Slashdot Mirror
Military Bans Removable Media After WikiLeaks Disclosures
cgriffin21 writes "The Pentagon is taking matters into its own hands to prevent the occurrence of another WikiLeaks breach with removable media ban, preventing soldiers from using USB sticks, CDs or DVDs on any systems or servers. The directive prohibiting removable media followed the recent publication of more than 250,000 diplomatic cables, which were leaked to whistleblower Web site WikiLeaks at the end of last month by a military insider."
barn
Equine Mammals Are Considerably Smaller
Thank god they didn't ban floppy disks.
I knew these bad boys would come in handy one day!
liqbase
This applies to SIPRNET machines, and specifically personal CDs, DVD, etc. The thing is, this has always been the rule. At least everywhere I've worked with SIPRNET access (Air Force).
If you want news from today, you have to come back tomorrow.
This only applies to SIPRNET machines and has always been policy. No news here
09-f9-11-02-9* (G^GCA_++{>. RV>>>>+++ NO CARRIER
Wait til you have to explain to this to the 11Bs....
It is really hard to ban removable media given that you can attach a phone and it becomes a USB drive.
Using Windows Terminal Server, or Aqua Connect on the Mac
you can prevent anyone from using a USB device, as the data will be on a server, presumably locked away from users.
Fight Spammers!
And these are the people that we set loose with big guns, exploding doohickeys, and nukes.
Of course the logical progression is to ban the use of cameras, photocopiers, cel phones, paper, pencils, and people with photographic memories.
Three Squirrels
It's used to be the case that some companies would squirt epoxy into the USB ports on devices - Doesn't really work any more as many devices no longer have PS2 mouse and keyboard ports.
The simple act of having a cell phone on you in most federal facilities that have these security policies is a security violation. A few of those and you can lose your job (yes, government employees can actually be fired in a "stop, don't pass go, you're on the street" way over this). If someone sees you plugging it into a SIPRNet node, you're fucked. Do that **now** while the government is making up for lost time and you've basically shredded your own clearance.
Exposing the governments' corruption and bringing the truth into the light. Wikileaks is my hero! I want to cheeking thomas ultimatum supremacy while I'm am own ass.
Ain't it? What are they going to do, search everybody, disable the ports, what?
Oh they're just going to tell people not to do it?
That'll work.
But seriously, while I appreciate having a universal port of some kind, I do think it's a bit of a price to pay having basically one port used for everything. Not one that matters to most of us, but I suspect some people might wish things were different.
Not sure it's feasible though.
No mention of dropbox?
the realize they need to move somehting and have no way to do so....
This has always been policy, sure, but you know that a vast majority of facilities who routinely do SIPR NIPR data transfers are going to be *completely fucked* when their higher-ups overreact to this, even if the data is Unclassified with no FOUO tag. They instituted 2nd man review policies initially after the Afghan leaks, and now this?
Man, I'm glad I don't work there anymore. My old system is probably fucked by now.
mandatory access controls!!!
http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
Especially since this is EXACTLY what it was designed for.
http://en.wikipedia.org/wiki/Mandatory_access_control
Hey buddy, can i bum a karma? ~}CinderellaManson{~
I think the bigger horse is why would a low level person like Manning have so much access to begin with? Or for that matter such widespread access to such a large group to begin with? If it wasn't him then it would have been someone else.
I've worked in classified areas in aerospace, and USBs have been disabled since the first USB equipped PCs showed up. In then early days I think they actually removed the USB interface chip. Now it's disabled in software.
If secrecy and security are important then they should damn well act like it. A USB interface is about as secure as a mesh condom.
So the leakers will now have to rely on plain old memorization, or print shit out. The only real way to prevent leaks is by monitoring access and severely punishing people for leaking. This leak only happened because the leaker all but knew he was impossible to catch. In fact, he was only caught because he bragged about it and someone turned him in.
Here's a little story from back when I was the "IT security guy" (they didn't want to shell out the wage for a CISO, I guess) of a large, very security conscious company.
Of course, no machine had USB ports or CD drives (not that CD drives could have allowed any software to leave the machine, but hey), nothing you could plug on parallel ports or serial ones, no floppy drives, no nothing. No way to plug anything into those machines that could remotely be used to transfer any data out of them.
