Russian Hackers Exploited Kaspersky Antivirus To Steal NSA Data on US Cyber Defense: WSJ

An NSA contractor brought home highly classified documents that detailed how the U.S. penetrates foreign computer networks and defends against cyberattacks. The contractor used Kaspersky antivirus on his home computer, which hackers working for the Russian government exploited to steal the documents, the WSJ reported on Thursday (the link could be paywalled; alternative source), citing multiple people with knowledge of the matter. From the report: The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said. The theft, which hasn't been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S. The incident occurred in 2015 but wasn't discovered until spring of last year, said the people familiar with the matter. Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said. Ahead of the publication of WSJ report, Kaspersky founder Eugene Kaspersky tweeted, "New conspiracy theory, anon sources media story coming. Note we make no apologies for being aggressive in the battle against cyberthreats."

LOL

[Aighearach]

OK fanboys, I've got the popcorn out, what is your new excuse why they should still be trusted? The nonsense people said last week was so rich, I'm waiting for it to grow even more absurd today as the cognitive dissonance builds and blinds them to the quality of their arguments.

Re:LOL

[Tablizer]

your new excuse [defense?]

Simple, Ruskies probably did the same to the OTHER antivirus co's. We just haven't heard about it yet.

Doesn't mean K is good, just that like the telecoms, their competition also sucks. In the land of D-minuses, D is king.

Re:LOL

According to the summary, an anti-virus product helped to protect against cyberattacks. Meanwhile, certain foreign govermnent-sponsored hackers are complaining that some of their victims may now be able to defend themselves against some of their cyberattacks. This poses no additional risk to citizens of the U.S. unless the NSA chooses to withhold information about the exploits that they had been using.

Why who should be trusted, by the way? Were you addressing fanboys of the WSJ, the NSA, Kaspersky Lab, or those hackers who hacked the other hackers?

Re:LOL

[DivineKnight]

Russian hackers / {crackers}? Your guess is as good as mine. Though they are pretty good at cracking DRM on video games, etc. I think I'm supposed to post something like: ----===Greetz Fr0m Raz0r 1911 to all the crews===----...

Oh wait, you meant Kaspersky. Still looking for some evidence there...I mean, they are Russian (I think?), but that's purely beyond their control (they were born that way).

Now, why the contractor was using last year's antiviral / anti-malware solution? Questions should be asked. I could double-check the leaked Panama Papers, but I thought BitDefender...and one other, someone remind me, was this year's hotness. Unless that's what the CIA / NSA wants us to think (puts on tin foil hat).

 

Re:LOL

[gweihir]

Stupid is stupid and no way around that. But do enjoy your popcorn, that seems to be right down your alley. difficulty wise. But I would advise you to stay away from anything mentally more tasking.

Incidentally, you are being stupid by believing Kaspersky is any less trustworthy than their competitors.

Re:LOL

whatever you say, Ivan.

Re:LOL

[swb]

I'm willing to buy the argument that they were more easily exploitable because of their domestic Russian base -- that means vulnerable humans who can turned through the usual apparatus of spycraft and domestic security services, as well as increased general vulnerability because of their geographic location.

That being said, I think any software producer whose products are expected to run at "ring zero" of security should be thought of as vulnerable, regardless of where they are based. I'm sure the intelligence services and security services long ago made the conceptual leap that these were vulnerable targets that would give them direct entry into high value targets due to the nature of their functional security requirements.

I think the chain of trust anymore is pretty much broken and it's not really very paranoid to consider anything secure.

Re:LOL

[viperidaenz]

Last year's antivirus? This happened two years ago.

Re:LOL

[Bert64]

Russia has one antivirus vendor they can leverage...
The NSA has several, as well as OS vendors and many other software vendors...

I'm sure the russians are making use of any situation which is to their advantage, but it's naive to think the NSA and other intelligence agencies aren't doing exactly the same.

Re:LOL

[Aighearach]

Or as they say in my country, "SQUIRREL!"

I'm not really that interested in network squirrels, or even urban squirrels.

Re:LOL

[Aighearach]

Your response is literal FUD. You do understand that, right?

Re:LOL

[JohnFen]

There's an old truism when it comes to security: the moment that you feel secure is the moment when you are the most vulnerable.

No defense is impenetrable, and if you feel that yours are, it's very easy to overlook red flags that you've been penetrated.

Re:LOL

[Aighearach]

Calling me names won't change the situation in any meaningful way.

Re:LOL

[Aighearach]

Absolutely! Trust no one!

On linux when we run virus scanners for whatever reason, we run them in userspace.

That said, if you're on a system that needs active protection from virus scanners, then avoiding the vendors with an enhanced risk profile seems obvious. You have to trust somebody in that situation, but yeah, don't trust them very much; be ready to change later when somebody else appears to be the least risky, because it changes over time.

And avoid vendors outside your own country or allied countries. Obviously, because security products might all be tainted. The risk profile is not all equal. If you're in a place with no effective legal protections against your own government, then it doesn't matter what products you use you never had any computer security and never thought you did. If you live in a country with any significant level of citizen rights, then your domestic or allied security services are not threatening in the same ways that foreign ones are; and that remains true even when you have privacy or other civics complaints about the system.

Re:LOL

[Aighearach]

Right, but that in no way implies that avoiding increased risks means you must be trusting something. You can be distrusting in general, and still be certain that some things can't be trusted.

No defense is impenetrable. Yet use of purported defenses with conflicts of interest is itself a red flag.

Re: LOL

[poity]

No one is making the claim that you should blindly trust the tribe on the other side of the mountain, but that those who allege that the current chief is the product, or even a pawn, of that other tribe need to have more evidence besides pointing to some wooden signs along the river.

Re:LOL

Proof. I don't know what nonsense was said last week, nor do I like Kaspersky, but there is nothing here except vapid arguments that smell really bad. This is an example of WSJ peddling "conspiracy theory" and "anon sources" (I use Kaspersky's words), and I'm not that surprised people are falling for it. Disinformation campaigns have worked for both the US and the Russians.

Note that I'm specifically _not_ defending Kaspersky here, I'm attacking the WSJ as untrustworthy and mouthpieces for the US government.

Re:LOL

[Pinky's+Brain]

The NSA could trivially show proof of a backdoor or sidechannel in a two year old PUBLIC binary without exposing any secrets. If it was there they'd show it.

Ipso facto, it's not there ... fake news.

Re:LOL

[gweihir]

Indeed. It will not make you any less of an idiot.

Re:LOL

[VeryFluffyBunny]

It's not surprising that US media is singling out anything Russian for criticism. Remember when the French wouldn't support the US' 2003 invasion of Iraq? All of a sudden we had "freedom fries" and the bad guys in Hollywood movies spoke with crappy French accents for a few years after. Now it's Russia's turn because the middle classes are pissed off at the working classes for voting in Trump. USA, grow up and take responsibility for your electoral choices. Russia didn't elect Trump, you did!
BTW, I remember looking into the efficacy of anti-virus software and finding out that in independent tests, the best one of the day only caught 85% of malware attacks. Then, there's the more recent stories of various well-known anti-virus software itself being vulnerable to attacks.

Re:LOL

[arth1]

As a former antivirus author, I suggest a third alternative:
Don't trust your computer to any antivirus. You give these programs full access to your machine, and they become an attack vector as well as slowing down the machine.
And it's not like they are going to stop zero day attacks anyhow, and that's the second biggest thing to worry about (after human gullibility).

Re:LOL

[arth1]

Absolutely! Trust no one!

Including the guy who says "Trust no one!", and including yourself.

Especially yourself. When it comes to security, the person in charge of a system or a network is its worst enemy.

Re:LOL

[dcw3]

So, why then is the Senate and DoD ready to ban them? Surely, they don't have an axe to grind for Trump's election.

Though, why would you spend U.S. tax dollars on a foreign product if there's a suitable product made at home?

Re: LOL

[dcw3]

When the other tribe has been your enemy for decades, you don't need more evidence to decide that it's more risky to buy products from them than your own tribe. It may or may not be fact based, but it's still prudent.

Re:LOL

[dcw3]

Nice hand waving. When has NSA ever publically announced any of it's findings? Get a clue.

