Slashdot Mirror

← Back to Stories (view on slashdot.org)

New NSA Leak Exposes Red Disk, the Army's Failed Intelligence System (zdnet.com)

Posted by msmash on from the so-nothing-new? dept.

Zack Whittaker, reporting for ZDNet: The contents of a highly sensitive hard drive belonging to a division of the National Security Agency have been left online. The virtual disk image contains over 100 gigabytes of data from an Army intelligence project, codenamed "Red Disk." The disk image belongs to the US Army's Intelligence and Security Command, known as INSCOM, a division of both the Army and the NSA. The disk image was left on an unlisted but public Amazon Web Services storage server, without a password, open for anyone to download. Unprotected storage buckets have become a recurring theme in recent data leaks and exposures. In the past year alone, Accenture, Verizon, and Viacom, and several government departments, were all dinged by unsecured data.

37 of 67 comments (clear)

  1. Mandatory Protection? by bunyip · · Score: 1

    Whatever happened to the DoD Orange Book levels? I would have thought that they'd have mandatory protection on all their data.

    A.

    1. Re:Mandatory Protection? by ShanghaiBill · · Score: 5, Interesting

      Nearly all classified information is mundane garbage that nobody cares about. This "red disk" is a good example. TFA says it contains "sensitive information" but fails to list a single item of any significance.

      I had a "secret" clearance for decades, and I would regularly see classified reports about stuff that had been in the newspaper months before. Even more ridiculous, some of these reports were reporting that a newspaper had reported on a report that was not supposed to be reported on.

      More than 5 million Americans have security clearances. There are huge warehouses and data centers filled with "secrets". Meanwhile, our national debt is $20.5 trillion dollars.

    2. Re:Mandatory Protection? by gnick · · Score: 1

      I had a "secret" clearance for decades, and I would regularly see classified reports about stuff that had been in the newspaper months before. Even more ridiculous, some of these reports were reporting that a newspaper had reported on a report that was not supposed to be reported on.

      I had a DoE Q clearance for a little over a decade with SCI for part of that. I did see information that was classified published publicly. I also saw information published publicly that would have been classified if it was accurate. Confirmation of the information, true or false, was classified as it should be.

      Nearly all classified information is mundane garbage that nobody cares about.

      I'll agree with that, but there are very important exceptions.

      --
      He's getting rather old, but he's a good mouse.
    3. Re: Mandatory Protection? by gnick · · Score: 2

      Good idea. No secrets. We'll just publish our nuclear weapon designs online so that everyone's on a level playing field.

      --
      He's getting rather old, but he's a good mouse.
    4. Re: Mandatory Protection? by i286NiNJA · · Score: 1

      This is the exact opposite of what Sun Tsu said in The Art of War. It's hilariously wrong even if the US military is struggling to classify information in an effective manner. I've never heard this cute little quote but I suspect you lifted it from somewhere.

      Where in the world did you hear this?

    5. Re: Mandatory Protection? by Megol · · Score: 1

      Now that's in top 10 of my "so stupid it can't be real" list this year. Hope you like sharing room with Trump, the North Korea news agency, "SJWs", anti-SJWs and misc. conspiracy theorists.

    6. Re: Mandatory Protection? by sysrammer · · Score: 1

      Is effective troll! You should get promotion.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    7. Re: Mandatory Protection? by rickb928 · · Score: 1

      Exactly. Sun Tsu understood warfare long ago, and his teachings are as relevant today as they were in his lifetime. Of course, to further ensure the success of your operation when secrecy is a necessary condition, it's best to mislead all other parties, the enemy, your and their media, your domestic opposition, even possibly some of your command structure* and other units of your forces, allies, and otherwise uninvolved parties. They will be desperate for information, you should control that information whenever possible. Even if secrecy isn't mission critical.

      The weapons may change, but the intentions are the same at some level. War is war.

      * If your command structure requires absolute knowledge of all facets and details, they are a risk. Competent commanders will give you an objective and avoid interfering, in a perfect situation. War is, however, rarely perfect. Manage them.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    8. Re:Mandatory Protection? by Frosty+Piss · · Score: 1

      Nearly all classified information is mundane garbage that nobody cares about.