But of course, some people are more important than others, and some people have privileges. Needed or not. One department head needed to be able to use USB drives. It was actually a fairly level headed person and he was quite security conscious, was aware of the risks and able to handle it, and given enough pressure on the CEO he was finally allowed to use USB drives. This was actually still a fairly acceptable move. It was necessary for him and did increase his ability to work well and efficiently, and he could handle the additional responsibility and the risk was manageable and low enough to be acceptable.
But then the invariable laws of the office privilege and status bullshittery set in. Because it is impossible that Department Head A gets something and Dufus B doesn't. I guess it's not hard to guess what happened next. Of course, all managers on this level had to be allowed to use USB drives, need them or not. And this was NOT acceptable anymore. Some of them were too dumb to actually plug an USB drive into their machine without causing a repair incident. But they had to get it, need it or not, but it's simply impossible that one of them gets a privilege and the others don't.
So do not fear, people. Sooner or later this rule will be softened up and erode away because some people will have to have "privileges". Without being able to handle them.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Bit of an honest question really.
If I log onto my online email, its an ssh site. So what's there to stop me shoving the stuff in an encrypted and compressed file - and then sending it as an email. If they're sniffing the packets they'll only get garbage. If I create an email address just for this - its pretty hard to trace I would expect.
Hell, doesn't even need to be email (although its the simplest way to cover tracks) - what's to stop me sending it over any sort of encrypted network?
I'm a little confused by this "news". I spent the last six years in the submarine force and this was already a rule. No USB drives or personal CDs were allowed on any classified systems. Maybe the announcement is intended to inform people they're actually going to start enforcing the rule. I dunno.
Has there ever been an explanation of what all the diplomatic traffic was doing going through the pentagon? Wouldn't separate channels, and perhaps distinct cryptology, whose individual security is checked and tested by the NSA be more secure in any-case?
The CyberPolice will backtrace you, and consequences will never be the same!
The Pentagon had to ban USB sticks, et al, internally after the biggest single security breach caused by a virus passed around and brought onto the secure SIPRNET within the Pentagon itself. It's unclear to me if the problem was the virus relaying secret information off the secure network, or what, but apparently it was labelled the single biggest security breach by the Pentagon and they're unlikely to be overplaying security holes.
Mind you, NASA has just released secret information into the public domain by selling hard drives known in advance to contain secret information. These are drives that FAILED in-house auditing for such stuff. And prior to that, disk drives containing blueprints for the current generation of super stealth fighters were sold by Lockheed-Martin to Iran. (And people think Wikileaks did bad stuff?!?!?!?! How the hell does a bunch of personal opinions compare with giving a terrorist-funding nation plans for the top US fighters? Internal to Iran, there's the possibility they will find a weakness. Think Death Star plans. Think the Stealth Fighter shot down in Serbia. Yes, the Serbians blew up one of America's best planes, and with a cruddy cheap missile at that. On an international level, the Russians will doubtless use the plans to improve on their own airfoils and may be able to exploit the design to improve on whatever shape-based stealth they've developed so far.)
Add to that that NASA servers have been hacked in the past to turn them into file-sharing sites. Which means that whatever classified files were in those exposed directories have been shared as well. Quite plausibly these files were protected by DES only, not triple DES or AES, as "commercially sensitive" data is classified below secret and certainly only used basic DES up until a couple of years before that breech was discovered.
Then, back in the 90s, there was a breech at the Pentagon due to computers containing classified information being on the public Internet and having .hosts files. (NASA used .hosts files and rsh well into the current millenium and may well still do so.)
That's four Bloody Obvious horses, with gold bridles and gem-encrusted saddles, that have walked out and were only noticed after they kicked the door down at the stablemaster's house. There may be others.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
My company has all storage options on USB shut off. I mean I know how to get around it, but it shouldn't be hard to figure out.
The security they had was poor because of incompetence, the same incompetence will "secure" it again. Will it work? ;-)
This isn't even really secure information and its extremely likely spies have always had this level of access. What I'd love to know is how secure the actually secure or extremely secure information is... and how easily accessed that is by foreign governments (and future internet leaks as the US government falls deeper into the authoritarian black hole.)
Democracy Now! - uncensored, anti-establishment news
USB watches are available. http://www.thinkgeek.com/gadgets/watches/9771/
Fight Spammers!
Just ban the users! Ok, I'll go now...
Something about this whole affair is bugging the crap out of me.
