detectives

[ForAllTheFish]

This makes all those kid detecive stories about kids busting international spy operations SO much more believeable.

Is that a joke?

[elucido]

Passphrases are not harder to brute force. In general if you have 26 random characters its hard to brute force.

Re:Is that a joke?

[caffeinemessiah]

Passphrases are not harder to brute force. In general if you have 26 random characters its hard to brute force.

Passphrases encourage the use of numbers, capitalization, longer passwords, and punctuation. If the common password is all lowercase letters and maybe digits, your looking at a search space of (26+10)^k for a password of length k. If you throw in the 30 or so punctuation marks, and capitalization, the search space is (26+26+30)^k for the same length of password.

Given that so many people use lowercase+digits passwords, I'd be inclined to think that anyone brute-forcing a bunch of passwords would stick to the (26+10)^k search space, and therefore leave yours uncrackable. If they're just going after yours though, all bets are off, but then you should probably be using some uber-fancy authentication scheme anyway.

Re:Is that a joke?

[Culture20]

Passphrases are not harder to brute force. In general if you have 26 random characters its hard to brute force.

If you don't follow correct grammar, you can make a secure passphrase that's easier to remember than 98jn339ejnT#T*j#fe8#wf#F.
Assume a character set of 256, that means with 8 random characters, you've got 8^256. 8 random characters is tough for some people to handle. With passphrases, if you allow only english, you've got a "character" set of `wc -l /usr/share/dict/words` (98569), so with 8 random words, you've got 8^98569 possibilities. Of course, to follow a sense of grammar (even bad), you reduce that down a lot, but it has a benefit of being long absolute-character-wise, and short virtual-character-wise... average english word length is apparently ~9; X=`wc -m /usr/share/dict/words |cut -f1 -d' '`; Y=`wc -l /usr/share/dict/words| cut -f1 -d' '`; echo `expr $X / $Y` and `expr $X % $Y`/$Y
so even a random 8 word passphrase might be longer than 72, thus it's potentially 72^256 when brute forced character-wise.

Re:Is that a joke?

[itamblyn]

Passphrases are not harder to brute force. In general if you have 26 random characters its hard to brute force.

But people aren't random number generators. If I were trying to brute force a password that required at least one special character, I think I would first try all combinations without special characters, and simply add ! at the end. Need a number? add a 1 to the beginning. I'm pretty sure a lot of people do it this way.

Re:Is that a joke?

[Falconhell]

"But people aren't random number generators."

Nope, but accounting trolls are, according to dilbert!

https://mywebspace.wisc.edu/lnmaurer/web/rng_stuff/Dilbert0001.jpg

Re:Is that a joke?

With passphrases, if you allow only english, you've got a "character" set of `wc -l /usr/share/dict/words` (98569), so with 8 random words, you've got 8^98569 possibilities.

But if I'm precomputing stuff, your /usr/dict/words can be tokenized into 17 bits. (a little over 2^16, or 65536), and your 8-word passphrase contains only 136 bits of entropy. Pwn3d.

Hey these were language, not IT, experts

[Katchu]

Sounds similar to a lot of corporate America: Using OS that locks up, poor password security, need to send laptops to corporate for assistance, ...

These Russian spies could have wrote their own.

[elucido]

They could have wrote their own steganography applications. Any known steganography application is probably also known by law enforcement and useless. The success or failure of steganography is based on the fact that the actual use of it and the type of it remains secret. When it's known then it's useless. It's very much like encryption where the key has to be kept secret or the encryption is worthless because the security of the scramble is the randomness of the key.

Let's just say it, these spies didn't know the technology and we should be glad they didn't. I don't understand why the hell we are seeing these ridiculous articles about what they should have done or about steganography applications they could have used. Yes a lot of those apps exist but the Russians didn't write it.

Re:These Russian spies could have wrote their own.

[tehcyder]

They could have wrote their own steganography applications. Any known steganography application is probably also known by law enforcement and useless. The success or failure of steganography is based on the fact that the actual use of it and the type of it remains secret. When it's known then it's useless. to be kept secret or the encryption is worthless because the security of the scramble is the randomness of the key.

