Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure... Until 2013

from the but..-but...-kill-manning! dept

One of the big points that's been completely lost in the debate over Wikileaks and Bradley Manning allegedly leaking a bunch of government info to Wikileaks is just how easy it was to do so. Some reports have noted that millions of people had access to the same info, and it's quite likely that plenty of others "leaked" at least pieces of it (not necessarily to Wikileaks, but out into the world). Some are beginning to point out just how incredibly slow the Defense Department has been in trying to be more secure with its network. While they were quick to arrest Manning, actually doing something about how easy it was to leak took months. And, even worse, it looks like the major security holes in the system won't actually be closed until 2013. So, government leakers have a few more years...


Reader Comments

  •  
    Anonymous Coward, Apr 11th, 2011 @ 6:31am

    Every country with any sort of Intelligence agency

    would have had access to all this stuff long ago. A couple of hundred quid would have bought it for them.

     

  •  
    Techfred, Apr 11th, 2011 @ 7:05am

    I thought this wikileaks business was over. To be honest I'm quite tired of hearing about it. The government should just be transparent and disclose how they feel about wiki leaks. They have given themselves the right to do whatever they choose regarding national security. No use pretending.

     

    •  
      aldestrawk (profile), Apr 12th, 2011 @ 10:34am

      Re:

      Wikileaks has 261,000 State Department cables. As of today, 6693 have been released. One assumes that Wikileaks and the 5 newspapers that have access to the full set, are releasing the most interesting ones first. This will be going on for months if not years.

       

  •  
    Anonymous Coward, Apr 11th, 2011 @ 7:17am

    whatever

    If someone put some cookies in a sealed glass box at my workplace, then made me sign a dozen forms stating that I could be executed for treason if I ate any of the cookies, I think that would be enough security to prevent me from eating them until 2013 when they used bulletproof lexan for the box.

     

    •  
      Richard (profile), Apr 11th, 2011 @ 7:56am

      Re: whatever

      And your point is ?

      This is just a typical example of Feynman's security maxim (found here)

      "During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy)."

       

    •  
      Richard (profile), Apr 11th, 2011 @ 8:00am

      Re: whatever

      If someone put some cookies in a sealed glass box at my workplace, then made me sign a dozen forms stating that I could be executed for treason if I ate any of the cookies, I think that would be enough security to prevent me from eating them until 2013 when they used bulletproof lexan for the box.

      You forget the fundamental point. The magnitude of the punishment is irrelevant because most rulebreakers don't believe that they will be caught. If they did then even a modest punishment would suffice.

       

  •  
    NullOp, Apr 11th, 2011 @ 7:24am

    2013?

    It doesn't matter as the world ends next year!

     

    •  
      James Carmichael, Apr 11th, 2011 @ 8:48am

      Re: 2013?

      Yeah, 2013 sounds just far enough away for people to forget there was a promise made back in 2011 about fixing the networks. In 2013, things will have changed enough so that they can either fix the problem, or more likely just shrug it off again saying "well we promised something two years ago, but that was two years ago, and now is now, so we just won't do anything."

      Either way, government transparency and accountability is NOT a problem, and it shouldn't be 'fixed'. It's a good thing.

       

      •  
        coldbrew, Apr 11th, 2011 @ 9:33am

        Re: Re: 2013?

        Either way, government transparency and accountability is NOT a problem, and it shouldn't be 'fixed'. It's a good thing.

        Actually, it is a problem. We need more transparency and accountability. Tools that aid us in this effort are welcomed. I'm working on one and I will put it up on git when I'm reasonably satisfied (hopefully, someone can help fix my pathetic code). I'm pretty optimistic that these tools will continually be made and improved.

         

        •  
          nasch (profile), Apr 12th, 2011 @ 4:47am

          Re: Re: Re: 2013?

          Actually, it is a problem. We need more transparency and accountability.

          That's exactly what he said, though it was open to misinterpretation. A slight change makes it clearer I think: "[Having] government transparency and accountability is NOT a problem, and it shouldn't be 'fixed'. It's a good thing." :-)

           

  •  
    harbingerofdoom (profile), Apr 11th, 2011 @ 7:25am

    see, that delay is just the current administration keeping their promise of more transparency in government.

    the real issue is that no one asked exactly *HOW* they were going to do it and they didn't offer that info willingly. this must be how!

    ain't it great to live in a country where politicians keep their campaign promises?!

     

  •  
    NullOp, Apr 11th, 2011 @ 7:28am

    No, really....

    Security won't be fixed till 2013? WHY, are we wasting money paying these blockheads? MY and YOUR tax dollars, bazillions of them, are being spent recklessly! Time to change the guard!

     

  •  
    Jim L, Apr 11th, 2011 @ 8:03am

    It doesn't matter

    They should take a lesson of what not to do from the TSA. Spending all your energy worrying about the last threat doesn't really help you much in dealing with the next one.

    The real problem here is how many people have access to this information and how easily and anomalously it can be duplicated these days. It also doesn't help that the vast majority of this "classified" information should just be labeled "embarrassing".

     

  •  
    Anonymous Coward, Apr 11th, 2011 @ 9:47am

    - Shouldn't matter as the world ends in 2012. This explains the Palin 2012 10,000 Mayans can't be wrong bumper stickers.

    They have no idea how to secure the systems, so they have to take bids from the sweetheart companies, who will want tons of money. They will then award a contract, and skip doing background checks on the staff implementing "security". They then will end up overbudget and need more money to pay for their overages on their net connection uploading juicy bits to wikileaks. They will get the system in place, and then discover it creates more holes than it solves. The system will be scrapped, 4 years later, and they will reboot the project with another open bid process only open to the friends of the congress critters.

    This is what happens when they try to use the buzz words to have the synergy happen and get results.

    Easier answer, stop having 40 levels of secrets. Stop trying to make things secret that are not. We need to keep some things secret but not all of the junk out there needs to be, if you reduce the pool of things designated that way you can control the access better. Oh and disable flash drives and cd burners. *blink* I can has 100 million for consulting now?

     

    •  
      aldestrawk (profile), Apr 12th, 2011 @ 5:34pm

      Re:

      I will respond to your comments one at a time.


      - lol, I hadn't heard that Palin bumper sticker


      - It looks like the design is already in place. It will take two years to fully deploy. The expertise is there, however those who have command authority may not understand computer security. The NSA, which is part of DoD, certainly understands security as well as anyone. The NSA is also tasked with protecting the federal government's computer networks. The DoD's approach to security has been lackadaisical considering they have some of the best experts on the planet. Manning's comment in the Manning/Lamo chat logs, shows the NSA was involved in monitoring SIPRNet for external attacks but looking for internal anomalies was not a priority. A Host Based Security System (HBSS) will be complete in June of this year. This was 40% in place (only in continental US) already on SIPRNet at the time of Manning's leak. This monitors transfers to removable media. The DoD will incorporate the NSA designed Audit Extraction Module (AEM) to HBSS.
      The crux of the problem is that SOME computers (12%) with access to SIPRNet have to allow data transfers to removable media (Sneakernet). This is needed to allow sharing of information with coalition partners, weapons systems, and other systems out in the battlefield that don't have access to SIPRNet. Their solution is to monitor and audit these transfers.


      - They shouldn't have to do background checks. It may seem counter-intuitive to lay people, but the security design should be completely open. What is meant by the pejorative phrase "security through obscurity", is that keeping the design of a security system secret is false security. It shouldn't matter if Al Qaeda or the Taliban have full access to the blueprints of security. The real security is through maintaining the secrecy of passphrases, keys, or digital certificates. Being an open design allows important feedback from security experts outside of the US military and government. This is how AES was designed. Unfortunately, a lot of military and government officials (corporate as well) still believe in security through obscurity. However, it is needed in situations where there is not, and never will be, a good technical solution. Case in point, DRM.


      - I am not sure if you are just being sarcastic here but I don't see this as at all likely. It is easy to have a cynical viewpoint about security having witnessed nearly two decades of horrendous security problems in operating systems, browsers and other internet applications. Doing security correctly to eliminate all vulnerabilities is very hard, but security software doesn't usually create new holes.


      - I am not at all sure having 40 levels of secrets (and also compartmentalized by need to know) is a problem. Certainly most security infrastructure is capable of handling hierarchical access. So, 40 levels is no different than 2. It can be viewed as a way to allow as much access as desired as well as a way of allowing only as little access as desired.


      - Total agreement! Insider leaks are the hardest to prevent. The view that something in particular shouldn't be secret is the motivation for leaking. My gripe with Bradley Manning is that he (allegedly) released far more information than he could have possibly reviewed himself. Given that, I don't fully trust his motivation.


      - A malware infected flash drive was used to target US military computer systems in 2008. As a result, flash drives were temporarily banned. Malware can be controlled by disabling the AutoPlay function under Windows. I find it odd that writable CDs and DVDs weren't similarly banned. Yes, do it for the 88% of SIPRNet computers that don't need Sneakernet.

      I would like my 100 million as well.

       

      •  
        Anonymous Coward, Apr 12th, 2011 @ 8:52pm

        Re: Re:

        I'll go halfsies on it with ya.

        My fear is that the system would be the same as everything else congress gets to touch.

        We do not want this new plane, it's a waste. But they ram the money and funding through and force it to continue to pay back some backroom deal.

        Someone gets a wise idea about what it SHOULD do from someone's glossy presentation, and it gets diluted as things get shoved into it.

        The extra levels of security was mainly a dig about what was "classified" that was leaked in the Manning case. It is embarrassing but hardly handing out the names and locations of CIA operatives.

        While Manning might not have been able to review all of the information, some of what was contained in the leaks is a revelation that "our" Government is acting in ways that they themselves publicly denounce. That level of hypocrisy might have been enough to help motivate him further.

        It seems sad that it took being embarrassed like this to get them to actually take security seriously. And part of me wonders where did any money allocated to hardening their systems before get spent.

         

        •  
          Anonymous Coward, Apr 13th, 2011 @ 8:56pm

          Re: Re: Re:

          Just a note, It would have been easier to read my response if the lines at the beginning of each of my paragraphs weren't deleted. They were the references in your comment but I enclosed them in "" forgetting that this would be interpreted as HTML, and illegal HTML at that.

           

          •  
            aldestrawk (profile), Apr 13th, 2011 @ 9:00pm

            Re: Re: Re: Re:

            Hmm.. I enclosed them in lesser than and greater than symbols which are always interpreted as HTML. Illegal stuff is deleted.

             

  •  
    Jordan (profile), Apr 11th, 2011 @ 11:58am

    They are going to secure the information behind the NYT Paywall.

     

  •  
    Jay (profile), Apr 11th, 2011 @ 8:32pm

    Isn't this the same government...

    These are the same people that allowed one man to swindle them for YEARS based on the same faulty programming software. It was better to pay him than admit a mistake, correct?

    The word incentive becomes ever more powerful as we look into the inanity that is US government.

     

  •  
    Anonymous Coward, Apr 11th, 2011 @ 9:40pm

    Implementation of controls within an organization as widely dispersed as the DoD is no trivial matter. Two years to implement such controls (which involves much more than just changes to IT systems) is hardly unreasonable.

     

    •  
      aldestrawk (profile), Apr 12th, 2011 @ 3:04am

      Re:

      I have to disagree. They could have a system in a couple of weeks had they gone with password/passphrase based authentication. There are several types of authentication servers available. You can scale up by having multiple servers. Multiple classification levels can be implemented with group access. The time consuming part is assigning documents to groups. However, you could start with a crude mass assignment and make adjustments without bringing the system down. As long as everyone can remember their passphrase under the stress of warfare, this should work.

       

      •  
        nasch (profile), Apr 12th, 2011 @ 4:53am

        Re: Re:

        lol, you think it would be possible to deploy an IT solution across the entire defense department in two weeks?? That is very very far from the reality. Consider an organization of say 50 people or less. Even with no red tape at all, you have to analyze requirements, design a solution, specify, order and receive hardware if necessary, and develop, test, and deploy software. *Maybe* you could do that in two weeks at that 50-person company. Add another few hundred thousand people and a few million lines of government regulations, and I'm also not surprised two weeks becomes two years.

         

        •  
          aldestrawk (profile), Apr 12th, 2011 @ 10:13am

          Re: Re: Re:

          I'm a technical person, so forgive me if I do not add in a bureaucracy requirement. I would assume that if the DoD felt there was an urgency to this, red tape could have been bypassed to put, at least an initial solution, in place. Authentication algorithms and software is not a new technology. Solutions have already been designed. The DoD could have adopted either Kerberos or RADIUS as a solution to gain access, at a rough grained level, to entire servers as a first step. This is done on top of an existing infrastructure. The only change for those millions of users is to use a RADIUS client program that has been installed on their computer. They log in with a passphrase and gain access to a subset of servers. In addition to some number of authentication servers, the existing servers have to add a top layer to check for authentication. Adjustments to access can be made on the fly without further involvement from the mass of users.
          The cost for this would be a drop in a very large bucket taking into account the DoD's total budget. Scaling up is not a big problem. Facebook authenticates more than 500 million. This could be implemented as a temporary solution while the red tape unwinds and the endless details are discussed.
          The DoD decided not to go this way which means someone or some committee decided it was enough, for the next year, to further restrict Sneakernet capability.

           

          •  
            nasch (profile), Apr 12th, 2011 @ 3:26pm

            Re: Re: Re: Re:

            I would assume that if the DoD felt there was an urgency to this, red tape could have been bypassed to put, at least an initial solution, in place.

            I have no idea. It seems quite possible that the person or people who have to decide on this don't have the authority to bypass anything, and the people who have the authority to cut the red tape lack either the knowledge or the interest to get involved.

            The DoD decided not to go this way which means someone or some committee decided it was enough, for the next year, to further restrict Sneakernet capability

            Yeah, taking the easy way out. Gee, not like that's going to come to bite them, huh?

             

  •  
    aldestrawk (profile), Apr 12th, 2011 @ 2:41am

    The article from Firedoglake misleads by summarizing SIPRnet as being either secure or not secure. There are three, somewhat independent, aspects of security at work here; ability to bridge the air gap between SIPRnet and the rest of the universe, authentication and finer grained access, logging and auditing capability. Each one will make the system more secure.
    SneakerNet was and is still needed. They point out the malware incident in 2008 triggered by an infected thumb drive. Malware can be controlled by disabling autorun capability. I am not sure if that was addressed. The DOD apparently decided to restrict thumb drives but still allowed writeable CDs. After Wikileaks, they are restricting further, only allowing 12% of their computers Sneakernet capability and somehow(?) monitoring people and transactions on these. This is enough, in itself, to have prevented a Bradley Manning from leaking mass amounts of material. Someone else, a little more trusted, can still do a mass leak.
    What they are ultimately doing is making multiple classification levels for info and assigning everyone a capability to access some subset of those levels. They are doing this by creating a PKI and issuing cards with digital certificates. DoD, apparently, did not want to do passwords. I am a bit dumbfounded if they don't do two-factor authentication. The State Dept. has already moved their cables over to JWICS (the top secret network). I think that is overreacting. Maybe it's temporary. Certainly, the vast majority of those don't deserve top secret listing.
    The final part is to put in a logging and auditing capability to monitor data transactions. The threat of monitoring is supposed to deter leaking.
    They recognize there is a need to share information, particularly after 9/11. From the outside, it looks like they just let anyone with access to SIPRnet full access to all information stored on it. The full system won't be finished till 2013, but that doesn't mean that there is no more security than there was a year ago. The algorithms needed to implement such a system are well known. There are several different authentication systems in use elsewhere. The card system means it will take time to deploy.
    One of the NSA's responsibilities is developing computer and network security (e.g. SE Linux (Security Enhanced Linux) is derived from work done at the NSA). The DoD will be using an auditing system developed by the NSA. There is an interesting quote in the Lamo/Manning chat logs.

    i even asked the NSA guy if he could find any suspicious activity coming out of local networks… he shrugged and said… “its not a priority”

    Nobody expected a military insider would do a mass leak. That was naive.

     

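An added illustration, not part of the original thread and not HBSS or AEM code: the "monitor and audit the transfers" approach described in the comments above, sketched as two checks over removable-media write records. One flags writes from hosts outside the authorized set; the other flags a user on an authorized host whose daily volume passes a limit, the "someone a little more trusted" case. The record format, host names, allowlist and 1 GiB limit are all assumptions made for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (hypothetical format, not a real product's):
# timestamp, host, user, device, bytes_written
SAMPLE_LOG = """\
2011-04-11T08:02:11,ws-014,analyst1,usb,1048576
2011-04-11T08:40:03,ws-201,analyst2,cdrw,734003200
2011-04-11T09:15:47,ws-014,analyst1,cdrw,681574400
2011-04-11T09:58:20,ws-014,analyst1,cdrw,702545920
2011-04-11T13:05:00,ws-033,analyst3,usb,52428800
2011-04-12T07:30:00,ws-014,analyst1,usb,2097152
2011-04-11T10:00:00,ws-014,,usb,notanumber
"""

# Assumed policy: only these hosts may write to removable media at all.
AUTHORIZED_HOSTS = {"ws-014", "ws-033"}
# Assumed per-user, per-day volume limit on authorized hosts (1 GiB).
DAILY_BYTE_LIMIT = 1024 ** 3


def parse_records(text):
    """Return (records, rejected). Malformed rows are kept for review,
    because silently dropped audit records are a monitoring blind spot."""
    records, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        try:
            ts, host, user, device, size = row
            if not host or not user:
                raise ValueError("missing host or user")
            records.append({
                "ts": datetime.fromisoformat(ts),
                "host": host,
                "user": user,
                "device": device,
                "bytes": int(size),
            })
        except ValueError:
            rejected.append(row)
    return records, rejected


def audit(records, authorized_hosts, daily_limit):
    """Return findings as (rule, user, host, day) tuples in time order."""
    findings = []
    totals = defaultdict(int)   # (user, day) -> bytes written so far
    already_flagged = set()     # report each (user, day) overrun once
    for rec in sorted(records, key=lambda r: r["ts"]):
        day = rec["ts"].date().isoformat()
        if rec["host"] not in authorized_hosts:
            # Any write from a host that should have media writes disabled.
            findings.append(("UNAUTHORIZED_HOST", rec["user"], rec["host"], day))
            continue
        key = (rec["user"], day)
        totals[key] += rec["bytes"]
        if totals[key] > daily_limit and key not in already_flagged:
            already_flagged.add(key)
            findings.append(("VOLUME_EXCEEDED", rec["user"], rec["host"], day))
    return findings


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    for finding in audit(recs, AUTHORIZED_HOSTS, DAILY_BYTE_LIMIT):
        print(finding)
    print("rejected rows:", bad)
```
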