      I'll agree with that, but there are very important exceptions.

      Indeed. But of course as a Q Clarence guy, you know that 1000 little pieces of "mundane" but related secrets equals one very interesting not so mundane secret...

      --
      If you want news from today, you have to come back tomorrow.
    9. Re: Mandatory Protection? by rtb61 · · Score: 1

      Now if that is what they were trying to secure things would not be so bad but we all know what they are really trying so hard to secure, all the corruption and graft going on at the highest level and all the purposefully generated bullshit to feed it. Nuclear weapon design, yeah because why, with out the industrial and technical capacity even with the design you can not make one and with the industrial and technical capacity you can make your own. When it comes to nuclear weapons, size counts for fuck all, once it is big enough, it is big enough and any bigger just makes the rubble 'er' smaller. Secrets today are all about hiding rampant corruption.

      --
      Chaos - everything, everywhere, everywhen
    10. Re: Mandatory Protection? by BoogieChile · · Score: 1

      Yeah, those Normandy landing were a complete washout, weren't they, Kamerad?

    11. Re: Mandatory Protection? by aybiss · · Score: 1

      It's so cute that you think that would actually make the world less safe than it is right now.

      --
      It's OK Bender, there's no such thing as 2.
    12. Re: Mandatory Protection? by mcswell · · Score: 1

      That has to be the dumbest statement I've heard in a long time. Try Pearl Harbor, the assassination of Admiral Yamamoto, the landings on Normandy, all of which were maintained as secrets until they happened (and the way the assassination of Yamamoto was carried out--by the US reading the Japanese code--remained a secret for long after). Certainly some military operations fail because someone broke the secrecy; the the Germans lost the Battle of the Atlantic in large part because of that. But it's not a foregone conclusion.

  2. Link by Anonymous Coward · · Score: 1

    Link where?

  3. Remind me by 93+Escort+Wagon · · Score: 5, Insightful

    The people managing this data are the same ones many politicians think should be given a master key to all of our sensitive personal information, right?

    --
    #DeleteChrome
    1. Re:Remind me by i286NiNJA · · Score: 1

      No he makes a good point. The most fearful, career climbing, anal retentive weasels of our military and intelligence communities can't keep secrets and they're trying to convince us that master keys on all our data will only be used with the tightest of safeguards.

      Even if it wasn't a lie, all evidence indicates that they will fail to keep any sort of master keys from the hands of criminals or hostile governments.

  4. Saddest part ... by CaptainDork · · Score: 1

    ...

    New NSA Leak ...

    --
    It little behooves the best of us to comment on the rest of us.
  5. Intentional? by IMightB · · Score: 4, Insightful

    Seriously... In this day and age, do you really think that this is an accident? Unless more info is know, I'm inclined to believe that this is fully intentional, and any idiot that attempts to run this software is going to get what he deserves.

  6. no! by AndyKron · · Score: 1

    It's a trap!

    1. Re:no! by sysrammer · · Score: 1

      I've got a bad feeling about this...

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  7. systematic problem in IT by kiviQr · · Score: 1

    Keep hiring consultants that take no ownership and inexpensive college guys then keep wondering why bad things happen.

    1. Re:systematic problem in IT by Fallen+Kell · · Score: 1

      That's not really the issue. The real issue is that it is all brought to you by the lowest cost bidder... There is a reason that many of these are the lowest cost bidder, because they are not paying to have real talent in their company to provide those services (as the real talent costs much more to hire and would not be anywhere near the lowest cost). As such, you get people who make mistakes like this.

      On the flip side, it is very difficult to quantify and otherwise rate the benefits of the various contractors placing a bid on performing this kind of work. Any metrics could only be from past performance, which effectively excludes new contractors from being able to make a proper bid, and even then, past performance does not directly dictate future performance (a key person may have left the company...).

      --
      We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  8. Unmanaged by DarthVain · · Score: 4, Interesting

    More likely it was a bunch of contractors involved in a particular project that was unsuccessful and abandoned, leaving it "unmanaged". With the project over, and no people around that was involved anymore, probably no one even knew it it was out there. This is a common problem for large organizations that try to minimize the amount of IT staff on-hand, and outsource everything externally (not the leak necessarily, but the apparent lack of institutional awareness/knowledge). However on the books it looks like the employee footprint is smaller, which I guess is the point.