No, the whole point of steganography is that you use it to avoid provoking suspicion in the first place. Once the FBI et al have you under surveillance, it doesn't really matter what application you use to hide things, the authorities already know to look there anyway.

You don't exactly add a "secured by ABC steganography" attachment to all your emails...

Re:These Russian spies could have wrote their own.

[elucido]

They could have wrote their own steganography applications. Any known steganography application is probably also known by law enforcement and useless. The success or failure of steganography is based on the fact that the actual use of it and the type of it remains secret. When it's known then it's useless. to be kept secret or the encryption is worthless because the security of the scramble is the randomness of the key.

No, the whole point of steganography is that you use it to avoid provoking suspicion in the first place. Once the FBI et al have you under surveillance, it doesn't really matter what application you use to hide things, the authorities already know to look there anyway.

You don't exactly add a "secured by ABC steganography" attachment to all your emails...

Thats what I was saying. Steganographys secrecy is in the fact that nobody knows what type of steganography you are using. It's a matter of them not knowing where to look. This is very much like the secrecy of your key, if anyone knows the key then your encryption is broken.

As far as surveillance goes. if they were spies wouldn't they be trained to expect to be under constant surveillance? Unlike the rest of us, these spies knew all along they'd be under surveillance. They knew enough to use steganography but were too stupid to use it properly? That seems to be the situation.

In the article they are doing stuff like leaving their passwords out so the feds or whomever could access it. The steganography apps they used seem to have been stuff written by other people, hiding data in images. The point is they didn't seem to understand how to use the technology they had which leads me to believe they probably weren't trained.

Then again what would I know? Maybe this is what usually happens and most spies get caught? You'd think that they'd have some sophisticated technology though.

Wrinting in a Secret language

[jamesyouwish]

If I write my password down in another language isn't that secure.

Re:Wrinting in a Secret language

[hedwards]

I assume you're joking. In order for it to be a language there has to be syntax and grammatical rules. You have to write those, then and it doesn't take that long to figure out that it's a new language. And if you don't manage to actually figure that out, then you've got a string of seemingly random characters, which probably look a lot like a password.

Re:Wrinting in a Secret language

[elucido]

Who said anything about it having to be a language? That seems like it would be even more difficult than writing a script and distributing the CD. The script could handle everything. It could be written in python, java, perl or any other language.

You would think a country like Russia would have some top notch programmers. All this talk about cyber warfare and hackers trained by the Russian government and they can't write code? I don't believe it.

Re:Wrinting in a Secret language

[psithurism]

He isn't joking; after escaping on bail, he'd like to know how to do it right this time.

The key question: did they run Linux?

[porky_pig_jr]

And if so, is that good or bad?

Re:The key question: did they run Linux?

[tehcyder]

Yes, they were a Beowulfski cluster.

If spies can't even get it right

I have little to no hope that the corporate world ever will.

I'm an IT director at a mid-sized company in the US. I've worked hard to educate top executives on security issues, and to encourage them (it's hard to force a CEO or CFO to do anything) to use best practices. I've experienced a lot of resistance.

Most companies think of IT, and security in particular, as an afterthought, if at all. Our CEO, who is responsible for active contracts that are worth tens of millions of dollars, and who has very sensitive financial data and intellectual property on his laptop, balked when I told him I did not want to know his password. He'd ask me to fix a problem with his machine, and be bothered by the fact that I would ask him to type in his password himself when I needed it. Eventually I gave in and started typing it in myself. Apparently it's an open secret from middle-management up. He uses the same password for everything, and all of the privileged managers know what it is. What if one of us quits or is fired? I imagine he uses the same password for his online banking as well. It's a big risk. He travels internationally on a regular basis. Having 20 people that know the password to all of your accounts. . . well, that scares the shit out of me, but it doesn't seem to bother him.

And I get the sense that most people, whether they work in espionage or in the private sector, see security as more of an annoyance than anything else. That is, until a breach happens. When that happens, the IT department is blamed.

In those situations, "I told you so," is not an acceptable response. When bad things happen, heads roll. I'm afraid that despite my most strenuous efforts to encourage best practices for top executives, my head will one day be on the chopping block for one of their mistakes.