Re: LOL

[Ol+Olsoc]

No one is making the claim that you should blindly trust the tribe on the other side of the mountain, but that those who allege that the current chief is the product, or even a pawn, of that other tribe need to have more evidence besides pointing to some wooden signs along the river.

Um no. You don't trust everyone you pick up for sex, even though they me be as disease free as Jeebuz and pure as the driven snow.

You wear that rubber because there are some folks out there who just might have an STD, and you don't say hey Russia hasn't been unequivocally proven beyond a shadow of a doubt in a court of law in every country before you decide that you might want to think about not using Kaspersky's AV software.

Re:LOL

[arth1]

Yes, with some simple precautions, you are reasonably safe.
- Do not browse porn or humor sites with flash enabled or without an adblocker.
- Do not open unsolicited e-mail attachments. Especially, don't treat the sender address as authentication - look for text that positively identifies that it's the real sender and why it was sent.
- If you get a suspicious pop-up, don't click its close button, because it could be a visual overlay for the "install" action. Use ALT-F4 to close the browser.
- If in Windows, go to Folder Options - View, and uncheck "Hide extensions for known file types". Then you will see that the attachment that looks like funnycat.jpg really is funnycat.jpg.exe

Thing is, even with antivirus installed, most new infections will go straight past the AV and infect your PC. The reason is of course that those who write malware test it against the AV software first, and make changes until it passes. Then they have several days until the AV software recognizes the change, and they make another permutation. The net effect is that the AV software will scan enormous and ever-growing lists of signatures, and slow your system down more and more, while all new malware still gets through.

An observant user, on the other hand, stops most new malware. Unless you're specifically targeted by a hacker, you're reasonably safe.

Re:LOL

[david_thornley]

Incidentally, you are being stupid by believing Kaspersky is any less trustworthy than their competitors.

Do you mean trustworthy as a general attribute (probably more or less true, none of them picked up the Sony rootkit), or trustworthy to anyone in particular? I wouldn't trust Kaspersky for an installation with US government secrets, but I trust it as much as any other AV on my computer. If I'm to have spyware on my computer, I'd prefer Russian to US, since the Russians have a lot less potential interest in what I do, and have far less ability to hassle me than US authorities.

Re:LOL

[david_thornley]

You left out:

- Do not browse sites with third-party ads with flash enabled or without an adblocker. My wife once got infected browsing the New York Times site, which fails badly to be either a porn or a humor site.

Re:LOL

[david_thornley]

I don't get your reasoning.

I do little to annoy Russia, other than posting opinions on sites they sometimes troll, and having a friend who's blocked from entering Russia. Russians really can't do all that much to me without considerable effort.

However, I normally have opinions that conflict with those of assorted government officials in the US, which gives them more reason to hassle me than any Russian official has. Moreover, it's not that difficult for a police officer or IRS auditor or some other official to give me a hard time. I don't expect to be picked on by government officials (I'm a male of northwestern European descent), but it's more of a concern than Russian intervention.

Re:LOL

[Aighearach]

That's where you're wrong, they sell access to you to criminal gangs, who steal your money.

Domestic criminals have a much harder time getting that data; it doesn't seem to be even on the market to buy access here. In Russia they openly sell access to p0wned systems from any country not a Russian ally; in the US there is no such mainstream market.

Yeah, if you're a criminal and you're in the US, then in that case you'd have a higher threat profile from the US government; but the vast majority of people worried about computer security are not criminals, but people trying to protect themselves against economic crime.

When foreign criminals steal your money, it is well and truly gone. When US criminals steal your money, it might be gone, or they might have had to do it in a way that the bank ends up taking the loss. When foreign hackers with national backing let their organized crime control your computer, instead of regular "identity theft" where you can prove it wasn't you and eventually get the debt cleared, they control your computer and take control of your banking and run off with your money in a way that you can't recover it.

People don't even understand what the threats are, and yet they're willing to argue about it anyways. Golly.

Re:LOL

[Aighearach]

Make Pancakes Tennis Again!

Re:LOL

[david_thornley]

Are you saying that it's likely that Kaspersky would be coerced by the Russian government into giving out information that they then sell to criminal gangs? Do you have evidence? It sounds far-fetched to me. If I'm going to worry about that possible breach of security, I have to worry about US AV companies, since some of them can get pretty shady, and any market in AV-generated information isn't going to be accessible only from Russia.

Re:LOL

[Aighearach]

I didn't say anything about trusting me, instead I expressed ideas that you can use or not. Making use of ideas requires first understanding them though.

What sort of nonsense would you have to be doing where trust of self would even come up as a security issue? Are you writing your own login code or something? Don't trust yourself, instead learn best practices about which parts to use stable libraries for.

Re:LOL

[arth1]

What sort of nonsense would you have to be doing where trust of self would even come up as a security issue?

Anyone who writes code, or configures a computer, or add firewall rules, or pick programs to install should question whether they trust themselves too much, and whether a second and third set of eyes would be useful.

We are easily blind to the problems we ourselves introduce, and tend to trust our own judgement without questioning. And when the brown stuff hits the rotating thing, the natural reaction is to place blame elsewhere, and forget that we shouldn't have trusted our own judgement.

Idiot Contractor

[DatbeDank]

The problem here isn't Kaspersky and Russian hackers, they're just being opportunistic.

The REAL problem here is a dumb @$$ contractor who stole classified information and brought it home.

Why isn't the contractor, both company and employee, being punished for breach of secure information? Any other countries' spooks would want this info, including our allies.

Ahh that's right, let's just take this as an opportunity to bash Russia some more while our real enemy China is cleaning out both our industrial trade and military secrets! /sarcasm

Re:Idiot Contractor

Do you have a copy of the terms of the contract that dictates what the contractor is and is not allowed to do? Can you provide information on relevant law governing information access? Can you cite what level of clearances are involved?

From TFA:

"An NSA contractor brought home highly classified documents that detailed how the U.S. penetrates foreign computer networks and defends against cyberattacks. The contractor used Kaspersky antivirus on his home computer...

As you can see in the above text, I've highlighted the areas that might help pull your head out of your ass.

"Home" computers are not something that is authorized for storing or transmitting highly classified information. Not to mention "home" building codes lacking SCIF-level TEMPEST protections. Regardless of my lack of access to specific contractual details, I'd say there's about a 0.0000001% chance that this bullshit was authorized in any way.

Re:Idiot Contractor

Sure, it's all spelled out in the NISPOM:
https://en.wikipedia.org/wiki/...

The most relevant section is Chapter 5:
http://www.dss.mil/documents/o...

Nobody can take classified material home, ever. Nobody can put classified material onto an unapproved computer, ever. These are not things that change from contract to contract.

Re:Idiot Contractor

[Gilgaron]

The terms of the contract can't violate federal law about classified material... the only question is if the contractor's training was deficient or if he willfully ignored the rules and laws.

Re:Idiot Contractor

[AutodidactLabrat]

It wasn't a crime
As Comey noted, all the Top Secret was from PUBLIC SOURCES (newspapers).
The mere fact it was in the public domain did not reduce the classification
That said, unless you can prove she KNEW it was classified material, from the PUBLIC SOURCES, no case, no crime

Re:Idiot Contractor

Not quite: If you are the recipient of classified information, marked or unmarked, emailed to you, you have a responsibility to report it. Not doing so is a violation - probably not a jailable violation, but your next security briefing would be uncomfortable to say the least, and you probably would be denied anything above flat SECRET clearance in the future. Back in my classified days, I once received (from a government lab employee) a series of SECRET, oh, lets call them numbers. The guy obviously didn't mark them as such, and he even split them between two emails because he knew that the two emails together contained classified information, but separately they were unclassified. Fun fact: splitting a classified item between two emails specifically to avoid classification procedures is a no-no. I reported the incident. He was fired. My computer was seized off my desk for sanitation which took three days. The email server was scrubbed, but I reported it so quickly no backups were impacted, so that made scrubbing significantly easier.

Your next question would likely be: how do you know it's classified if it isn't marked? Answer: you make it your job to know. You work in the field, and you come to know what smells like a classified fact or figure. There are also security classified guides to help if you're not sure. And I admit, sure, one email, a hazy classified thing that you read quickly and slips by absolutely possible. But 100 emails (your number, I thought it was a little larger), that's willful disregard and negligence. If I had done it, probably not jail, but certainly no more clearances in my future.