The messages prior to 1997 are all uppercase, and in the proper JANAP-128 format. They all pass the "sniff test" to me, but what don't pass the sniff test Manning. He could've had acces to the copter video, that'd be out and about. But where the heck is he supposed to be getting cables from the 60's and 70's??? That stuff don't normally get put up on the SIPRnet, it's kept on microfiche in archives.
This smells like someone old. Somene who's been on the inside for a very long time, collecting skeletons, putting everything in electronic format waiting for the right moment to open the door from a safe distance and let it all out. Waiting for the right medium (wikileaks), the right person to make an opening (Manning) and then take all the heat (Assange).
This feels like someone's very old archive. It don't feel like the work of one stupid kid.
....we haven't been allowed to use thumbdrives and such, like, forever......
Sic gorgiamus allos subjectatos nunc
It's great that they finally figured out that letting employees write secret data to a storage device is a security risk, but are they also auditing outbound communication? Will they notice if an employee emails the data to his Gmail account? Or deposits it on some hacked server somewhere? Will they notice it if he uses steganography to hide it in other data?
Or maybe he'll use a program that converts the data to visible data that can be recorded by a camera (sure sure, cameras are against regulations, but stealing data is against regulations too...if he's a determined data thief, cameras can be hidden in all sorts of objects and body cavities). For example, a QR code can hold 4KB of alphanumeric data. If someone writes a program that displays 15 frames/second of QR encoded data and records it with a camera, that's 200MB of data every hour.
If he's patient, he can record it as a 2400 baud data stream and record it on his MP3 player - he can steal around 10MB/hour using this method.
Or maybe he can record it as a bit patter on a laser printer - if he can write at 100dpi reliably, thats around 100KB per piece of paper. If that can be stretched to 500dpi he'll get around 2MB per piece of paper, and will look like a grey piece of paper to the naked eye so security won't pay any attention "Oh that, it's scrap paper I'm taking home to my kids".
How will he get such a data theft program onto the computer? Simple -- if he can't download it off the internet (perhaps a "gif" that just needs the first 128 bytes stripped off to make it an executable), he can plug in a USB keyboard dongle that acts as a keyboard and then let it type in the program for him.
How secure *is* our secret data? Hopefully banning USB drives is just one layer and they are taking greater steps to securing who has access to such data.
I've worked at several different banks that had software in place to disable the USB ports to prevent this exact sort of thing from happening. In one case they built the software in house so that certain USB devices that were issued by the firm could be unlocked, but nothing else. CD writers, if available on the host, were also locked down by the software and could only be used with prior approval. From what I know of the banking industry, this is pretty standard practice.
But computers holding sensitive government data don't even have that level of security?
Some people have photographic memories. Will you ban them from looking at the screen?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
But then the invariable laws of the office privilege and status bullshittery set in. Because it is impossible that Department Head A gets something and Dufus B doesn't.
The whole concept of, "If I make an exception to the rules for you, I will have to do it for everyone" is such bullshit - both as an excuse not to make an exception and as a justification to do it for everyone else. Management like that might as well be replaced by a robot for all the value they add.
When information is power, privacy is freedom.
Am I missing something?
Now I realize there are probably many different configurations for workstations and such, but why is THIS not the point at which leaks are stopped?
Order and implement workstations/terminals/laptops that simply do not have CD/DVD drives OR USB DRIVE PORTS installed. You know, no ports or drives to plug anything into? Short of photographing the image on a monitor, doesn't this pretty much rule out digital transfer of data?
I've seen pictures online (some random image pack on Cryptome, me thinks) of things like a field tent set up with tables in a row and laptop after laptop all networked(you could see the cables), each with a soldier happily going about what appears to be personal activities (a PS2 gaming controller isn't milspec, is it?). If these same machines are being used for OFFICIAL use, no fucking wonder they have problems.
The other possibility is that the whole institution will become increasingly paralyzed and unable to accomplish anything. Unlike a company, the armed forces can't actually go bankrupt. The USB ban and similar issues are already a problem for the Air Force.
The military slaughtered innocent people and covered it up. That was the reason for the leak, to shine a light on wrong doing. To prevent a future leak the military should also own up to it's mistakes and not cover up innocent accidental deaths in future. That would do more to prevent future leaks than any amount of security.
But then the invariable laws of the office privilege and status bullshittery set in. Because it is impossible that Department Head A gets something and Dufus B doesn't.
The whole concept of, "If I make an exception to the rules for you, I will have to do it for everyone" is such bullshit - both as an excuse not to make an exception and as a justification to do it for everyone else. Management like that might as well be replaced by a robot for all the value they add.
