Slashdot Mirror


New NSA Leak Exposes Red Disk, the Army's Failed Intelligence System (zdnet.com)

Zack Whittaker, reporting for ZDNet: The contents of a highly sensitive hard drive belonging to a division of the National Security Agency have been left online. The virtual disk image contains over 100 gigabytes of data from an Army intelligence project, codenamed "Red Disk." The disk image belongs to the US Army's Intelligence and Security Command, known as INSCOM, a division of both the Army and the NSA. The disk image was left on an unlisted but public Amazon Web Services storage server, without a password, open for anyone to download. Unprotected storage buckets have become a recurring theme in recent data leaks and exposures. In the past year alone, Accenture, Verizon, and Viacom, and several government departments, were all dinged by unsecured data.

67 comments

  1. Mandatory Protection? by bunyip · · Score: 1

    Whatever happened to the DoD Orange Book levels? I would have thought that they'd have mandatory protection on all their data.

    A.

    1. Re:Mandatory Protection? by ShanghaiBill · · Score: 5, Interesting

      Nearly all classified information is mundane garbage that nobody cares about. This "red disk" is a good example. TFA says it contains "sensitive information" but fails to list a single item of any significance.

      I had a "secret" clearance for decades, and I would regularly see classified reports about stuff that had been in the newspaper months before. Even more ridiculous, some of these reports were reporting that a newspaper had reported on a report that was not supposed to be reported on.

      More than 5 million Americans have security clearances. There are huge warehouses and data centers filled with "secrets". Meanwhile, our national debt is $20.5 trillion dollars.

    2. Re: Mandatory Protection? by Anonymous Coward · · Score: 0

      Classified is far from secret. It includes things like the week's lunch menu. Classified documents also suck when doing international collaboration, because they get upgraded to "secret" when circulated by a nation that doesn't have a classified status (meaning the chef now can't read the menu, because he obviously doesn't have clearance to read secret documents).

    3. Re:Mandatory Protection? by gnick · · Score: 1

      I had a "secret" clearance for decades, and I would regularly see classified reports about stuff that had been in the newspaper months before. Even more ridiculous, some of these reports were reporting that a newspaper had reported on a report that was not supposed to be reported on.

      I had a DoE Q clearance for a little over a decade with SCI for part of that. I did see information that was classified published publicly. I also saw information published publicly that would have been classified if it was accurate. Confirmation of the information, true or false, was classified as it should be.

      Nearly all classified information is mundane garbage that nobody cares about.

      I'll agree with that, but there are very important exceptions.

      --
      He's getting rather old, but he's a good mouse.
    4. Re: Mandatory Protection? by Anonymous Coward · · Score: 0

      Any military operation that requires secrecy for success is already a failure.

    5. Re: Mandatory Protection? by gnick · · Score: 2

      Good idea. No secrets. We'll just publish our nuclear weapon designs online so that everyone's on a level playing field.

      --
      He's getting rather old, but he's a good mouse.
    6. Re: Mandatory Protection? by i286NiNJA · · Score: 1

      This is the exact opposite of what Sun Tzu said in The Art of War. It's hilariously wrong even if the US military is struggling to classify information in an effective manner. I've never heard this cute little quote but I suspect you lifted it from somewhere.

      Where in the world did you hear this?

    7. Re: Mandatory Protection? by Anonymous Coward · · Score: 0

      You can just say that all you want.
      You need to prove it, otherwise you're speaking out of your ass.

    8. Re: Mandatory Protection? by Megol · · Score: 1

      Now that's in top 10 of my "so stupid it can't be real" list this year. Hope you like sharing room with Trump, the North Korea news agency, "SJWs", anti-SJWs and misc. conspiracy theorists.

    9. Re: Mandatory Protection? by Anonymous Coward · · Score: 0

      Totally this.

      The way Ike withheld the date and location of the D-Day landing fouled up the entire operation. If he had only told the Germans where and when they were landing, it would have been a success.