I also seem to recall (too disinterested to look it up because this is all in the distant past), I believe what Comey said was not that what she did was not illegal, but that no one would prosecute her for it. Of course, not - she was Hillary Freaking Clinton, the likely next President of the US. That's like saying, hey, I'm pretty sure this is a loaded handgun I have here, but I can't seem to find anyone willing to put it against their temple and pull the trigger to test that theory.

Re:Idiot Contractor

[bobbied]

Because of Hillary Clinton.... She E-mailed classified stuff around the planet on her personal E-mail server without so much as ROT 13 encryption... BUT.... James Comey decided that it wasn't a crime and announced to the world that he didn't think she could be charged because she had no intent to be careless.

If Hills can, why not this contractor? After all, it wasn't their INTENT to share it with the Russians and they presumably didn't E-mail it to anybody.

(Sarc off)

Show me where Hillary actually mailed known classified material using her server. Oh right, you can't. (snip)

I understand you hate Hillary, I don't like her either, but at least stick to facts.

I believe your facts are a bit behind the truth. Comey's guys found E-mail MARKED classified which Hills sent/received. You need to read that again... The content carried portion marks that indicated it was classified. What's worse, it was literally cut and pasted from a classified document into an unclassified E-mail.... (Perhaps not by Hillary, but by SOMEBODY, and that means classified was improperly put on an unclassified system..)

Hillary claims that she didn't see and understand what these marks where, but the FACT here is that she DID send classified information which she SHOULD have recognized as such because it was portion marked. She was trained on this stuff as a pre-condition of receiving her clearance, if she was paying attention, she would have known. I don't believe she's that stupid, she knew what it was, I believe she just didn't care.

Re:Idiot Contractor

[fafalone]

http://www.politifact.com/trut...

Politifact isn't exactly a right-wing source either. Both sides like to ignore or forget facts that don't fit the agenda.

And perhaps there would have been more, had she not instructed people to *remove* those markings:

https://www.cbsnews.com/news/state-department-releases-more-clinton-emails-several-marked-classified/
CBS isn't a right-wing source either.

Look, she was still a better choice than Trump by lightyears, but it does no one any good to continually pretend the e-mail issue wasn't illegal conduct she got a pass for. Comey's conclusion was that it was ok because she "lacked intent", but the law had no intent requirement, and other people have been prosecuted despite similarly lacking intent (the submarine selfie guy comes to mind). Come on.

Re:Idiot Contractor

[bobbied]

Ah, but you forget that she sent/received content with portion marks. Public Sources do not generally portion mark their material. That stuff came from classified documents, was marked as classified, and should have been recognized by Hillary (and the rest of those reading the E-mails) as classified.

You are stopping at story #3 out of #4...

Story 1: I didn't use my private E-mail server for work E-mails, it was just wedding planning and Yoga schedules.

Story 2: I used it for work, but only for non classified stuff and only because I didn't want to have multiple devices just to receive E-mail.

Story 3: I used it for work, but didn't send anything that was marked as classified. It was all public information that was retroactively declared classified.

Story 4: I did send and receive Classified, some of it was obviously portion marked, but I didn't see that at the time....

Hillary has misstated the truth multiple times here and had to revise her story as more facts came to light.... Comey clearly said as much.

Re:Idiot Contractor

[barbariccow]

That said, unless you can prove she KNEW it was classified material, from the PUBLIC SOURCES, no case, no crime

That's not true at all. In fact, some ideas are even born classified. ( https://en.wikipedia.org/wiki/... ).

Also, if a newspaper reporter gets classified documents and writes a story about it, FOR MOST CASES, no crime on their part, and they knew it was classified. The person handing it over, whether they "knew it was classified" or not is the liable party. Otherwise the law would be completely unenforceable. Imagine if you could get out of murder by saying "I didn't know murder was illegal."

Re:Idiot Contractor

[Gr8Apes]

You can read the entire thing here That's as official as it gets. Now, you made the claim that she knowingly sent at the time classified email. We'll await your response....

And those markings mean nothing (much like the ones in the FBI link above) once they are from a supposedly insecure source (e.g., the unclassified State Dept email server)

Re:Idiot Contractor

[Gr8Apes]

I clearly read the FBI report It's clear that you did not.

Re:Idiot Contractor

[Gr8Apes]

The summary is this:

In total, the investigation found 110 emails in 52 email chains containing information that was classified at the time it was sent or received. Eight chains contained top secret information, the highest level of classification, 36 chains contained secret information, and the remaining eight contained confidential information. Most of these emails, however, did not contain markings clearly delineating their status. ... About 2,000 additional emails have been retroactively classified, or up-classified, meaning the information was not classified when it was first emailed.

So, classified information is funny stuff. A "fact" can be classified, but only if it's stated in relation to another fact. Guidance states that if something is classified, it is better to never mention it unless its absence makes it notable. (e.g., for instance, a series of numbers, 1, 2, 3, 4, 6, 7, 8 where 5 might be classified in some relation to, say, number of x's) And yes, writing publicly releasable documents when you hold a clearance can be a real challenge.

But, back to your CBS reference and so forth - 2 document had markings, but didn't actually contain classified material, this again just proves that just because it's stamped with a classification doesn't make it so. And finally, her telling her subordinate to send the talking points insecure doesn't mean they sent classified info that way, and it even states that in your link. Take the above example about 5.... If I send that same "classified" information paragraph, removing the number and relation from the text, it's no longer classified, much like those redacted FBI documents

I still hold that her having a private email server was stupid and against general common sense security policy as practiced within at least large portions of the government. She should have known better, as should have Rice and Powell before her, but especially Powell, who has 0 excuses.

And don't get me wrong, she was still a terrible choice, just less terrible than the one we got through a fluke of an ancient system designed to overcome the limitations of technology at that time. In fact, only her, out of all the possible other dem candidates and quite a few republicans could have lost. That's how terrible she was as a candidate. Don't sugar coat that one.

Re:Idiot Contractor

[bobbied]

Seriously? The markings mean nothing?

You are either daft or just flat don't know what you are talking about. What do you suppose those things in () in front of each paragraph actually are and what do they mean? Those are portion marked. Here is some material you need to read: https://www.archives.gov/files...

FIRST: The FBI isn't going to just post the E-mail's in question unless they got them declassified. That would be mishandling classified and SOME folks in the government actually try to follow the rules.

SECOND: The portion marking on the paragraphs DOES means something to those trained in what they mean and Hillary was trained as a condition of getting her clearance.

Finally... Did you actually READ page 2 of the report you provided the link to? The first paragraph makes it pretty clear that Hillary had some pretty sensitive stuff on her various E-mail servers and devices... Stuff your average person would have been strung up for mishandling..

Re:Idiot Contractor

[Gr8Apes]

Bunch of emotional hysterical blah blah deleted.

Finally... Did you actually READ page 2 of the report you provided the link to? The first paragraph makes it pretty clear that Hillary had some pretty sensitive stuff on her various E-mail servers and devices... Stuff your average person would have been strung up for mishandling..

I actually did read it. I even summarized it (You may want to read that link). We have no idea what the info was, as it's redacted. We know there were email chains between unclassified systems, which means there should be no classified info on them. We also know that only a handful of emails with classified info originated from Clinton, and that none with markings did so. BTW, you know those pages come with markings, right? And if there is no classified info on it, it's not classified? It's actually misclassified or over classified.

As for your comment about average people, note that Powell was the first to use private email services, and he should have definitely known better considering his positions through the 90s. And where's your pitchfork for him, or Rice, for that matter. They're either all guilty, or none.

Re:Idiot Contractor

[bobbied]

I believe you looked at DOCUMENT 2 page 1.. Look at document 1 page 2 where it discusses the 2,000+ classified E-mail they found. This stuff was highly classified, compartmented stuff. Stuff you don't find in the public domain, ever....

Re:Idiot Contractor

[bobbied]

She just didn't care. It's not that hard to keep things separated, it's a pain in the butt, but doable if you have half a care about what you are doing.

Hillary didn't care. She either didn't care enough to educate herself in the proper protection of our nation's most sensitive information, or she didn't care enough to protect it. Take your pick... Either way, it reflects badly on her.