You have clearly never been a manager.
XML is a known as a key material required to create SMD: Software of Mass Destruction
1) Physically hide away the computer casing, so that no I/O ports can't be accessed by the user.
2) Leave a 'reception' where legitimate users, with the help of a commanding officer, can upload data to a removable media upon approval.
3) Create a special purpose folder on the network that is visible to the user, and the person administrating removable devices.
This way, no data can leave the network without some commanding officer approving it.
I've had a number of thought experiments with colleagues over the years as to how you could circumvent something like this and there are many, many ways to get data off a machine. Take in a pair of headphones with a small recording device (e.g. a nano) and write a few lines to script to turn your files into modem tones. Or watermark the screen using an algorithm that's not visible to the naked eye and take a photo with your iPhone. Or embed confidential data into non-confidential data by encoding it into the punctuation characters. Heck, I've even heard of people tapping into the blinking lights on the wifi port.
You have clearly never been a manager.
First rule of good management - Don't do something stupid just because its written down.
What about punch cards? :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
This action by the US Government is a clear win for Wikileaks. It is EXACTLY what Wikileaks intends for its targets to do. Wikileaks's clear publicly-stated goal is for secretive corporate and government "conspiracies" to react to leaking by restricting internal communications. http://zunguzungu.wordpress.com/2010/11/29/julian-assange-and-the-computer-conspiracy-%E2%80%9Cto-destroy-this-invisible-government%E2%80%9D/
Just under 1300 cables have been published; all 250,000 have most definitely NOT been published. They're being released in dribs and drabs. Source: http://213.251.145.96/cablegate.html
Why so many on /. seems to want to help this dark part of government keep their treasonous, oath breaking secrets. If it was nuke secrets that's one thing, but these are crimes hidden behind state secrets. Anyone who's ran a network in the past 15 years knows how to fix the security side of this, the question is, what about the oath breaking scum running our government which this has exposed. What punishment for them? For god sakes they are hiding treason, and crimes behind state secrets. Doesn't anyone have a problem with this? It's no wonder the US Constitution is intermittent, nobody will *****ng defend it!
(this comment has no love /hate reflection on /. it's the posters motive I question.)
usb sticks have been illegal in the us military for over a year. and they've been quite serious about enforcement. removable media control isn't new because of wikileaks, although prohibition of dvds/cds are probably a direct result.
IMO the date they started the no-usb-stick policy seems to be suspiciously close to the date when stuxnet was supposed to have started taking root in iran.
I worked in a defense contractor in 1989. Even back then we were forbidden to:
- bring a camera to work.
- have floppy drives working on any computer
- have printers connected to any PC - printouts had to be sent to a special room.
- use any kind of portable media (parallel port tape drives, etc).
Of course, all our systems were on a private network - no internet access at all. Part of my job was to introduce software and tools into the network when formally requested - lots of paperwork. That's how compilers and 3rd party libraries were brought inside.
IBM made desktops with locked sliders to prevent access to the floppy drives. I'd be shocked if those weren't still manufactured.
Anyway - this has been solved, just forgotten.
BTW, have you ever wondered why at least 1 Blackberry didn't have a camera? DoD users.
Never will stop leaks and this crap just makes working in a secure environment very hard. But that's just my opinion.
Believe it or don't. In 2006 I was an Air Force IA contractor; and, to my knowledge, I was the first to explicitly warn the Air Force and DISA about thumb USB drives and the vulnerability of DoD's information systems to this type of attack vector. They rejected my security clearance and fired me.
1. Your monitor is at 60 hz, so flash your text or encoded bits on the screen at 30fps, and record it with your iphone HD recorder. High quality mode, or use someother small HD camera that uses little compression.
2. Encode your documents into an audio streamed 6bit/sample with ECC. Hit play and record using your analgoue or no compression digital recorder via the Audio Out jack. This will require some small code in VB you can type in either by memory or from paper/iphone.
If you have a monitor or audio out jack, theres your output jacks.
Liberty freedom are no1, not dicks in suits.
Perhaps they need to address how everyone and their mother has OFFICIAL access to "secret" level documents.