    10. Re: Mandatory Protection? by sysrammer · · Score: 1

      Is effective troll! You should get promotion.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    11. Re: Mandatory Protection? by rickb928 · · Score: 1

      Exactly. Sun Tzu understood warfare long ago, and his teachings are as relevant today as they were in his lifetime. Of course, to further ensure the success of your operation when secrecy is a necessary condition, it's best to mislead all other parties, the enemy, your and their media, your domestic opposition, even possibly some of your command structure* and other units of your forces, allies, and otherwise uninvolved parties. They will be desperate for information, you should control that information whenever possible. Even if secrecy isn't mission critical.

      The weapons may change, but the intentions are the same at some level. War is war.

      * If your command structure requires absolute knowledge of all facets and details, they are a risk. Competent commanders will give you an objective and avoid interfering, in a perfect situation. War is, however, rarely perfect. Manage them.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    12. Re:Mandatory Protection? by Frosty+Piss · · Score: 1

      Nearly all classified information is mundane garbage that nobody cares about.

      I'll agree with that, but there are very important exceptions.

      Indeed. But of course as a Q clearance guy, you know that 1000 little pieces of "mundane" but related secrets equals one very interesting not so mundane secret...

      --
      If you want news from today, you have to come back tomorrow.
    13. Re: Mandatory Protection? by rtb61 · · Score: 1

      Now if that is what they were trying to secure things would not be so bad but we all know what they are really trying so hard to secure, all the corruption and graft going on at the highest level and all the purposefully generated bullshit to feed it. Nuclear weapon design, yeah because why, without the industrial and technical capacity even with the design you cannot make one and with the industrial and technical capacity you can make your own. When it comes to nuclear weapons, size counts for fuck all, once it is big enough, it is big enough and any bigger just makes the rubble 'er' smaller. Secrets today are all about hiding rampant corruption.

      --
      Chaos - everything, everywhere, everywhen
    14. Re: Mandatory Protection? by BoogieChile · · Score: 1

      Yeah, those Normandy landings were a complete washout, weren't they, Kamerad?

    15. Re: Mandatory Protection? by aybiss · · Score: 1

      It's so cute that you think that would actually make the world less safe than it is right now.

      --
      It's OK Bender, there's no such thing as 2.
    16. Re: Mandatory Protection? by mcswell · · Score: 1

      That has to be the dumbest statement I've heard in a long time. Try Pearl Harbor, the assassination of Admiral Yamamoto, the landings on Normandy, all of which were maintained as secrets until they happened (and the way the assassination of Yamamoto was carried out--by the US reading the Japanese code--remained a secret for long after). Certainly some military operations fail because someone broke the secrecy; the Germans lost the Battle of the Atlantic in large part because of that. But it's not a foregone conclusion.

    17. Re: Mandatory Protection? by Anonymous Coward · · Score: 0

      It's even more entertaining to see that YOU believe it would make it more.

      Since little Kim launched an ICBM this week that accomplished his goals, that kind of puts paid to your bullshit. If you're this fucking stupid all the time, shut the FUCK UP.

    18. Re:Mandatory Protection? by Anonymous Coward · · Score: 0

      The best way to thwart spies is by DOSing them. If 99% of 'classified', 'secret' and 'top secret' is mundane drivel, they get a lot to sift through. Getting their hands on something stamped 'secret' is rarely the treasure trove they hoped for.

      Which is why some people do all their stuff via VPN, not only what really needs protection. If some agency breaks an occasional key through enormous effort - it is rarely useful.

    19. Re: Mandatory Protection? by Anonymous Coward · · Score: 0

      I see what the op is talking about. If you're 30 minutes from contact and committed to a single plan, all the intelligence in the world won't fix a bad plan. Once you're in battle, knowing the enemy is one thing but keeping track of the situation with enough rapidity for a top-level commander to micromanage units is far more difficult.

      If you read the top authors on the subject of tactical/military intelligence you'll find that the majority make convincing arguments that good intelligence is among the least important predictors of success in battle. Counter-intuitively, other factors such as morale, logistics, and luck play more decisive roles.

  2. Link by Anonymous Coward · · Score: 1

    Link where?

  3. I got the source to Skynet that way by Anonymous Coward · · Score: 0

    I'm re-working it to version 2.0 currently.

  4. Remind me by 93+Escort+Wagon · · Score: 5, Insightful

    The people managing this data are the same ones many politicians think should be given a master key to all of our sensitive personal information, right?