My guess is she knew what this stuff was. It's not like she's a novice with this stuff. She's held clearances off and on for years. She simply didn't care... And let's not forget the *real* issue here.... Using a personal E-mail server for official government business? Really? That's illegal and she KNEW that too. After all, she sent a memo reprimanding one of her ambassadors on this very subject. It was the FOIA request from some right wing group that caught this and sued her to find these E-mail's...

Re:Idiot Contractor

[Gr8Apes]

You might want to reread that yourself. That was 2000+ emails that contained information that was classified after the fact. Also, BTW, out of those 2000+, only 1 was later classified secret. The rest all had the lowest possible classification, confidential. This is stuff you find every day, that thousands of gov workers and contractors know and have, many even without security clearances. Because the information is not magically classified by fact. It is classified by context and relationships. Which is why classified material is such a pain to work with and once you have clearance it's better to just talk about sports or your neighbors kids or something else completely unrelated to work, because even who you saw or met today could be classified, whether you know it or not.

Re:Idiot Contractor

[Xenographic]

> Nobody can take classified material home, ever. Nobody can put classified material onto an unapproved computer, ever. These are not things that change from contract to contract.

Well, unless your name ends with Clinton and it's only classified pictures of North Korea... which we know because we have the emails where they were trying to spin that with their political hacks and they were worried that part would bite them :)

Re:Idiot Contractor

[Gr8Apes]

She just didn't care.

I see you've taken up mind-reading as a vocation also.

It's not that hard to keep things separated, it's a pain in the butt, but doable if you have half a care about what you are doing.

You would know this how? It's apparent from your postings the closest you've ever gotten to classified data is Hillary's emails.

Hillary didn't care.

Repeating an assertion doesn't make you clairvoyant nor correct.

She either didn't care enough to educate herself in the proper protection of our nation's most sensitive information, or she didn't care enough to protect it.

Oh my, I tell you three times... sort of?

Take your pick... Either way, it reflects badly on her.

My guess is she knew what this stuff was. It's not like she's a novice with this stuff. She's held clearances off and on for years. She simply didn't care...

There it is - three times true.

And let's not forget the *real* issue here.... Using a personal E-mail server for official government business? Really? That's illegal and she KNEW that too. After all, she sent a memo reprimanding one of her ambassadors on this very subject. It was the FOIA request from some right wing group that caught this and sued her to find these E-mail's...

So, you're going to go after Powell, Rice, Jared and whomever else was using personal or trump org emails for government business? You're going to be one busy fellow. I look forward to your outrage being posted. After all that, provided you have any energy left, you can hype yourself up on all the personal (non-gov) Russian contacts in the Trump administration, just in the past 3 years. Enjoy.

Re:Idiot Contractor

[bobbied]

Oh yea.. Here comes the Powel did it and Clinton just forwarded stuff dodges... I can tell, there is no point in trying to move you forward here or correct your facts... She made deplorable mistakes though lack of caring and acted like the rules didn't apply to her, what other folks did is immaterial to her problem.

Give it up, she lost the election likely because of all this hoopla if truth be told. Hoopla she brought on herself, but still won't admit... But that's a whole other debate...

Re:Idiot Contractor

[bobbied]

Yea, I don't know anything at all about handling classified information... Of course I could claim to have various clearances for 50 years but this is the internet, I could claim anything about myself and you'd not know the differance.

This "other folks did it" is a dodge. No they didn't, not with classified information, not to this extent and certainly they didn't lie about having done it. In both cases they provided access so the archives could be made in accordance with the law. Clinton? Not so much...

Re:Idiot Contractor

[bobbied]

Read all you want, but the fact remains that this issue with Clinton cost her the presidency... Maybe she made a mistake or was actually criminally negligent, but the facts are that she tried to deflect this issue by down playing it and was forced to admit to more and more serious infractions as the facts came to light. Had she come clean when this story first came to light, she'd likely be president right now.

And I don't agree with your characterization of her e-mails and their contents as not being serious. It was deadly serious in that it likely resulted in the exposure of highly classified information to the world and the FBI report indicates as much. There may not have been a lot of highly sensitive stuff there, but there was SOME, enough to do grave damage to the USA's interests. She tried to minimize it, down play it, and claim that it wasn't a big deal. This opened her up to Trump's "Can you Trust her?" line of attack, which ultimately was very likely to have swayed enough voters to make him president.

If I was you, I'd cut her loose and stop defending her. She's not a viable candidate for dog catcher anymore and will spend the rest of her days writing and selling books or making speeches like her husband. She's almost literally a dead horse...

Re:Idiot Contractor

[Gr8Apes]

Facts aren't dodges. Your biases are showing. It's fine if "my guys" do it, but you'll take the other side to task. Where's your outrage for Trump disclosing classified info to the Russians? You're like a bulldog on a bone, ignoring the steak right next to you.

Re:Idiot Contractor

[Gr8Apes]

There is NO SUCH THING as "Classified after the fact".

You're clueless.

Re:Idiot Contractor

[Gr8Apes]

Yea, I don't know anything at all about handling classified information... Of course I could claim to have various clearances for 50 years but this is the internet, I could claim anything about myself and you'd not know the differance.

I think that's about the truest thing you've posted.

This "other folks did it" is a dodge. No they didn't, not with classified information, not to this extent and certainly they didn't lie about having done it. In both cases they provided access so the archives could be made in accordance with the law. Clinton? Not so much...

You're making baseless assumptions. It's not a dodge. It's a fact - they used private email accounts for government business. 2 were predecessors for Hillary, and bunch are in the current administration that yelled "email email email". "Hypocritical" is the kindest thing that can be said for any position that doesn't take the current group to task.

Clinton didn't lie about using a personal server, at least not to my recollection. However, that aside, how do you know what Powell, for example, did or did not send? By his own admission, all 100K+ emails are "gone". We only have his word. AFAIK, Rice's emails are similarly gone. Without a dump and investigation by an appropriate authority who can determine the classifications both at time sent and post sending, similar to what happened with Clinton's emails, would you be able to make any assertion at all about how badly those predecessors screwed up. Considering their positions, it will be almost impossible for them not to have done something inadvertently.

In case you haven't figured it out - I think they all stink. I just find your particular brand of smearing an individual you bear obvious ill will for pretty disingenuous. I picture you being #3 in the lynch mob, cheering on the slaughter, not having the balls to be the leader.

Re:Idiot Contractor

[bobbied]

She lied.... Well, perhaps she didn't care enough to find out the actual truth and didn't remember so she invented a story to spin out of the problem.... But her story changed over the 18 months it was an active news story and she had to modify her story on multiple occasions as new facts came to light. I've outlined this before.. She went from "It wasn't used for work.." To "It was only for convince and didn't have classified information on it." to "It didn't have anything MARKED classified on it" to where we are today.

Her story had to change as the available facts changed. Instead of coming out and finding out what the truth was and admitting to it, she spun and sputtered, changing her story with every new wave of facts came to light. That's all on Hillary. She obviously either didn't care, at all, about this, or had something to hide. Either way it looked bad for her..

Re:Idiot Contractor

[bobbied]

LOL, and you are defending the gal who's getting written a speeding ticket for doing 20 over by saying "Look at all those other folks doing 5 over! What about them?" I'm not dismissing them, I'm just pointing out that it's not a defense of what Clinton did.

Clinton either lied or simply didn't care enough to know the truth before she made specific public assertions of her innocence to the press. She then had to change her story, not once, not twice, but four times.... It cost her the Whitehouse and almost got her charged with multiple felonies... Face it, She acted stupidly.

Re:Idiot Contractor

[Ol+Olsoc]

The problem here isn't Kaspersky and Russian hackers, they're just being opportunistic.

The REAL problem here is a dumb @$$ contractor who stole classified information and brought it home.

Why isn't the contractor, both company and employee, being punished for breach of secure information? Any other countries' spooks would want this info, including our allies.

Ahh that's right, let's just take this as an opportunity to bash Russia some more while our real enemy China is cleaning out both our industrial trade and military secrets! /sarcasm

It is possible to have two problems at the same time. In fact, that usually how disasters happen. The contractor needs denutted for what he did. But that doesn't mean that software designd to compromise a person's computer is supposed to be applauded as Hey, Everone's doing it, so it's all good.