Why not include a rights and access management feature to a modified open-source ReiserFS file system, With the added benefit of a auto self-destruct mechanism via some mechanism that would corrupt the index file thus rendering any and all data un-usable and almost completely unrecoverable. This would probably be one of the more logical methods to keep something like this ever happening again, i may not understand how things operate in a government/federal situation but then you also have the fundamental aspect concerning ethics that from my understanding is part of the uniform code of ethics. Mr manning broke the law, and their are consequence for that action. But one must ask himself how could he have bypassed current security procedures lest "duh duh duh pending conspiracy theory" someone higher up wanted the leak to occur? Could this be a plausible scape goat to keep the sheeple distracted from the real criminals and throw mr assange and manning in the clink for mere ridiculous technicality's. Wake up folks and stop relying on technology to resolve social and societal conditioning.
But yeah, banning removable media is also good...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
You'd think geeks would get the details right: 250,000 cables have NOT been published. Barely over a thousand have been. Yet this dweeb and the entire American MSM spouts about a quarter million cables published. Has idiocy become so enshrined that slashdot editors now bow to it, too? Are there any adults in charge anymore?
Development is programmable; Discovery is not programmable. (Fuller)
Because using a pencam to record images of the screen of a computer showing "classified" information would be wrong. Wrong! I urge people to not do this, and to not pass the information along to an organization (like Wikileaks or Openleaks, for instance) which would disseminate the information. You're naughty for even considering it.
I would also advise against using Bluetooth dongles and cellphones to transfer information off such computers. This would also be bad. Very, very bad. Don't even think about doing it. Don't try wireless USB either, when it's available to you. USB 802.11x adapters would be a bad idea, as well.
If you do these things, you are a horrible person, and I hope you're eaten by rabid cats.
Sincerely,
Anonymous
This supposedly secure system shouldn't be letting you suck 250,000 files out of it without some kind of flags being triggered or a higher access required. Really, why would you need to access all of the files? And if you were doing some kind of automated analysis you should need clearance for that and permission and be monitored to make sure you don't abuse the access.
I've been trying to figure this out for a while now: why is there so much fuss about leaked diplomatic cables in the first place? How does anyone know they're authentic? Why isn't the US government simply stating that none of them are real? I naturally distrust and am suspicious of my government as I know what sort of low-life scum it accretes to itself, but I also am inherently distrustful of private individuals who may possibly have their own agenda. Are these cables somehow signed with a PGP key that can be used to positively identify the origin? Can these messages not be faked? Also again, how the hell does some low-level twerp get his hands on ANY of these alleged sensitive communiques? Lastly, why does the government not simply send a lot of bogus traffic around, as sort of a reverse "I am Spartacus!" maneuver, in which there are whole messages which are essentially nulls, burying the real messages in a sea of BS?
Long live uuencode!
If you don't get this you'd better off browsing barbie.com.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
He's in jail because the first rule of spy club is you don't talk about spy club. If he'd kept his mouth shut about what he'd done, he'd probably never have been caught. Possibly, but probably not.
I work in a fairly small and relaxed business, and even there only the people that are trusted to burn client data to disc have DVD burners. There's always the USB device angle but less relaxed businesses (eg. a legal firm a friend works for) put epoxy in the USB ports of most machines.
We're seeing a failure at many levels - why did Manning have access to so much stuff anyway let alone be able to get it onto a device and get it out of the building? Apparently any of three million people could potentially have done the same thing. We can be pretty certain that even small countries with very little effort put into intelligence gathering already have all of this stuff. Somebody sympathetic to the Saudis probably got it all out years ago then somebody sympathetic to Bin Laden may have passed it on long before Manning got hold of it.
No, it's a matter of changing the rules for good reason. Some managers just don't grow up and are jealous of extra "privilege" and do not understand that even the janitor has keys to get into more areas than they do simply because of different responsibilities.
It's like the creeping desire of office workers in fixed locations to have laptops because they see high status management that travel a lot with them and entirely miss the "travel a lot" point.
How does anyone know they're authentic? Why isn't the US government simply stating that none of them are real?
There are simply too many of them to be easily faked in a convincing way. Even the ones that have been made public. And of course the US government cannot reasonably claim at the same time that they are fake and that they are endangering US interests. (Not that governments are always reasonable in matters like this.)
Lastly, why does the government not simply send a lot of bogus traffic around, as sort of a reverse "I am Spartacus!" maneuver, in which there are whole messages which are essentially nulls, burying the real messages in a sea of BS?
I'm not entirely sure what you propose, but I don't see how this could work. The leaked set of messages is fixed, so adding nonsense to the set won't work. The Pakistani secret service has planted negative stories about India in Pakistani newspapers supposedly based on leaked cables. That was quickly debunked, though, again because the supposed quotes were not found in the real leaked messages. I don't see how anyone else could be more effective with such a tactic.