    --
    #DeleteChrome
    1. Re:Remind me by i286NiNJA · · Score: 1

      No he makes a good point. The most fearful, career climbing, anal retentive weasels of our military and intelligence communities can't keep secrets and they're trying to convince us that master keys on all our data will only be used with the tightest of safeguards.

      Even if it wasn't a lie, all evidence indicates that they will fail to keep any sort of master keys from the hands of criminals or hostile governments.

  5. Come on by Anonymous Coward · · Score: 0

    Surely all that's needed is for it to happen once before everyone goes "o shit" and makes it part of standard procedure to prevent.

    Then I remind myself of SQL injection...

  6. Is anything secret by Anonymous Coward · · Score: 0

    Does anyone else wonder about the irony of our intelligence services claim that they will keep the private information they are collecting on all of us secret and used only for authorized purposes, when they can't seem to keep anything else private and a private in the army is given free access to sensitive state department cables for no apparent purpose?

  7. Intentional? by Anonymous Coward · · Score: 0

    Who knows that this is not intentional... I find it hard to believe that when AWS is offering private cloud and orgs like the NSA are extremely sensitive to leaks that some idiot would "accidentally" do this. Most likely, it was done intentionally, to the NSA's benefit.

    1. Re:Intentional? by Anonymous Coward · · Score: 0

      Or was left there by Snowden (or another whistleblower), but only recently discovered.

    2. Re:Intentional? by Anonymous Coward · · Score: 0

      "Seriously... In this day and age, do you really think that this is an accident?"

      Yes. In this day and age, such a vast army is working in the "intelligence" data business, that even if they got the best people, over 9 out of 10 won't be the best people. Such accidents and such care of sensitive information is inherent to the current nature of mass espionage and vast intelligence. It will keep happening.

    3. Re:Intentional? by Anonymous Coward · · Score: 0

      +4? Ever heard of a sandbox smarty?

    4. Re:Intentional? by Anonymous Coward · · Score: 0

      Seriously... In this day and age, do you really think that this is an accident?

      When I recently signed up with AWS, everything I provisioned as a "backend" component forced me to set an admin password to use.
      It takes an additional and intentional step to go back in and remove that password.

      Granted that additional step was available through the setup process, since a step or two later it let me set up other user accounts and it was that very screen that would also let me modify the admin account just created.

      Even when creating another user account for my db client to use, it had right there the usual input boxes for the username, description, and two boxes to set the password.

      Thinking back I'm not sure if a user account could be created without a password. It didn't even occur to me to try. It does have password and verification boxes to check what you entered matched, so you would think it won't let you leave them blank...

      But the point is if you go with the purest and simplest setup, you end up with one account with a password on it.
      Would someone desiring to remove that password even bother with making a lower privilege account where you actually have to set up what that account can do? Wouldn't you just "run with admin" as the simplest way to avoid pesky authentication errors?

    5. Re:Intentional? by AHuxley · · Score: 1

      Think like the US gov, contractors and mil.
      It's the 1950-70's. Vast amounts of data are being collected in real time globally. Total encryption would slow down translation and searching.
      What to do with all that data being kept on a secure base? Keep it in plain text so everyone with the correct clearance could read, search the globally collected material. From any other base or agency in the USA. While the UK was still sorting paperwork and index cards the USA had real time, networked digital searching on powerful new computers.

      A lack of translators and skilled people to work on so much collected data became an issue.
      All any one person wanting to spy could do was walk out with paper, photographs, printed documents over time. Photocopy an entire aircraft design for another nation for cash page by page? Photocopy the US Vietnam war reports page by page?
      That secure network per site security worked well but it was not a really great system for the CIA. The CIA needed the databases on US mil/gov/workers/staff/private sector who could help with support complex long term missions for freedom that could never be mentioned to Congress or anyone.
      Unencrypted plain text access with no logs, no questions over all the networked US databases.
      To find a person who could fly to anywhere in the world, at night and resupply some CIA funded group in another nation doing lots for "freedom".
      So why not use contractors to keep the data? Bring in the private sector? No risk of an Iran–Contra affair computer discovery on always backed up gov networks https://en.wikipedia.org/wiki/...
      That allowed the private sector in and once very secure data sets to spread all over the USA on huge private networks. Why let the US gov work on their computer network when the politically connected private sector could do the same work for billions in funding? No more logs, questions about projects, missions.
      The results long term are what is being seen now.
      US gov networks kept the plain text past because it was easy to sort and collect.
      The private sector got given all that data that anyone can read, sort, understand to translate, index, add to other data from the private sector.
      Nobody really wants to think about security. That blocks different parts of the US gov, mil from access and paying the private sector for that project. Per project security slows down complex searching by the rest of the US gov/mil/other contractors.
      So data floats around unencrypted, on internet facing contractor networks with not much logging and not much security.