    1. Re:Unmanaged by i286NiNJA · · Score: 1

      More likely they just hired idiots. If the s3 bucket was ever managed at all it should never have been exposed without some access management in place. Amazon doesn't even make it hard.

    2. Re:Unmanaged by swb · · Score: 1

      It seems more likely that abandoned projects would have lost/forgotten passwords, not zero security at all on cloud services.

      I get passwords set to "password" or blank for internal-facing only systems, I see that about once in a while when I end up confronting mystery systems at clients. But most of the time the problem is nobody knows what the password is.

    3. Re:Unmanaged by mlw4428 · · Score: 1

      According to TFA, the developer of this system was a contractor and seeing as how the DoD wouldn't just use Amazon Cloud Anything for servers running sensitive data, it's reasonable to assume it was a contractor who did this.

    4. Re: Unmanaged by F.Ultra · · Score: 2

      So in other words it was exactly the people who would handle the master keys.

    5. Re:Unmanaged by Turmio · · Score: 1

      Sure, the cache may've been abandoned by a contractor, but still that does not change the point of the original question at all if you think about it a bit.

  9. Think how much grief Snowden could have avoided... by Glasswire · · Score: 1

    ... if he'd just put his info up anonymously this way. But instead he wanted to make sure there was journalistic curation by mejoro media orgs to limit info to stuff that proved his point about legal violations by NSA and other govt branches.
    Have to think he's bitter now.

  10. A Picture Is Worth a Thousand Words by chill · · Score: 2

    http://www.jklossner.com/humannature/

    John Klossner hit this on the head back in 2006.

    --
    Learning HOW to think is more important than learning WHAT to think.
  11. Re:Other countries? by sysrammer · · Score: 1

    Why don't we ever see leaks from other countries?

    Because they kill their leakers?

    --
    His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  12. Re:Intentional? by AHuxley · · Score: 1

    Think like the US gov, contractors and mil.
    Its the 1950-70's. Vast amounts of data is been collected in real time globally. Total encryption would slow down translation and searching.
    What to do with all that data been kept on a secure base? Keep it in plain text so everyone with the correct clearance could read, search the globally collected material. From any other base or agency in the USA. While the UK was still sorting paper work and index cards the USA had real time, networked digital searching on powerful new computers.

    A lack of translators and skilled people to work on so much collected data became an issue.
    All any one person wanting to spy could do was walk out with paper, photographs, printed documents over time. Photocopy an entire aircraft design for another nation for cash page by page? Photocopy the US Vietnam war reports page by page?
    That secure network per site security worked well but it was not a really great system for the CIA. The CIA needed the databases on US mil/gov/workers/staff/private sector who could help with support complex long term missions for freedom that could never be mentioned to Congress or anyone.
    Unencrypted plain text access with no logs, no questions over all the networked US databases.
    To find a person who could fly to anywhere in the world, at night and resupply some CIA funded group in another nation doing lots for "freedom".
    So why not use contractors to keep the data? Bring in the private sector? No risk of an Iran–Contra affair computer discovery on always backed up gov networks https://en.wikipedia.org/wiki/...
    That allowed the private sector in and once very secure data sets to spread all over the USA on huge private networks. Why let the US gov work on their computer network when the politically connected private sector could do the same work for billions in funding? No more logs, questions about projects, missions.
    The results long term are what is been seen now.
    US gov networks kept the plain text past because it was easy to sort and collect.
    The private sector got given all that data that anyone can read, sort, understand to translate, index, add to other data from the private sector.
    Nobody really wants to think about security. That blocks different parts of the US gov, mil from access and paying the private sector for that project. Per project security slows down complex searching by the rest of the US gov/mil/other contractors.
    So data floats around unencrypted, on internet facing contractor networks with not much logging and not much security.

    Why no security? The private sector could install some really good systems to lock that data down, secure networks, track and block most malware intrusion attempts?
    Nobody wants to lock out other agency requests for the same data sets. Looking for that dream team of US mil and contractors to support freedom in another nation? Complex security might log the funding, names of the pilots, the front company aircraft used, contractors needed to load the aircraft in other nations, find the way very advanced weapons systems got supplied to the "rebels"...
    What if Congress requests a copy of that log of another Iran–Contra to support freedom using different nations?