Sorry to post anonymously (it's the first time I have!), but other folks in my department read ./ and I can't really expose my name / UID in this particular case.

Re:If spies can't even get it right

[turbidostato]

"I'm an IT director at a mid-sized company in the US [...] Our CEO [...] He'd ask me to fix a problem with his machine"

You *think* you are an IT director, but you are the mop guy.

At least that's what your CEO thinks, and that's all that counts.

Re:If spies can't even get it right

I can't let mine go either, but are you kidding me? I work for a real estate firm, and while our SharePoint is on an SSL server, our residential management software isn't. It takes all of five clicks to get to the page to, well, open up a new accounts payable invoice and commit it. And I'm pretty sure it would go straight on through.

Even less maliciously, someone could just keep giving themselves free rent - or hell, a whole building or property, and posting the batch transactions on through so none of us ever saw it. Nobody would ever notice.

Re:If spies can't even get it right

[zaphod777]

I guess you guys don't have SOX audits?

Re:If spies can't even get it right

[cusco]

Hell, I'm jealous that you have co-irkers who read /.

I work in the physical security (key cards, cameras, panic buttons, etc.), where the situation's even worse. A lot of these systems are run by (I kid you not) the janitors and maintenance men. In most organizations the physical security infrastructure is under the Facilities department. Daily I see passwords that haven't been changed in years, systems with no backup, or places where the lowliest temp guard uses the same account as the system manager.

Security is a cost center, not a revenue center. No organization likes to shovel money out the door for something that won't bring anything tangible back in (unless it's going to executive pay packages). That's why Facilities gets saddled with it, they're the low man in the pecking order, everything they do is a cost.

go low tech

[LostMonk]

Why try to beat US security at their own game? go low tech. it works for el-qaeda. If they used the good old mail services they would have gone unnoticed for another 10 years.

Well what this really all just means is that the..

[3seas]

.... terrorist threat is just not working very well anymore, so its time to remake an old threat....

But this time its really a lot more like "Spy vs. Spy" as found in MAD magazine.

Re: writing passwords on slips of paper

[OnePumpChump]

Unless it's a randomly generated password, omit some letters. You shouldn't need the whole password to remind yourself what it was.

Funny

[formfeed]

If they had just called themselves a business intelligence and consulting service for foreign investors, they wouldn't have any problems.

And if you call yourself a lobbyist you can even funnel money from foreign governments into your congressman's pocket.

Obligatory Rock & Bullwinkle Reference.....

[IHC+Navistar]

This whole thing reads like an episode of Rocky & Bullwinkle.

Boris Badenov: "Everything going fine until Moose and Squirrel!"

Natascha Fatale: "What you mean, dear?"

Boris Badenov: "Everything working fine until we get laptop with Windows!"

Fearless Leader: "First Chernobyl, then Kursk, NOW OUR SPIES!"

Natascha Fatale: "Dahling, least not Moose & Squirrel this time....."

they did it on british soil

[circletimessquare]

http://en.wikipedia.org/wiki/Poisoning_of_Alexander_Litvinenko

if they have no problem doing it on british soil, what would stop them from doing it on american soil?

Re:they did it on british soil

[indiechild]

Exactly. And those are only the assassinations that we actually know about.

Espionage or nepotism?

Somehow this seems more like nepotism than espionage.

Like when Boris gets a contract to supply trucks to a construction site because his uncle is the towns mayor.

Hey, you get to live it up in the USA on the states dime. We'll call it long-term deep cover spying. Yeah that's the ticket.

     

Symptomatic

[binaryseraph]

I think this shows not only an issue in general with IT security issues for spies, but likely shows a much larger weakness in covert operations as a whole- not only in the Russian government, but presumably our own. Russia has not only some of the most top notch hackers in the world, but also is no new kid on the block when it comes to spying. These guys have rivaled our (US) own CIA for years. To see them fall to such an amateur mistake is boggling (as we know there are no shortages of errors in our own spy programs). While I am sure that someone over in Russia is going to lose their job over this I wonder if any lessons will be learned by their (and our) Intelligence agencies- specifically looking at how this error can be avoided in other areas.

More interesting however, is HOW these guys got caught. Somehow the FBI got tipped off... Maybe NSA forwarded some emails they sniffed out.... Which brings me back to my first point. PGP anyone?