That isn't how the game works regardless of what you think. Contractor? At best a dumbass, at worst a leaker or actual spy. Kaspersky? Well everyone doing it or not, they were caught. And "Everyone does it" isn't a very good defense.

Re:Idiot Contractor

[david_thornley]

The legal treatment is different based on whether you mishandled classified information as a conscious act or not. (The law may not distinguish, but people who don't intentionally mishandle it are not prosecuted.) This guy almost certainly had to go through some procedures to get classified material to his home computer, and that suggests intention.

It's possible that the guy was not cleared to handle classified information, and therefore did not break the law, but in that case he should have had no access, and whoever gave him access almost certainly committed a felony.

Re:Idiot Contractor

[david_thornley]

Actually, what Comey said is that people who did what she did weren't prosecuted. In my research, that seems to be correct. What Clinton did is normally handled administratively. It may result in temporary or indefinite loss of clearance, or being fired, and is probably a career-limiting move.

Re:Idiot Contractor

[david_thornley]

Clinton screwed up. She did nothing that warrants prosecution, or would have gotten anyone else prosecuted.

Re:Idiot Contractor

[Xenographic]

I discussed all the evidence of intent back here with full citations, including the entire Congressional hearing on the subject.

In Clinton's case, we have an email between her & Colin Powell discussing how to cheat the system. It's hard for me to read this and not think that either person knew exactly what they were doing.

C06125520 UNCLASSIFIED U.S. Department of State Case No. F-2016-11013 Doc No. C06125520 Date: 09/08/2016

Re: Question
From: Colin Powell [redacted] [RELEASE IN PART B6]
To: Hillary Clinton hr15@att.blackberry.net B6
Subject: Re: Question

I didn't have a BlackBerry. What I did do was have a personal computer that was hooked up to a private phone line (sounds ancient.) So I could communicate with a wide range of friends directly without it going through the State Department servers. I even used it to do business with some foreign leaders and some of the senior folks in the Department on their personal email accounts. I did the same thing on the road in hotels.

Now, the real issue had to do with PDAs, as we called them a few years ago before BlackBerry became a noun. And the issue was DS would not allow them into the secure spaces, especially up your way. When I asked why not they gave me all kinds of nonsense about how they gave out signals that could be read by spies, etc. Same reason they tried to keep mobile phones out of the suite. I had numerous meetings with them. We even opened one up for them to try to explain to me why it was more dangerous than say, a remote control for one of the many tvs in the suite. Or something embedded in my shoe heel. They never satisfied me and NSA/CIA wouldn't back off. So, we just went about our business and stopped asking. I had an ancient version of a PDA and used it. In general, the suite was so sealed that it is hard to get signals in or out wirelessly.

However, there is a real danger. If it is public that you have a BlackBerry and it is governmend and your are using it, government or not, to do business, it may become an official record and subject to the law. Readingi about the President's BB rules this morning, it sounds like it won't be as useful as it used to be. Be very careful. I got around it all by not saaying much and not using systems that captured the data.

You will find DS driving you crazy if you let them. They had Maddy tied up in knots. I refused to let them live in my house or build a place on my property. They found an empty garage half a block away. On weekends, I drove my beloved cars around town without them following me. I promised I would have a phone and not be gone more than an hour or two at Tysons or the hardware store. They hated it and asked me to sign a letter relieving them of responsibility if I got whacked while doing that. I gladly did. Spontaneity was my security. They wanted to have two to three guys follow me around the building all the time. I said if they were doing their job guarding the place, they didn't need to follow me. I relented and let one guy follow me one

[REVIEW AUTHORITY: Geoffrey Chapman, Senior Reviewer]

UNCLA

Re:Idiot Contractor

[david_thornley]

Exactly what's wrong about this email? Powell and Clinton are discussing how to use their personal devices, which appear to be against security protocol, not the law. Powell warns Clinton that a device that has official government business on it could be classified as something having official documents, and subject to that law. Powell describes how he fought with security restrictions. I see no mention of classified documents or classifications. I see no mention of violating the law. (During both Powell's and Clinton's tenure, it was legal for the Secretary of State to use a private email server for official business. That law was changed about a year after Clinton left the State Department.)

Did you mean to post something else, or were you hoping I wouldn't read it thoroughly?

Re:Idiot Contractor

[AutodidactLabrat]

Did you read? Hmm? THE MATERIAL CAME FROM PUBLIC SOURCES
Therefore, unless she KNEW it was classified...get it Trumpian?

Re:Idiot Contractor

[AutodidactLabrat]

Yes, she did
And they were all stamped CONFIDENTIAL (c)
So like I said, all the TOP SECRET was from public sources, said the FBI confirmed by Comey

Re:Idiot Contractor

[Gr8Apes]

If I was you, I'd cut her loose and stop defending her.

Thank goodness you're not. I'm not sure I'd like the smell where your head's at. And I'm not defending her, you think I am, which only shows everyone else how clueless you are. All I'm saying is stick with the facts. You seem unable to do that. I'll leave you to rut in your sty now.

Re:Idiot Contractor

[bobbied]

Yes, she did And they were all stamped CONFIDENTIAL (c)

Which is enough to validate my claim that she sent and received classified information on her private unclassified E-mail server which was MARKED as classified.

Clinton denied (at various points) all of the following:

1. She used her private server for work (She did, in violation of State Department policy and federal record keeping laws).

2. She send and received classified information on her private unclassified E-mail system. (She did this too).

3. She sent and received material that was MARKED classified on this private unclassified system. (When she provably did)

4. The information on this system was exposed to our enemies. (Which seems likely to be true by the FBI, but not provable with the information we have been able to recover.)

So she broke the spirit and letter of two major statutes and has likely exposed information that was classified. Further, she lied about all of this and was forced to progressively change her public statements on this activity, which isn't a crime per se, but does speak to her willingness to stretch the truth to stay in power, and the public outcry over it was likely responsible for turning enough voters away to cost her the election.

Re:Idiot Contractor

[AutodidactLabrat]

And, as is well established by the FBI, the (c) mark was confused with the COPYWRITE mark just as I said, thus, to the best of HER KNOWLEDGE, she spoke the truth and committed no crime.
Just like I said
Looking for an excuse to hate Hillary?
Try again! DUH!

Re:Idiot Contractor

[bobbied]

Perhaps I am just looking for a reason to not like Hills... Actually, I didn't like her policies or her continual lying about this and other things.

But you have to admit, I'm not alone. There are a LOT of folks who dislike the Clinton's political views and propensity to be stretchers of the truth to paraphrase Mark Twain. Bill got sanctioned and lost his law license for lying under oath while in office. He got himself impeached too. Hillary participated in the covering up of Bill's indiscretions and didn't bat an eye about having to launch personal attacks on her husband's accusers, not because they were lying, but because it hurt Bill's and her's political futures. You see it's all about power with her and the money that comes with that power.

However, I never would make the mistake to believe that Hillary or Bill are stupid people, backwood hicks from Arkansas or any other such nonsense. They are both quite bright and very astute political players, Hillary more so than Bill even. As much as I don't like her policy or politics, I have never believed Hillary didn't have the ability or intellect necessary to do her various jobs, I just don't like her politics and I don't trust what she says because she has a history of lying.

So now, we come to this E-mail thing that Hillary really messed up on. You want to excuse Hillary by using a "she didn't know better" or worse "She wasn't paying close enough attention" to what was going on. She's not that stupid. She got the training, she knew what the marks where and what they mean, so I don't believe for a second she was just unaware of the nature of the information she was sending on unclassified systems. I DO however, believe that she simply didn't care, that she was smart enough and aware enough to know, but didn't think it mattered.

It actually explains a LOT of what she did and said if you look at it this way. She didn't care because she never thought she'd be investigated on this subject. That personal E-mail server, illegal to use for unclassified work purposes to start was just hers to do with as she pleased so she did. The record retention rules didn't apply, nor did the rules for handling classified information, she was in charge! This is where Hillary failed, she didn't care, and didn't follow the laws that governed her activities. She's Hillary Clinton after all,Secretary of State, heir apparent to the presidency.