    Better just to have the data sets with no security, no logs, no questions, nothing anyone in Congress can demand a decade later.
    The US clandestine services cannot trust any oversight by the US political system. So no data is logged, nothing kept, no complex logs on backup. Plain text exists as is for years and is searchable.
    Security is just a bad word for political oversight and questions later about missions that never officially existed and had no funding.
    Thats how the US gov.mil systems got to how they are now. Once the best in the 1960's for searching and data collection is now just a way of hiding missions from political oversight.
    Its worth more

    --
    Domestic spying is now "Benign Information Gathering"
  13. Re:Other countries? by AHuxley · · Score: 1

    They know what the MI6, NSA, CIA, GCHQ can do to computer networks that have to get imported.
    They don't use network computer in the same way for mil projects.
    A super computer can do calculations for mil systems.
    Dont put your entire mil system on an internet facing network for the NSA, CIA, GCHQ to read from in real time.
    Other nations have finally understood what the NSA and GCHQ did to their security in the 1950-1990's.
    Other nations spend millions on human spies entering the USA, UK over generations. Two generations later they have the cleared, totally trusted US/UK staff to enter the US and UK security services.
    The US and UK spend billions spying on digital network spying globally. Other nations know just not to have mil connected networks to spy on.

    Other nations are very careful who they hire to join their spy agencies/mil too. They hire only people they can trust politically and have some understating of who will stay loyal to their nation. Staff get tested so they do not walk out secrets for cash/pleasure at the first offer by CIA/MI6.
    Less of that risky contractor problem with spending problems, gambling, addictions, in need of a new friend.
    The US and UK virtue signal that their spy agencies are open to all applications and will totally trust and welcome anyone. Security considerations are now a distant second to been seen attracting all kinds of new staff.

    Very different ways of finding staff, keeping computers secure.
    The other issue was importing US and UK mil equipment and trusting it to work.
    Early 1980's Argentina found out too late that most of their new US/UK/NATO quality secure communications equipment was open to the GCHQ in real time.
    The only system that slowed the GCHQ down was a South African designed communications system. Why? It had been used in a real war by South Africa and had to actually work to keep South African troops safe from other nations very advance mil collection in Africa.
    Lesson most smart nations took away from that was to spread their human spies out globally and that Western export grade mil equipment is clandestine service back door junk.
    Other nations have had decades of been spied on totally to finally understand how digital collection works and just don't use networks open to spying.
    France lost all its embassy communications to the NSA and GCHQ during the 1950's. Was it human spies? Embassy not doing crypto to a good standard? Someone trusted back in the gov in France? Why was France not able to secure some big trade deal? Finally investigations found nothing was wrong with the human side of the gov, workers, staff. It was just the way the communications network was set up and not shielded that leaked plain text in real time.
    Another lesson learned that its not always staff, sometimes its the crypto and networks that is junk.

    --
    Domestic spying is now "Benign Information Gathering"
  14. Govt Program Naming Note. by mveloso · · Score: 1

    I vaguely remember seeing references and a diagram of Red Disk. As a data point, in general the communities will keep extending projects outwards along the same naming dimension, so expect programs named "gold disk," "blue disk," etc.

    Projects actually never fail in the way you'd think. Everyone learns a whole lot, then moves on to the next iteration.

    Red Disk itself was one of the first attempts at what's now called a data lake, I think. You can probably dig it out of google if you cared. There were one or two followup projects, all going in different directions.

  15. Let's stop pretending we went to the moon by ourlovecanlastforeve · · Score: 1

    Next thing you know someone will leak more photos of the sound stage where they filmed the moon landing.

  16. Re:this is good by mcswell · · Score: 1

    If the Visigoths (whoever they might be) invaded the US and brought it down, who would be the new Big Guy On The Block? You'd rather live with them dominating you?

  17. Honeypot? by sfsp · · Score: 1

    Consider the possibility that this is information/disinformation they WANT to be out, without the responsibility of actually releasing it. Just a thought.