      Why no security? The private sector could install some really good systems to lock that data down, secure networks, track and block most malware intrusion attempts?
      Nobody wants to lock out other agency requests for the same data sets. Looking for that dream team of US mil and contractors to support freedom in another nation? Complex security might log the funding, names of the pilots, the front company aircraft used, contractors needed to load the aircraft in other nations, find the way very advanced weapons systems got supplied to the "rebels"...
      What if Congress requests a copy of that log of another Iran–Contra to support freedom using different nations?

      Better just to have the data sets with no security, no logs, no questions, nothing anyone in Congress can demand a decade later.
      The US clandestine services cannot trust any oversight by the US political system. So no data is logged, nothing kept, no complex logs on backup. Plain text exists as is for years and is searchable.
      Security is just a bad word for political oversight and questions later about missions that never officially existed and had no funding.
      That's how the US gov.mil systems got to how they are now. Once the best in the 1960's for searching and data collection is now just a way of hiding missions from political oversight.
      Its worth more

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re: Intentional? by Anonymous Coward · · Score: 0

      While this looks very convincing, it is only glossing about why plaintext is good for security and freedom. Could you expand on that some more?

  8. Soo... How might one find these by Anonymous Coward · · Score: 0

    So can I just attach a client to one of these unprotected storage buckets? Google a string?

    Asking for a friend...

  9. Who would have suspected by Anonymous Coward · · Score: 0

    I mean, no one would have ever guessed that The Cloud (tm) isn't some magical space where all your data is perfectly stored, just for you, without you doing a thing!

    It's almost as if it's part of a global network, and you need to do all the normal things to protect your data AND more, because it's all just SOMEONE ELSE'S COMPUTER.

    F'ing bureaucrats, f'ing government clouds, f'ing Amazon promising magic to f'ing idiots with budgets...

  10. Saddest part ... by CaptainDork · · Score: 1

    ...

    New NSA Leak ...

    --
    It little behooves the best of us to comment on the rest of us.
  11. Cloud != Secure by Anonymous Coward · · Score: 0

    You can't make a stupid-proof machine. The cloud is a machine.

    The only way to not have things stupidly handled on the cloud is to not have them on the cloud.
    Go re-read the red book.

  12. Intentional? by IMightB · · Score: 4, Insightful

    Seriously... In this day and age, do you really think that this is an accident? Unless more info is known, I'm inclined to believe that this is fully intentional, and any idiot that attempts to run this software is going to get what he deserves.

  13. this is good by Anonymous Coward · · Score: 0

    Anything that hurts the USA helps us.

    1. Re:this is good by mcswell · · Score: 1

      If the Visigoths (whoever they might be) invaded the US and brought it down, who would be the new Big Guy On The Block? You'd rather live with them dominating you?

  14. no! by AndyKron · · Score: 1

    It's a trap!

    1. Re:no! by sysrammer · · Score: 1

      I've got a bad feeling about this...

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    2. Re:no! by Anonymous Coward · · Score: 0

      Skynet belongs to the Nerds!!

      (brings battle-axe down upon restless zombie process)

  15. systematic problem in IT by kiviQr · · Score: 1

    Keep hiring consultants that take no ownership and inexpensive college guys then keep wondering why bad things happen.

    1. Re:systematic problem in IT by Fallen+Kell · · Score: 1

      That's not really the issue. The real issue is that it is all brought to you by the lowest cost bidder... There is a reason that many of these are the lowest cost bidder, because they are not paying to have real talent in their company to provide those services (as the real talent costs much more to hire and would not be anywhere near the lowest cost). As such, you get people who make mistakes like this.

