Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure... Until 2013
from the but..-but...-kill-manning! dept
One of the big points that's been completely lost in the debate over Wikileaks and Bradley Manning allegedly leaking a bunch of government info to Wikileaks is just how easy it was to do so. Some reports have noted that millions of people had access to the same info, and it's quite likely that plenty of others "leaked" at least pieces of it (not necessarily to Wikileaks, but out into the world). Some are beginning to point out just how incredibly slow the Defense Department has been in trying to be more secure with its network. While they were quick to arrest Manning, actually doing something about how easy it was to leak took months. And, even worse, it looks like the major security holes in the system won't actually be closed until 2013. So, government leakers have a few more years...
Filed Under: defense department, security, wikileaks
Reader Comments
Every country with any sort of Intelligence agency
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
whatever
[ link to this | view in chronology ]
Re: whatever
This is just a typical example of Feynman's security maxim ( found here
"During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy)."
[ link to this | view in chronology ]
Re: whatever
You forget the fundamental point. The magnitude of the punishment is irrelevant because most rulebreakers don't believe that they will be caught. If they did then even a modest punishment would suffice.
[ link to this | view in chronology ]
2013?
[ link to this | view in chronology ]
Re: 2013?
Either way, government transparency and accountability is NOT a problem, and it shouldn't be 'fixed'. It's a good thing.
[ link to this | view in chronology ]
Re: Re: 2013?
Actually, it is a problem. We need more transparency and accountability. Tools that aid us in this effort are welcomed. I'm working on one and I will put it up on git when I'm reasonably satisfied (hopefully, someone can help fix my pathetic code). I'm pretty optimistic that these tools will continually be made and improved.
[ link to this | view in chronology ]
Re: Re: Re: 2013?
That's exactly what he said, though it was open to misinterpretation. A slight change makes it clearer I think: "[Having] government transparency and accountability is NOT a problem, and it shouldn't be 'fixed'. It's a good thing." :-)
[ link to this | view in chronology ]
the real issue is that no one asked exactly *HOW* they were going to do it and they didn't offer that info willingly. this must be how!
ain't it great to live in a country where politicians keep their campaign promises?!
[ link to this | view in chronology ]
No, really....
[ link to this | view in chronology ]
It doesn't matter
The real problem here is how many people have access to this information and how easily and anomalously it can be duplicated these days. It also doesn't help that the vast majority of this "classified" information should just be labeled "embarrassing".
[ link to this | view in chronology ]
They have no idea how to secure the systems, so they have to take bids from the sweetheart companies, who will want tons of money. They will then award a contract, and skip doing background checks on the staff implementing "security". They then will end up over budget and need more money to pay for their overages on their net connection uploading juicy bits to wikileaks. They will get the system in place, and then discover it creates more holes than it solves. The system will be scrapped, 4 years later, and they will reboot the project with another open bid process only open to the friends of the congress critters.
This is what happens when they try to use the buzz words to have the synergy happen and get results.
Easier answer, stop having 40 levels of secrets. Stop trying to make things secret that are not. We need to keep some things secret but not all of the junk out there needs to be, if you reduce the pool of things designated that way you can control the access better. Oh and disable flash drives and cd burners. *blink* I can has 100 million for consulting now?
[ link to this | view in chronology ]
Re:
- lol, I hadn't heard that Palin bumper sticker
- It looks like the design is already in place. It will take two years to fully deploy. The expertise is there, however those who have command authority may not understand computer security. The NSA, which is part of DoD, certainly understands security as well as anyone. The NSA is also tasked with protecting the federal government's computer networks. The DoD's approach to security has been lackadaisical considering they have some of the best experts on the planet. Manning's comment in the Manning/Lamo chat logs shows the NSA was involved in monitoring SIPRNet for external attacks but looking for internal anomalies was not a priority. A Host Based Security System (HBSS) will be complete in June of this year. This was 40% in place (only in continental US) already on SIPRNet at the time of Manning's leak. This monitors transfers to removable media. The DoD will incorporate the NSA-designed Audit Extraction Module (AEM) to HBSS.
The crux of the problem is that SOME computers (12%) with access to SIPRNet have to allow data transfers to removable media (Sneakernet). This is needed to allow sharing of information with coalition partners, weapons systems, and other systems out in the battlefield that don't have access to SIPRNet. Their solution is to monitor and audit these transfers.
- They shouldn't have to do background checks. It may seem counter-intuitive to lay people, but the security design should be completely open. What is meant by the pejorative phrase "security through obscurity", is that keeping the design of a security system secret is false security. It shouldn't matter if Al Qaeda or the Taliban have full access to the blueprints of security. The real security is through maintaining the secrecy of passphrases, keys, or digital certificates. Being an open design allows important feedback from security experts outside of the US military and government. This is how AES was designed. Unfortunately, a lot of military and government officials (corporate as well) still believe in security through obscurity. However, it is needed in situations where there is not, and never will be, a good technical solution. Case in point, DRM.
- I am not sure if you are just being sarcastic here but I don't see this as at all likely. It is easy to have a cynical viewpoint about security having witnessed nearly two decades of horrendous security problems in operating systems, browsers and other internet applications. Doing security correctly to eliminate all vulnerabilities is very hard, but security software doesn't usually create new holes.
- I am not at all sure having 40 levels of secrets (and also compartmentalized by need to know) is a problem. Certainly most security infrastructure is capable of handling hierarchical access. So, 40 levels is no different than 2. It can be viewed as a way to allow as much access as desired as well as a way of allowing only as little access as desired.
- Total agreement! Insider leaks are the hardest to prevent. The view that something in particular shouldn't be secret is the motivation for leaking. My gripe with Bradley Manning is that he (allegedly) released far more information than he could have possibly reviewed himself. Given that, I don't fully trust his motivation.
- A malware-infected flash drive was used to target US military computer systems in 2008. As a result, flash drives were temporarily banned. Malware can be controlled by disabling the AutoPlay function under Windows. I find it odd that writable CDs and DVDs weren't similarly banned. Yes, do it for the 88% of SIPRNet computers that don't need Sneakernet.
I would like my 100 million as well.
[ link to this | view in chronology ]
Re: Re:
My fear is that the system would be the same as everything else congress gets to touch.
We do not want this new plane, it's a waste. But they ram the money and funding through and force it to continue to pay back some backroom deal.
Someone gets a wise idea about what it SHOULD do from someone's glossy presentation, and it gets diluted as things get shoved into it.
The extra levels of security was mainly a dig about what was "classified" that was leaked in the Manning case. It is embarrassing but hardly handing out the names and locations of CIA operatives.
While Manning might not have been able to review all of the information, some of what was contained in the leaks is a revelation that "our" Government is acting in ways that they themselves publicly denounce. That level of hypocrisy might have been enough to help motivate him further.
It seems sad that it took being embarrassed like this to get them to actually take security seriously. And part of me wonders where did any money allocated to hardening their systems before get spent.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Isn't this the same government...
The word incentive becomes ever more powerful as we look into the inanity that is US government.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
The cost for this would be a drop in a very large bucket taking into account the DoD's total budget. Scaling up is not a big problem. Facebook authenticates more than 500 million. This could be implemented as a temporary solution while the red tape unwinds and the endless details are discussed.
The DoD decided not to go this way which means someone or some committee decided it was enough, for the next year, to further restrict Sneakernet capability.
[ link to this | view in chronology ]
Re: Re: Re: Re:
I have no idea. It seems quite possible that the person or people who have to decide on this don't have the authority to bypass anything, and the people who have the authority to cut the red tape lack either the knowledge or the interest to get involved.
"The DoD decided not to go this way which means someone or some committee decided it was enough, for the next year, to further restrict Sneakernet capability"
Yeah, taking the easy way out. Gee, not like that's going to come to bite them, huh?
[ link to this | view in chronology ]
SneakerNet was and is still needed. They point out the malware incident in 2008 triggered by an infected thumb drive. Malware can be controlled by disabling autorun capability. I am not sure if that was addressed. The DOD apparently decided to restrict thumb drives but still allowed writeable CDs. After Wikileaks, they are restricting further, only allowing 12% of their computers Sneakernet capability and somehow(?) monitoring people and transactions on these. This is enough, in itself, to have prevented a Bradley Manning from leaking mass amounts of material. Someone else, a little more trusted, can still do a mass leak.
What they are ultimately doing is making multiple classification levels for info and assigning everyone a capability to access some subset of those levels. They are doing this by creating a PKI and issuing cards with digital certificates. DoD, apparently, did not want to do passwords. I am a bit dumbfounded if they don't do two-factor authentication. The State Dept. has already moved their cables over to JWICS (the top secret network). I think that is overreacting. Maybe it's temporary. Certainly, the vast majority of those don't deserve top secret listing.
The final part is to put in a logging and auditing capability to monitor data transactions. The threat of monitoring is supposed to deter leaking.
They recognize there is a need to share information, particularly after 9/11. From the outside, it looks like they just let anyone with access to SIPRNet full access to all information stored on it. The full system won't be finished till 2013, but that doesn't mean that there is no more security than there was a year ago. The algorithms needed to implement such a system are well known. There are several different authentication systems in use elsewhere. The card system means it will take time to deploy.
One of the NSA's responsibilities is developing computer and network security (e.g. SE Linux (Security Enhanced Linux) is derived from work done at the NSA). The DoD will be using an auditing system developed by the NSA. There is an interesting quote in the Lamo/Manning chat logs.
i even asked the NSA guy if he could find any suspicious activity coming out of local networks… he shrugged and said… “its not a priority”
Nobody expected a military insider would do a mass leak. That was naive.
[ link to this | view in chronology ]
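Added example, not part of any comment above and not code from the DoD, NSA, HBSS or AEM: a minimal sketch of the controls the comments describe, combining level-plus-need-to-know access checks with an audit pass over removable-media transfers. The record format, user names, host names, compartments and the write threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed audit records (not a real HBSS/AEM format):
# (user, host, doc_level, doc_compartment, action)
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

USERS = {  # hypothetical clearances and need-to-know sets
    "analyst_a": {"level": "SECRET", "compartments": {"IRAQ"}},
    "liaison_b": {"level": "SECRET", "compartments": {"IRAQ", "COALITION"}},
}
# Hypothetical: the minority of hosts that are allowed to write removable media.
REMOVABLE_MEDIA_HOSTS = {"ws-017"}


def may_read(user, doc_level, compartment):
    """Level dominance plus need-to-know; the check is the same for 2 or 40 levels."""
    u = USERS[user]
    return (LEVELS[u["level"]] >= LEVELS[doc_level]
            and compartment in u["compartments"])


def audit(events, max_media_writes=3):
    """Return a sorted list of (user, reason) findings for one batch of records."""
    findings = set()
    media_writes = defaultdict(int)
    for user, host, level, compartment, action in events:
        if not may_read(user, level, compartment):
            findings.add((user, "access outside clearance or need-to-know"))
        if action == "media_write":
            if host not in REMOVABLE_MEDIA_HOSTS:
                findings.add((user, "media write on non-approved host"))
            media_writes[user] += 1
    # Volume check: many media writes by one user in the batch is an anomaly.
    for user, count in media_writes.items():
        if count > max_media_writes:
            findings.add((user, "bulk transfer to removable media"))
    return sorted(findings)


# Constructed sample batch.
EVENTS = (
    [("liaison_b", "ws-017", "SECRET", "COALITION", "media_write")] * 2
    + [("analyst_a", "ws-017", "SECRET", "IRAQ", "media_write")] * 5
    + [("analyst_a", "ws-044", "CONFIDENTIAL", "IRAQ", "media_write"),
       ("analyst_a", "ws-044", "SECRET", "DIPLOMATIC", "read")]
)

if __name__ == "__main__":
    for user, reason in audit(EVENTS):
        print(f"{user}: {reason}")
```

The volume check is the part that addresses an insider who is authorized for each individual document: every one of the five approved-host writes passes the access check, and only the count stands out.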