It was her attitude that did her in, not her inability to know what a portion mark ment, or that the content being discussed was classified. This makes her categorical denial that this private E-mail server was ever used for work possible. She knew it was, but she thought nobody would look into it, that nobody cared because she didn't care. She was wrong. At that point, the PR game was on for her. She got caught in a bald faced lie, one she should have known better than to say and the rest was about damage control and PR spin. In pure Clinton style, she kept admitting to as little as she could and categorically denying all else waiting for the revelations to stop. It's how Bill handled the Monica Lewinsky thing, the Jennifer Flowers case and how they handled Whitewater together. And actually it's a great method, assuming you can get interest in the story to waine soon enough. Public attention is short, the new cycle is fast, so if you can get enough distance between you and the story and make your categorical denials the thing that gets reported, the public will forget. The trick is to make it a non-story as fast as you can and get your denial on the record as soon and as often as you can, then wait for it to pass. It's the Clinton way, and it usually works.

Hills problem was it kept coming back up, new facts kept making her into a liar and making her change her story. So, in this case, the Clinton spin cycle didn't actually work for her as well as it had in the past. Trump didn't mind bringing up the E-mail thing over and over, forcing all the FBI investigation stuff and Clinton's ev

Re:Idiot Contractor

[AutodidactLabrat]

ARgumentum ad populum.
That and argumentum ad ignoratum explains your antipathy to Hillary, or indeed any rational politician

Re:Idiot Contractor

[bobbied]

Riiiight... LOL..

So, your position, that Hillary was confused and thus didn't lie and didn't commit a crime, doesn't have the same issue...

The fact remains that she *should* have known what that mark means and was legally responsible to properly handle classified information which includes not placing it on unauthorized computer systems. She also *should* have known that using a private e-mail server violated State Department policy and federal law. She failed on both accounts in situations where she should have known better.

You want to excuse her for these failures because she didn't know, but you don't get excused for breaking many laws by claiming you didn't intend to. Involuntary manslaughter doesn't require intent, just reckless behavior. The statute that makes it a crime to mishandle classified material doesn't require intent either, just being negligent is enough.

That's Hillary's problem here.. And yours if you wish to defend her and her public statements.

Re:Idiot Contractor

[barbariccow]

Since somehow my example of "Born Secret" (which includes public sources) wasn't enough, maybe I can offer another example more along your line. Consider the FBI files on Tupac and Biggy. These were classified for years, yet if you look through them, 99% of the information contained within is just newspaper articles / pictures etc from public sources. If you had released a partially-redacted (redacting the 1% of non-public sourced) information from those reports, such that you were only releasing the information which amounted to copies of public data, you would still be transmitting classified information.

I know it can get a little tricky, and that's why there's training for handling classified / titled data for those of us who do so.

Re:Idiot Contractor

[AutodidactLabrat]

Never enough IF YOU DON'T PROVE HILLARY KNEW THE STATUS OF THE DATA!
as Comey pointed out, it wasn't her task to know the PUBLIC material was classified.

Why was he allowed to take the docs home?!

[the_skywise]

It didn't even have to be Kapersky - it could've been any malware on his PC that would've leaked the documents!

Although doesn't this:

Note we make no apologies for being aggressive in the battle against cyberthreats.

Sound like a tacit admission?

Re:Why was he allowed to take the docs home?!

[gweihir]

Although doesn't this:

Note we make no apologies for being aggressive in the battle against cyberthreats.

Sound like a tacit admission?

No, it does not. It merely says that if the Kaspersky scanner detected files it suspected of being malware but did not know yet (e.g. because the identification was via suspicious behavior pattern, not code signature), it phones home. That is standard behavior and no secret. In fact, you agree to that in the license and it can, I believe, be switched off.

So what likely happened here is that the Kaspersky product was configured to send suspected, but yet unknown, malware files to Kaspersky and it did correctly identify some NSA malware as such and sent them to Kaspersky. I men, seriously, this is what correctly working AV is supposed to do. This whole thing is much more likely about the NSA being butthurt that their criminal activity (criminal everywhere outside the US that is) was discovered and that their respective malware is now detected by Kaspersky. Add to that a few creatively misleading statements to the WSJ reporters (who have zero understanding of what is going on and how the respective technology works) and you have what the WSJ is reporting now.

Re:Why was he allowed to take the docs home?!

[the_skywise]

That explains how the docs got to Kapersky's labs and Russia.

It does not explain how it got OUT of Kapersky's labs and into the hands of Russian hackers.

So essentially - any antivirus program will essentially spy on you and upload any personal documents it claims looks "suspicious".
It's like having the TSA installed on your computer.

Re:Why was he allowed to take the docs home?!

[gweihir]

In does not even explain that it got from Kaspersky to the Russian hackers. It may have taken another path. Or it may have been given to other parties (including other AV vendors and to government agencies) after analysis showed it was malware and not personal files. AV vendors do that all the time, and some organizations can pay for that data-stream as well.

Yes, every AV spies on you if you allow it to. Configuring AV is one place where you should pay attention.

And no, I am not particularly fond of Kaspersky. I just do not think they are really different in this regard to other AV vendors.

Paranoids burying the lede

[HBI]

The idiot Hal Smith, former NSA employee, apparently put stuff that shouldn't have been seen outside a SCIF on his home system. His content was exfiltrated, presumably by Russians. But now it's the vector of the exfiltration's fault that classified material was stolen.

News flash: the system was broken the moment the stuff saw a computer outside of an airgapped network. For that matter, Mr. Smith put himself in criminal jeopardy at that moment.

If the guy had been using Avast or Bitdefender, would that have made you feel better? Do you really think the Russians couldn't penetrate the firms providing those products? Think again.

While we're at it, do you really think that the Russians are the only people soaking up data from the US like a sponge? Why so much focus on their activities? You'd think people had a political axe to grind, almost...

Re:Paranoids burying the lede

[LordWabbit2]

No, they're just wise enough to see through the media hype and the crap. Something has to fuel the war machine my friend, and if it's not a war, then the fear of a war will do. I am particularly concerned about North Korea at this time, Syria is winding down thanks to Russia's help (who were invited), Afghanistan is a lost cause and America needs to start another war. Gere is an interesting stat, America has been at peace (not fighting a war) for 20 years since it was formed. 93%. You want to know who really runs America? Those people who profit from the wars.

Re:Paranoids burying the lede

[houghi]

The thing is that now the NSA can say that you not should Kapersky, but rather use one that THEY can use to access your information.

Sounds so dumb

[McCaskill]

"targeted the contractor after identifying the files through the contractor's"... duh ? Wait! What the hell is a contractor doing with classified files on his home computer. Sounds so dumb, it looks like someone Wants to have Kaspersky AV software blamed.

Well, given that the NSA spies worldwide

[gweihir]

And very likely with pretty much the methods described, I think this cannot get much more hypocritical. And while we _know_ the NSA does this, we only have a scare-story that may turn out to be a complete fantasy on the Russians and Kaspersky.

Is it so easy to bring home classified stuff?

[Picodon]

I’m a bit puzzled: aren’t highly confidential documents stored, viewed and edited only on secured computers? Is it really that easy for a contractor (or even an employee) to grab a copy and leave with it, entirely unnoticed?

Re:Is it so easy to bring home classified stuff?

[will_die]

Reality Winner did it by printing out a copy and securing it to her body via her pantyhose.

Re: Is it so easy to bring home classified stuff?

[nehumanuscrede]

Sadly, yes it is.

Many years ago when I was doing the Navy thing, I would find classified stuff just laying about, unsecured in staterooms.

( Security patrols in case you're wondering why I was even in Officer's Country )

The vast majority of it was documentation of various things found on a ship that was tossed onto a table or rack ( bed ) in a stateroom. Easy to spot due to the color of the cover sheets. ( blue, red, orange, etc )

Apparently the junior officers thought closing the door to their stateroom was enough to protect it. :|

I thought about hiding it from them just to watch the panic set in when they realized a Secret book was now missing, but it would have ended their careers, so I usually just educated them on it.

Stuff up to Secret levels only. Most TS+ and Crypto related stuff required 2-person control and they were much more protective of it.

Re: Is it so easy to bring home classified stuff?