"Lady In Red"

[Gri3v3r]

http://www.nypost.com/p/news/national/sexy_russian_spy_anna_chapman_2Zmmc1rSqu2H71x3v7BibM?photo_num=5 One of the spies :P

Re:"Lady In Red"

[vonFinkelstien]

Anna Chapman. Search in FB.

Re:"Lady In Red"

[Sulphur]

A really cute girl just said "Hey You."

Could she be a spy?

Re:"Lady In Red"

A really cute girl just said "Hey You." Could she be a spy?

Question: "Do you look like Brad Pitt?"

Even if this wasn't Slashdot, most of us don't look like Brad Pitt, and if you're doing something that might be of interest to spies (whether from competing companies or governments), the answer to your question must be presumed to be "yes".

Who says? Spin and lies again

[unixtechie]

Slashdot never stops amazing me.
First, it's the absolute uncritical admission by the commenting lemmings of the premises of hte title text. Very few, usually down the discussion even come to questioning the author's spin. And they are never voted up.
Secondly, amazing is the incredible rate at which supposedly "independent" Slashdot spews government propaganda. Prime example is "crimes" of the countries the US ruling elite is working hard to colonize and destroy. Therefore China is perennially guilty of limiting Internet access for its citizens. The fact that US funds groups working for subverting its government (against which the said government tries to protect itself) is never even mentioned.
Both points are clear in this stupid post on the "Russian spies". The whole story is A PROPAGANDA LIE. These people have never been a "spy ring" on the first place, the sensation is CREATED from thin air.
And the lemmings are so eager to "discuss IT deficiencies in the spy ring", never questioning the original lie, nor the spurious, empty "information" about those people's computing habits.
How sadly typical for americans.

Two words:

[pedestrian+crossing]

Family Guy

Bullshit

Anyone who says that Ana should be held responsible for her share of IT-related shortcomings obviously overlooked the fact that 'she is made for Love' - to suggest otherwise would be to deny existence of Marvin Gaye.

Re:Spying? There's no App for that?!

[Keruo]

Spy devices require an antenna that actually transmits something, so apple products are quite safe to use. Atleast the new iPhone

They were just blending in

[noidentity]

They were doing all this to blend in. If they actually took security seriously, they would have been very obvious and suspect.

"LIKE ... TOTALLY HAPPY!!!"

[sageres]

'Earlier, in describing his reaction to a successful wireless transfer, SEMENKO said he was, "like ... totally happy."' Note to self: In order to make a spy "like ... totally happy" fix their computer!

The "spy ring" was real?

[flappinbooger]

So, we've established that they really were spies? Anyone got a link? I might be a little behind the news cycle on that.

Re:The "spy ring" was real?

[Max_W]

Ia a Russian is not cleaning than he/she is a spy or in money-laundering.

I feel it on myself all the time. Once I was flying in a business class on an international flight and a man from a western country started to blame me openly. He looked at me and asked loudly: "Mafia?" Then continued: "People are dying from hunger in your country and you are flying in business class!"

I just answered to him that the most serious massive health problem nowadays in my country is not a hunger, but overeating and being overweight. And tried not to notice him anymore.

Google has offices in many cities in Russia. They use a secretive encryption for communication (SSL - https), pass cash secretively (as anyone has to in Russia due to high crime rate), collect a lot of information of people, so they must be the US spies. But seriously, this logic is absurd.

The FBI agent (Roman) provoked Anna. I wish that the US authorities would let go our nice girl, Anna Kuschenko (Chapman) and stop this political poor-show.

sacrifice killing of a girl on the altar

[Max_W]

Anna Kuschenko (Chapman) was owning and running a successful real estate business http://www.domdot.ru/ . Colleagues say that she was thinking and working on it 7/24.

It is a successful business on the international scale. She was selling apartments and houses in Spain, Bulgaria, Poland, UK, Russia, USA, etc. She was making it big time. They say it is growing like a Second Google.

It is a pity that this nice girl is being sacrificed by priests and patricians on the altar of Greed via this fabricated story. Placing such a girl in a disease infested prison is like killing.

Next time it may be another business, say, yours.