No, it's a matter of changing the rules for good reason.
We seem to be in agreement. My point is that managers who refuse to manage the exceptions in favor of rigidly conforming to simplistic policies aren't managing at all.
When information is power, privacy is freedom.
As i understand it, "leaking information to third parties" was already banned, so anyone looking to do that is already breaking the rules wether they use removable media, steal the internal hard drive, transfer data out over the network, take photographs of the screen or even just print it out...
Banning the use of removable media just makes life harder for those people who do want to play by the rules and do their job efficiently. People who want to steal data will just find a different way to do it.
And this assumes they enforce the banning of removable media effectively, most deployments i saw just had a program running designed to disallow you access to removable media devices, but if you can make this program crash then everything opens up.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
It's not a "concept", as much as it's human nature. Don't ask me, I never understood humans, but it seems that they get irate if someone has something they don't have, no matter whether they need it or not. It's that odd mix of greed and envy.
The most ludicrous things happen should a "subordinate" need something "bigger, better, faster, more" to do his job than his superior. Like, say, I need a faster computer to program, compile and draw charts than my boss, who does, at best, read emails with his machine. If you have a smart boss (like I had at that time), you can actually turn those office floor alpha male bull around in your favor.
My boss ordered a new machine for me, which was required and the beancounters approved because it was simply necessary. But in turn, his machine would have been inferior, so it was simply unacceptable (at least according to the management droids) to just drop a "good" machine (read: a tenth of what I'd need but twice of what the beancounters would spit out without throwing a tantrum) on me and have my boss suffer from using a machine not superior to mine. I was wondering at that time why my boss was chiming in and ranting how it is inexcusable, usually he was a pretty level headed guy and not playing the office floor alpha male game. And he didn't really need his machine for anything but emails and managing appointments.
When our new boxes got delivered, he took "mine" and gave me "his", mentioning something along the lines of this being the only way to get me a sensible machine.
No, he didn't know much about computers or what our department actually did (i.e. produce software), but boy, he was great at playing the office games! I miss him.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Try, just try, to show a mid level manager why that dorky computer geek needs higher privileges on "his" (the manager's) machine than the manager himself gets. And now convince him that ISO 2700x demands that.
From a sensible point of view, the last thing I want is higher privs on a work machine than I absolutely have to have. For more than one reason. First, it takes away the convenient "can't do that, don't have the privs" excuse whenever I don't want to do something. Lame excuse, granted, but it gives you a good reason to take a trip to the water cooler and let the computer geek do the installation (and be responsible for it when (not if, WHEN) it fucks something up). If you have the privs to install stuff on your machine, you may rest assured that you will be forced to learn how to maintain it because you will be expected to install patches and new software because "you can do it, so you can do it".
Dear managers, do you REALLY want that? Hmm?
And second, the even more important reason why you do NOT want more privileges than absolutely necessary: Responsibility. When (not if, WHEN) something blows up, you can just toss you hands up and say "I didn't do it! See, I COULDN'T do it, don't have the privs, don't look at me, can't help you solve it either 'cause I don't have the privs, guess you don't mind if I leave early today 'cause I can't do jack anyway. Have a nice one, see ya tomorrow!"
And now explain again WHY you want more privileges than absolutely necessary!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The problem is that most managers, especially in mid-level positions, are not really deserving the title "manager". They're not managing. They're executing.
Managing entails some sort of decision making. Defining something, acquiring the resources necessary (material and personnel) to achieve this something and distributing them, solving logistics problems... in short "managing their resources" to achieve a goal.
That's usually not what mid-level management does. In most companies, they don't decide jack. They get their resources (material and personnel) dumped on them, they get a target to achieve and they often even get the full detailed plan how to get there. In short, they're supervisors, and often not even that, given that often they don't even know what the people they're supposedly supervising are actually doing.
Such "managers" cannot even make exceptions to make things run more smoothly, they don't have the freedom to do that.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
We've got a lot of that going on in my company. It is going to such an extend that I am leaving the company because of it.
Currently I'm locked in a Software Engineering position (by my own consent, I like designing / help create software). Although I have been part of international standardization, I've been to many sites of companies that create products for us, and have been a driving force in getting common criteria certification, I'm still seen as "just a developer". This goes to such an extend that I cannot perform my work in any satisfactory way.