Back when I was doing TS SCI work (ten years ago admittedly), we were paperless. Every note, every scrap shredded and burned every night. Computers were sealed using a variety of serialized seal types (foil stickers, zip ties, frangible wires), with external ports physically disabled by severing/desoldering wires. Those serial numbers were recorded. If you opened a computer to copy or steal a HD and tried to close it again with new seals, someone should have caught that inside of 24 hours during a secure check in which the serial numbers were checked against a log book. Stealing an electronic document without getting caught within 24 hours should have been impossible, and paper copies should not have existed.

It drives me crazy the number of processes and procedures that Clinton violated for the convenience of an email server in her closet.

Re: Is it so easy to bring home classified stuff?

[Darinbob]

I never did classified work, but when I worked at a defense contractor that did this in the 80s, they were highly paranoid. Even for non-classified work they did not let me take storage devices into or out of the company without authorization. Secure documents were only allowed in secure buildings, and I was not allowed into those buildings until they turned on the flashing lights to tell everyone to hide their papers and turn off their monitors. We had a tunnel to move documents between buildings so that they never touched fresh air. And this was for relatively lower security classifications, far below the level that the NSA would have.

The issue here is that it's difficult to search every employee every day when they go home to be sure they don't have any storage devices. At some point you rely on employees with security clearances to follow procedures rigorously. The fact that we're seeing more of these breaches probably points towards failures in the processes. The fact that these people often are contractors instead of employees may be telling also. Lack of training, cost cutting, reduced oversight, reliance on temps, probably is reducing security.

Quite possibly business as usual...

[kbonin]

1) Any intelligence agency that doesn't look for exploits in commonly used tools isn't doing their job.
2) Kaspersky is a great target for exploit research no matter who you are.
3) Its common practice to keep identified exploits secret for high value zero day attacks JUST like this.
4) Also standard practice to request (or steal) source from domestic (or vulnerable) corps to make exploit location easier.

Not to defend Kaspersky (cause who knows?) but this just sounds like a normal day at the office for this problem space...

The real problem here

[nehumanuscrede]

is the fact the employee brought home classified documents which somehow found their way onto their home ( read that: Unlikely certified to handle classified information ) computer.

Normally, I would consider this unlikely, but apparently keeping classified info on private systems / servers is all the rage these days :|

Re:The real problem here

[bobbied]

is the fact the employee brought home classified documents which somehow found their way onto their home ( read that: Unlikely certified to handle classified information ) computer.

Normally, I would consider this unlikely, but apparently keeping classified info on private systems / servers is all the rage these days :|

I understand the confusion.. Apparently if you don't "intend" to mishandle classified, you can do what you want, including sending it via E-mail to everybody and their brother in unencrypted form. Just be sure to "wipe" that server "with a cloth" should you get questioned on this...

James Comey said so!

Re:The real problem here

[david_thornley]

From a legal point of view, you're pretty much right. Unintentional mishandling is not prosecuted. I suspect it's a policy matter, so that people who have made a mistake won't be afraid of hard time should they report it or fail to cover it up.

Re:The real problem here

[bobbied]

Continued mishandling of classified, albeit unintentional or not, IS a disqualifier however. Seriously, if you make a mistake or two, I'm sure they will be reasonable, require some remedial training in the areas where you are making mistakes and keep an eye on you for awhile. If you keep messing up, they are going to eventually yank your access and kick you to the curb because you don't seem well suited for the work you are doing.

However, intent is not necessary to break the law here. If you are careless enough, they CAN skip all the remedial training and jump straight to criminal charges if they choose. I suppose that if the data you exposed was serious enough and you were careless enough they'd do this.

It's the same legal principle as "criminal negligence" in a wrongful death where someone was careless enough to allow a dangerous situation go unfixed. They were aware of it, had the power to do something about it that would have prevented the death but made the choice to ignore the problem and somebody died as a result. If you are so careless with classified that it rises to the level of gross negligence then it's criminal, intent is not a factor.

Re:The real problem here

[david_thornley]

Continued misbehavior is when a person is warned about his or her behavior and persists in it anyway. It doesn't have anything to do with the length of time the person has been misbehaving. Misbehavior that doesn't occur after a warning isn't continued. If someone has made a mistake, and no attention is called to it, that person is likely to continue making that mistake. Only if the misbehavior continues after a warning is it a matter of conscious choice.

The thing about criminal negligence is that it's only going to be prosecuted if there's actual harm. Nobody's shown any actual harm from the classified emails.

Re:The real problem here

[bobbied]

The thing about criminal negligence is that it's only going to be prosecuted if there's actual harm. Nobody's shown any actual harm from the classified emails.

LOL.. But the FBI does conclude that although they cannot prove Clinton's private server was compromised, it seems likely that it was.

Read the statute on this that Comey talked about when he let her off the hook. It doesn't require intent, only negligence, and it doesn't require proof that the information was compromised. All it really requires is gross negligence and careless behavior which Clinton clearly displayed.

Also, don't forget that Clinton has two legal issue here and the classified information showing up in her unclassified server is but one. The other is that this private E-mail system was illegal due to the required record keeping rules, where all Clinton's correspondence is required to be archived. On both she failed to exercise proper care and failed to live up to the letter and spirit of the law.

Re:The real problem here

[david_thornley]

I'm aware of the statute. I'm also aware of how it is used in practice. Criminal prosecution is done only in cases where there is intentional mishandling, which this wasn't.

What change in the law was there between Powell (who also used private email) and Clinton? It was legal for Clinton to use private email, if she provided for record-keeping, as far as I've been able to tell.

Re:The real problem here

[bobbied]

LOL.. 'Roud this bush again eh?

So.. You are defending Clinton for getting a ticket doing 20 MPH over by complaining that other folks broke the law by doing 5 MPH over only got warnings? When she got pulled over she told everyone who would listen that there was no way she broke the law and the officer was wrong. Upon further investigation, it was determined that Clinton WAS speeding and was ALSO transporting illegal materials in her vehicle at the time... She was lying and actually deserved the speeding citation and more besides.

Both of the people you mention immediately turned over all relevant E-mail's, no delay, no lying about it. Yes, it was wrong for them to do, they admitted to it and provided the necessary information for the archives. Clinton? Not so much, she lied about this, tried to claim it never happened then proceeded to have her E-mail archives destroyed so they can never be found. Why is that do you suppose? Might there be something other than just planning for her daughter's wedding and yoga schedules in those things? I think so, But I digress.

SMH

[PortHaven]

"An NSA contractor brought home highly classified documents"

^^^ THIS

The first sentence says it all

"An NSA contractor brought home highly classified documents" Anything after this point is just blah, blah, blah. It is illegal for this to happen, unless the contractor's home is designated at the correct classified level. Which is highly unlikely. Good cybersecurity is impossible if people don't follow policy and procedure upon which much cybersecurity depends.

ITT:

[ajegwu]

So many fucking Russians, holy shit.

Re:The Government Who Cried Russia.

[bobbied]

It's a great story. It never gets old.

True dat.. Been going on for almost 80 years now...

What contracting company.

[will_die]

So any idea of the company he worked for?
Booz Allen had been running up a nice streak but lost that with reality winner, so have that pushed forward and tried to start streak two?

and it wasn't even vodka

[Reverend+Green]

Russians drank all my beer! Just the other day I bought a six-pack, and now it's gone. Goddammit I blame the Russians!

Re:and it wasn't even vodka

[Mal-2]

Next time try putting a mouse in the container and blame it on the brewery.

Re: and it wasn't even vodka

[Reverend+Green]

Fool! I'm not a Putinbot - I'm a NORKBOT! Great Leader Kim Il-sung personally programmed me, shortly after he invented the Internet.

Nothing could be better for the glorious Democratic People's Republic than to set the Yankee imperialists and the Muscovite capitalist restorationists at each other's throats. That's why I always say, BLAME RUSSIA! Workers and peasants in America have been so brainwashed and driven mad by capitalism, they will believe anything.

Remember: THE RUSSIANS DID IT!

What am I missing?

[barbariccow]

Am I understanding correctly? Of course I didn't read TFA, but from the summary I'm guessing that dude had Kapersky antivirus, and when he loaded the files it sent them home for scanning, and since they're a Russian company the Russian government has access to the files. This doesn't really make sense to me. It would make sense that it could send the checksums back home to compare, except even that doesn't make a lot of sense, since the "virus database" (aka a list of checksums of flagged blocks) should be local. Maybe he was using some sort of browser plugin version?