      On the flip side, it is very difficult to quantify and otherwise rate the benefits of the various contractors placing a bid on performing this kind of work. Any metrics could only be from past performance, which effectively excludes new contractors from being able to make a proper bid, and even then, past performance does not directly dictate future performance (a key person may have left the company...).

      --
      We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  16. Unmanaged by DarthVain · · Score: 4, Interesting

    More likely it was a bunch of contractors involved in a particular project that was unsuccessful and abandoned, leaving it "unmanaged". With the project over, and no people around that were involved anymore, probably no one even knew it was out there. This is a common problem for large organizations that try to minimize the amount of IT staff on-hand, and outsource everything externally (not the leak necessarily, but the apparent lack of institutional awareness/knowledge). However on the books it looks like the employee footprint is smaller, which I guess is the point.

    1. Re:Unmanaged by i286NiNJA · · Score: 1

      More likely they just hired idiots. If the s3 bucket was ever managed at all it should never have been exposed without some access management in place. Amazon doesn't even make it hard.

    2. Re:Unmanaged by swb · · Score: 1

      It seems more likely that abandoned projects would have lost/forgotten passwords, not zero security at all on cloud services.

      I get passwords set to "password" or blank for internal-facing only systems, I see that about once in a while when I end up confronting mystery systems at clients. But most of the time the problem is nobody knows what the password is.

    3. Re:Unmanaged by mlw4428 · · Score: 1

      According to TFA, the developer of this system was a contractor and seeing as how the DoD wouldn't just use Amazon Cloud Anything for servers running sensitive data, it's reasonable to assume it was a contractor who did this.

    4. Re: Unmanaged by F.Ultra · · Score: 2

      So in other words it was exactly the people who would handle the master keys.

    5. Re:Unmanaged by Turmio · · Score: 1

      Sure, the cache may've been abandoned by a contractor, but still that does not change the point of the original question at all if you think about it a bit.

  17. download? by Anonymous Coward · · Score: 0

    any upload or torrent/magnet?

  18. It shouldn't be passworded by Anonymous Coward · · Score: 0

    The public funded this, the public should have access

  19. Red Army? by Anonymous Coward · · Score: 0

    Baader? Meinhof?

    LAUNCH!

  20. Think how much grief Snowden could have avoided... by Glasswire · · Score: 1

    ... if he'd just put his info up anonymously this way. But instead he wanted to make sure there was journalistic curation by major media orgs to limit info to stuff that proved his point about legal violations by NSA and other govt branches.
    Have to think he's bitter now.

  21. Maybe by Anonymous Coward · · Score: 0

    It was meant to be found.

  22. A Picture Is Worth a Thousand Words by chill · · Score: 2

    http://www.jklossner.com/humannature/

    John Klossner hit this on the head back in 2006.

    --
    Learning HOW to think is more important than learning WHAT to think.
  23. Other countries? by Anonymous Coward · · Score: 0

    Why don't we ever see leaks from other countries?

    1. Re: Other countries? by Anonymous Coward · · Score: 0

      Because we have better versions of all that shit?

    2. Re:Other countries? by sysrammer · · Score: 1

      Why don't we ever see leaks from other countries?

      Because they kill their leakers?

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    3. Re:Other countries? by AHuxley · · Score: 1

      They know what the MI6, NSA, CIA, GCHQ can do to computer networks that have to get imported.
      They don't use network computer in the same way for mil projects.
      A super computer can do calculations for mil systems.
      Don't put your entire mil system on an internet facing network for the NSA, CIA, GCHQ to read from in real time.
      Other nations have finally understood what the NSA and GCHQ did to their security in the 1950-1990's.
      Other nations spend millions on human spies entering the USA, UK over generations. Two generations later they have the cleared, totally trusted US/UK staff to enter the US and UK security services.
      The US and UK spend billions spying on digital network spying globally. Other nations know just not to have mil connected networks to spy on.