People are different, and they have different needs. I'm not against anybody getting additional hardware or other privileges as long as they are required for him to do his job right, even if they hold the "same position" that I'm in. And the reason to put "same position" between quotation marks is obvious: they are *NOT* in the same position, even if they have the same job title.
I'll try and go to a company that sees what people for what they are and try to get the best out of them instead of putting them down. And don't say these companies are not to be found - they are out there (Google comes to mind, this seems to me the main reason that they are so looked for for job positions).
Wikileaks calls US Government douchebags ! News at 11, where permitted.
$29.99 and it's yours.
of course they triggered an alarm, and the conclusion is that these 250,000 files were *allowed* to be sucked out. Think about it.
...only outlaws will have flash drives. After all, if you're going to leak sensitive information, and you get caught, you're going to get much worse than a court-martial. I think the directive will end up doing more harm than good.
The summary mentions the "recent publication of more than 250,000 diplomatic cables". This is a falsehood that keeps circulating. As of this moment, Wikileaks has published only 1295 of these cables, and I believe nearly all of these are published in the redacted form that has already been made public by cooperating news organizations such as NYT, Guardian, Der Speigel, etc. Glenn Greenwald at Salon seems to be the best source of reasonable reporting about this whole WikLeaks witch hunt: http://www.salon.com/news/opinion/glenn_greenwald/index.html It would be great if the /. editors would correct this misstatement in the story summary.
NSA publications expressly prohibit the capability to transfer files to insecure formats.
Citation needed.
In my experience, the NSA, DoD, and friends rely much more on physical and personnel controls. A system assumes the highest classification of any information on it. A writable medium mounted on a classified system assumes the classification of the system. If you've got a security clearance, you're expected to protect such media as any other classified information. The regulations very rarely dictate anything about file formats or access control, beyond protecting the authentication and audit subsystems of the system itself.
Now, whether they *should* worry about that kind of thing is another story. Certainly, for selected programs, much stricter requirements tend to be imposed on things like removable media, and that's a good thing for data security. But those are technically imposed at the local level, not from official regulations.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
All you need is an ability to execute a personal program and record the result -- with a mobile phone, perhaps?
In fact, I think modern phones are quite capable of running OCR live...
floppy disk drive be removed. And off the network.
I think you'll find that was a requirement for any system to be C2-certified - it was part of the spec.
Not really.
You can't certify an operating system by itself. Only a whole system -- hardware, software, configuration, *and* your plan and procedures for keeping it secure. So Microsoft never "got Windows NT" certified, because that simply isn't possible.
I suspect what Microsoft did was publish a set of guidelines to help one configure an NT box to help you meet NSA Orange Book guidelines. (MSFT publishes similar guidelines today, for newer regulations.) Microsoft advised to disconnect the floppy drive because if you can boot from floppy you can bypass the OS. Disabling things in the BIOS would also work, but back in 1995 many computers (especially IBM's) didn't have that option.
I don't know why MSFT didn't cover network security. Possibly it was just beyond the project's approved scope, possibly no one was asking (in 1995, classified PC networks were much more rare), maybe they couldn't do it, who knows?
It is true the Orange Book (which defined the divisions and classes, like C1) doesn't address networks at all. But it doesn't disallow them, per se. Again, the entire configuration has to be certified as a whole. If you want a network, then all computers on the network, and the network itself, have to be considered part of the system, and certified together. The NSA Red Book got into network security, but really didn't make things much different.
I'm given to understand that the Common Criteria (which replaced the NSA Rainbow Books) allow for more flexibility, which is how the SIPRNET exists at all. In the spaces I've played, though, they still use the "certify the network as a whole" approach. It's certainly easier to secure that way. An air gap is the best firewall.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
You're not supposed to have phones in classified facilities. That, along with all removable media shall not leave the facility, is a policy.
There's no government-wide rule that says you cannot have a mobile phone in a classified facility. Such rules are often enacted, but that's at the local security plan level, not official regulation.
The rules for Sensitive Compartmented Information or Special Access Programs are stricter. In a SCI or SAP Facility, phones and personal electronic devices are prohibited by the governing regulations. Additionally, strong controls on media use, both procedural and computer-enforced, are often enacted at the local level. But SIPRNET and SCI/SAP are basically antithetical to each other, so it's kind of moot for this WikiLeaks scenario.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Thank god they didn't ban floppy disks.