The only other way this could make sense is if the Russian government forced K to insert a backdoor into its software, which they used to gain access. So far I've only heard of the USA doing this, so it would be a big deal if this were the case, but since the summary doesn't have some clickbait about massive hole in K products discovered, I also don't think this is the case.

Most likely this is just more stupid "Russia bad, because... Russia!" garbage being spewed by folks who really don't understand or want to understand how things work. Can someone clarify if this isn't the case and I missed something?

Re:What am I missing?

[AHuxley]

Its some US story about cyber.
Documents get taken home from work and existed on some home network computer.
Some outside network discovers the documents that have never been in the wild before. The bad people have all the "checksums" for random US gov documents and scan the world for them?
Data gets sent back up the network nobody has noticed on any other version of the product range...
Russia.
More cyber fiction.

Taking it home?

[John+Jorsett]

In my years working on "highly classified" things, we NEVER, EVER brought that stuff home, because we couldn't without breaking all kinds of rules and safeguards. It was a major operation just to get it transferred to another secure facility to work on it. But time after time now we get the story that this or that person had a laptop full of stuff in their car, their house, on the bus, etc. When did the rules change that you can just walk out with extremely sensitive data, or are these lunkheads simply violating all the rules?

Re:Taking it home?

[LordWabbit2]

viperidaenz - said it perfectly in the post below.

An NSA contractor stole highly classified documents, but before he could sell them, they got stolen. Because he had no other reason to take home classified documents.

I've worked in banks, you cannot remove data from a PC without the drive being encrypted first. That drive can only be read by the banks PC's, and there are layers of security etc around that as well. Who can actually take data, who can read that data, etc. etc.

Most of the banks data is personal, not fucking classified. I would expect a much higher level of security at a holding facility for classified data.
If this contractor got classified stuff out of there and onto his home PC he was...
a) An idot
b) Wanting to sell the documents.

Re:Taking it home?

[thejynxed]

There was an FBI agent that gave a presentation at Widener School of Law detailing the fact that banks have been far ahead of .gov in these matters. What you see in the average bank even way back around 2000 is still ahead. The NSA, DOD and CIA have the most secure .gov systems and they are still less secure than bank systems because banks aren't prone to letting contractors of any sort access to certain primary systems or data unlike .gov agencies.

Re:Taking it home?

[david_thornley]

I was a contractor for a financial firm around 2006, and I had a work-issued laptop. It had full-disk encryption, integrated with the Windows logon. While putting Visual Studio on it, IT managed to hose it somehow so it could not get into Windows.

This gave IT a real problem. The disk was encrypted, and the encryption could not be broken. IT was required to pull all information off disks before destroying or reformatting them, and the information was completely inaccessible. They kept that laptop for months, and finally returned it (I'd been using a less powerful one in the meantime). My guess is that they just pulled the drive and put it on a shelf somewhere to await proton decay.

Should have been expected

[thunderclees]

This is what happens when you outsource or hire visa workers to do your IT.
It would not surprise that the outsource/visa workers absconded with data themselves.

Here's what probably happened

[viperidaenz]

An NSA contractor stole highly classified documents, but before he could sell them, they got stolen.

Because he had no other reason to take home classified documents.

Re:Here's what probably happened

[dcw3]

Possibly, or he could have just been doing so out of laziness/convenience, a la Clinton.

Re:Sleep with the bear, get flees

[Darinbob]

The story isn't saying that the anti malware program is a front for cyber warfare. It is saying that the program was hacked. No evidence that they were willingly hacked or assisted in undermining their own product. And it was an older version of Kaspersky. Hacking an antivirus is a big target, it gets you past the front door and into the bedroom.

Re:Yeah.

[superwiz]

Was he in FSB? KGB collapsed with the collapse of the USSR. Modern Russian state was born out of a rebellion against the USSR. So you would not necessarily expect the modern Russian state's security apparatus to have priorities matching anything even close that of the USSR.

Ask reddit...

[101percent]

Honest question for someone who dropped Windows decades ago. How do admins even take their security seriously when their tools have these issues. Something similar happened with, I believe it was, ccleaner a couple months ago. I mean what is the rationale behind infosec in Windows shops?

Re: Ask reddit...

[david_thornley]

Personal computers come with lots of crapware nowadays, and a tool to remove it all is useful.

Trustworthy SW is judged by software freedom.

[jbn-o]

Kaspersky's proprietary anti-malware software was never trustworthy. Kaspersky's anti-malware didn't recently become untrustworthy, and the year-plus long Russophobia didn't change anything nor does that craze amongst the war profiteers inform the current situation.

We judge software's trustworthiness by software freedom—the freedom to run, inspect, share, and modify published computer software. If a program is non-free (proprietary, user-subjugating) that program is untrustworthy regardless of what it purports to do, who wrote it, or who distributes it. No review program can ever truly evaluate the trustworthiness of non-free software because either they don't review the program's source code (thus the reviewers don't really know what the program can or will do), or they are under some non-disclosure agreement (in which case the reviewers can't be trusted). You need software freedom even if you don't program (as most computer users don't) so you can give a copy of the free software to someone you trust and ask them for a proper review. This can also be a commercial opportunity (jobs!).

Re:Trustworthy SW is judged by software freedom.

[thejynxed]

Except in this vector the "free" software alternatives don't even come close to accomplishing what they should. All two of them.

Re:Trustworthy SW is judged by software freedom.

[jbn-o]

Then improve them until they do.

That's the great thing about software freedom: programmers can improve free software and make the technical limitations a thing of the past while retaining the software freedom. But non-free software's power and reliability doesn't become freedom-respecting as more features are added.

Yet another racist

I'm still amazed at how "Ivan" has turned into a racist epithet, especially insofar as liberals are now proud of modding up posts that contain nothing more substantial.

Then again, they pretty much invented the N-word, too, along with seceding from the Union over slavery and filibustering the Civil Rights Act, so maybe I shouldn't be too surprised.

Re:Why the rush to defend anitvirus that hacks YOU

[arth1]

So why are people rushing to defend this attack on our country?

I'm not sure people are, as much as they're not impressed with our country's attack on We The People, even by foreign nationals in CIAs hire.

Plus, is it proven beyond doubt and Hanlon's razor that there was an attack on the attackers?

Re:Yeah.

[dcw3]

You say that as if nothing replaced the KGB. Hell, Putin was KGB. Who do you think his cronies are?

Why discover it now?

[martinfb]

How is it this can suddenly be discovered 2 years after it allegedly occurred?

Is it not just a slikely that these wholly incompetent agencies need to point a finger elsewhere?
Show me the proof! And any excuse about revealing secrets if proof is revealed is, obviously, bullshit!

Dear fellow citizen of the USA: While it is expected of nation states to seek as much intelligence as possible, including the USA,
current finger-pointing, which is likely unfounded, has got to be nothing short of redirecting attention away from internal incompetence!

Our society is now fraught with BS - consider that NBC claims Tillerson called Trump a moron. Yet, I have yet to see that proof as well.

Re:He was a contractor!

[david_thornley]

This was almost certainly intentional mishandling of classified materials, and that is normally prosecuted as a felony.

The line between prosecution and no prosecution is normally if the violation was done deliberately or not. This looks awfully deliberate.

Re:Yeah.

[superwiz]

Putin was in politics long before he was President. He left KGB with the title of Lieutenant Colonel -- hardly a high profile operative. He became a mid-level politicl operative after the collapse of the USSR operative. As for whether anything replaced KGB, that's irrelevant. Wehrmacht was replaced by the East German and West German militaries after WWII. That doesn't mean that one would expect a mid-level officer of Wehrmacht to serve in either West German of East German army. I would not expect most of USSR operatives to retain any kind of power in the post-USSR Russia. Yeltsin went so far as to ban and defund the former Communist party institutions after the collapse. He also had to disband the parliament and force a new election after pro-Communist parties got the majority and tried to muscle him from power. If anything, being anti-communist was the only was to rise to any kind of political power in the post USSR Russia. Modern Russian state is not pro-Soviet. It's national socialist. But it's difficult to imagine how anyone who remained committed to pro-soviet agenda could have remained anywhere even close to power.