      Other nations are very careful who they hire to join their spy agencies/mil too. They hire only people they can trust politically and have some understanding of who will stay loyal to their nation. Staff get tested so they do not walk out secrets for cash/pleasure at the first offer by CIA/MI6.
      Less of that risky contractor problem with spending problems, gambling, addictions, in need of a new friend.
      The US and UK virtue signal that their spy agencies are open to all applications and will totally trust and welcome anyone. Security considerations are now a distant second to being seen attracting all kinds of new staff.

      Very different ways of finding staff, keeping computers secure.
      The other issue was importing US and UK mil equipment and trusting it to work.
      Early 1980's Argentina found out too late that most of their new US/UK/NATO quality secure communications equipment was open to the GCHQ in real time.
      The only system that slowed the GCHQ down was a South African designed communications system. Why? It had been used in a real war by South Africa and had to actually work to keep South African troops safe from other nations' very advanced mil collection in Africa.
      Lesson most smart nations took away from that was to spread their human spies out globally and that Western export grade mil equipment is clandestine service back door junk.
      Other nations have had decades of being spied on totally to finally understand how digital collection works and just don't use networks open to spying.
      France lost all its embassy communications to the NSA and GCHQ during the 1950's. Was it human spies? Embassy not doing crypto to a good standard? Someone trusted back in the gov in France? Why was France not able to secure some big trade deal? Finally investigations found nothing was wrong with the human side of the gov, workers, staff. It was just the way the communications network was set up and not shielded that leaked plain text in real time.
      Another lesson learned that it's not always staff, sometimes it's the crypto and networks that is junk.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Other countries? by Anonymous Coward · · Score: 0

      Maybe public service doesn't carry such demonic associations in other countries like it does apparently in the US. Where else there is even a discussion for minimizing the government that wasn't inspired, or even partially funded by a US based party? It's the same thing in the religious discussions, ideas and politics these days among the Protestant Christian circles. The ideas, they are being bandwagoned! And the academic theologians, they do nothing!

  24. Govt Program Naming Note. by mveloso · · Score: 1

    I vaguely remember seeing references and a diagram of Red Disk. As a data point, in general the communities will keep extending projects outwards along the same naming dimension, so expect programs named "gold disk," "blue disk," etc.

    Projects actually never fail in the way you'd think. Everyone learns a whole lot, then moves on to the next iteration.

    Red Disk itself was one of the first attempts at what's now called a data lake, I think. You can probably dig it out of google if you cared. There were one or two followup projects, all going in different directions.

  25. Let's stop pretending we went to the moon by ourlovecanlastforeve · · Score: 1

    Next thing you know someone will leak more photos of the sound stage where they filmed the moon landing.

  26. Re:Think how much grief Snowden could have avoided by Anonymous Coward · · Score: 0

    ... if he'd just put his info up anonymously this way. But instead he wanted to make sure there was journalistic curation by major media orgs to limit info to stuff that proved his point about legal violations by NSA and other govt branches.
    Have to think he's bitter now.

    Snowden put a face on a monstrous scale government policy. Not a politician's face. I still wonder if Snowden was just a USGOV PSYOP the whole time. There seem to have been a few things I consider very important that he seems to have glossed over. As if his narrative helps bury some of the key (har har) issues all that much deeper. Although given how much facetime he's had, he'd have to be an Ace actor if he was on orders the whole time. Problem is I imagine with unlimited budget, USGOV can and does have many Ace actors on staff. Sure would be nice to see Snowden back in the U.S. Seems quite convenient from the gov conspiracy perspective that he is/was so unavailable for interviews. The theory could be the virtual-snowden-bots on stage with Schneier etc are part of the psyop.

    But mainly, whether that is paranoia or not, don't discount that he really did put a face on the issue. Part of the government narrative is that they are angels and not human beings when dealing with all the privacy invasion abilities and doings they are involved with. Snowden basically said- Hey folks, we're just a bunch of young adult pervs casually trading nudie pics from webcams people thought were off, and referring to it as LOVEINT.

    And then the issue passed. And there was a new normal. And there is no shock left sufficient to fundamentally address policy to the humanity of the perv spook angle. Sigh.

  27. Honeypot? by sfsp · · Score: 1

    Consider the possibility that this is information/disinformation they WANT to be out, without the responsibility of actually releasing it. Just a thought.