You laugh, but floppy diskettes still see a lot of use in classified environments precisely because they're still allowed. HHOS.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
I really dont get this, my employer is a bank with much less resources available to it (both financial, and intellectual) when compared to US Military and Intelligence organizations.
Yet, they have disabled ALL USB mass storage profiles, and CD/DVD write capabilities on all machines in the enterprise. Computers still have USB, and DVD burners, they just dont work for saving data.
All emails are scanned, 1 guy got fired for mailing sensitive information to his private email account as that was the only way he could free it from the Corp network.
Pretty stupid I know, maybe he can get a job with the Army.
I'm not an Info Sec specialist, but I would think this is a straight forward, "first pass" kinda thing.
Looks like these guys fight data leakage as well as they fight terrorists
When will they stop treating the symptoms and finally outlaw that PHqing Toy OS on ANY machine ?
What I find hilarious is that SIPRNET keeps coming up in this story... yet, the cables released are classified Top Secret and higher. Anyone in this field knows that's not possible so... is this just a mix up by the press? Did anyone (official) announce this young soldier had access to JWICS (or equiv.)?
Back in the 1980s, a popular toy was the Furby. The fun part was that you could "teach" it to talk. It listened and then parroted back what it heard. A dad, who worked in a classified area, was given one as a present by one of his children. He put it on his desk at work. As time went by, the stupid thing "learned" from discussions and phone calls and repeated what it had learned at an inopportune time -- when the boss was walking by. Shortly thereafter, a directive cam out banning Furbies from classified areas. At least that's how the story goes.
I take it they are going to disable USB and CD/DVD-ROMS at the hardware level, and also physically remove those interfaces from the motherboards/casesthemselves? Considering how many devices have internal memory, anything can be a thumb drive. Ipod, Iphone, watch, you name it. All you have to do is plug it in. USB is so ubik as well, that I don't think someone experienced in this sort of thing will have much trouble turning it back on if disabled. Reboot-bios-on. It will prevent the casual and retarded I suppose, which is likely the larger danger.
Now the military could design their own motherboards, custom bios and their own proprietary data transfer interface, making it incompatible with anything else, which would at least force someone to reverse engineer it first. Of course that would cost millions no doubt, and some jerk would likely break it in a week.
I mean come on, network admin 101 clearly says, if you want no leaks, then disable all your io ports from output, seems easy enough to follow, so if you want the military admin to be as smart as a regular admin, you have to clearly break into their system, and leave traces easy to find so that they can then deduce that this mentality actually applies to them as well.....???
and, God-forbid, not implementing stupid policies that are morally questionable. Assenge noted in an interview that the purpose of Wikileaks wasn't to start a revolution but to make it easier for (morally)good companies to do business and to make it harder for (morally) bad companies to do business. The same could be said for government. Hire a trustworthy+competent staff don't be a jackass and you'll be less of a target, or at least implement fewer inane 'security' measures.
"Those who have nothing aweful to hide, have nothing to fear"
Hey, Mr. Government, how does it feel to be on the receiving side of your number one argument in favour of privacy violations ?
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The public knows they were getting smoke blown up their ass, and they wanted the truth. So, they found it. The military is creating a market for the truth by keeping it from us.
In this day and age, if you deprive people of information, they're only going to want it more.
in other words, you're turning the government's favourite pro-privacy-invasion mantra ("those who have nothing to hide have nothing to hide") against themeselves.
nice job !
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
There's nothing mandating TCB B3 for collateral SECRET in any DOD issuance I'm familiar with. B3 was pretty hard to get; it's most definitely more than EAL4. I can't say for sure the DOD has never issued anything mandating EAL4 for SECRET, but if they have they've never flowed the requirement to the regulations I work under.
Many of the standards you list specify do not address applicability or mandate implementation. They are a framework, a mechanism -- they are not policy. The fact that something is a Federal standard doesn't mean it is a *mandatory* standard. Thee are tons of things standardized for agencies who *elect* to employ something.
Further, the DOD is largely its own beast. FIPS is for civilian Federal agencies; it and other NIST issuances generally don't have jurisdiction over DOD. FISMA (the law that gives force to things like FIPS 200) explicitly exempts DOD, NSA, and other "national security" systems. The DOD adopts a lot of that stuff anyway, but it's their option.
If there isn't a DOD Directive, Instruction, Manual, etc., that says "All DoD commands shall do XYZ", there's little to no real force behind it, as far as DOD goes.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.