

Military Bans Disks, Threatens Courts-Martial to Stop New Leaks - Mithrandir
http://www.wired.com/dangerroom/2010/12/military-bans-disks-threatens-courts-martials-to-stop-new-leaks

======
nl
It's worth noting that this (reduction in the efficiency of internal
communications) is _exactly_ what Assange wanted:

 _The more secretive or unjust an organization is, the more leaks induce fear
and paranoia in its leadership and planning coterie. This must result in
minimization of efficient internal communications mechanisms (an increase in
cognitive “secrecy tax”) and consequent system-wide cognitive decline
resulting in decreased ability to hold onto power as the environment demands
adaption._

[http://zunguzungu.wordpress.com/2010/11/29/julian-assange-
an...](http://zunguzungu.wordpress.com/2010/11/29/julian-assange-and-the-
computer-conspiracy-%E2%80%9Cto-destroy-this-invisible-government%E2%80%9D/)

~~~
ccollins
That article is enlightening - it changed my take on Assange from "guy who is
really good at disseminating classified information" to "guy who is really
good at executing a well articulated plan to reduce secrecy in government".

These few lines sum it up nicely:

 _Because we all basically know that the US state — like all states — is
basically doing a lot of basically shady things basically all the time, simply
revealing the specific ways they are doing these shady things will not be, in
and of itself, a necessarily good thing. In some cases, it may be a bad thing,
and in many cases, the provisional good it may do will be limited in scope.
The question for an ethical human being — and Assange always emphasizes his
ethics — has to be the question of what exposing secrets will actually
accomplish, what good it will do, what better state of affairs it will bring
about._

~~~
nl
Yes, I found it very enlightening, and I developed a lot more respect for
Assange's after reading it - even if I don't agree with him all the time.

He really isn't just randomly dumping documents - there is a very deliberate
methodology to it.

There was a good discussion on that article on HN a few days ago.

------
maqr
> But the U.S. military is telling its troops to stop using CDs, DVDs, thumb
> drives and every other form of removable media — or risk a court martial.

I'm pretty sure anyone stealing the data is already risking a court martial.

If the secret files are really so wide open that they're just counting on
people not being able to take them, then there's some much larger problems
that they better start addressing.

Also, I have a really hard time believing this one Private in the army could
download hundreds of thousands of State department secret communications, then
smuggle them out on CDs. Something is _very_ broken if that's true. Either
Manning is just a scapegoat, or there's massive security problems with secret
information, or both.

~~~
raganwald
_I'm pretty sure anyone stealing the data is already risking a court martial._

Anyone _stealing_ the data, yes. I read the article as saying that people
using remobvable media for purposes consistent with their jobs will now be
subject to court martial.

Example: A machine is normally connected to the network. It is moved to
another location and is not connected to the network yet. Someone using a
thumb drive to copy a file from a machine on the network to the unconnected
machine is breaking the new directive even if the thumb drive never leaves the
office or is erased immediately thereafter.

Just an opinion of a paraphrasing of a leaked memo describing a directive...

~~~
oiuytgyuio
After various UK government departments lost just about every USB key some new
rules were introduced about how they had to be encrypted.

Naturally this was hidden in a procedures manual several 1000 pages long.

But because the procedure dealt with encryption of classified data - the
procedures manual saying how it had to be protected was of course secret! And
couldn't be issued to the workers.

------
ghshephard
Quite a few members of HN work at companies where the only way to get access
to source code, and other secure files, are through thin clients. Sometimes
virtualized. At least one of those companies _really_ doubled down on security
Last December/January of this year as a result of a serious intrusion.

------
kevinpet
This article fails to draw enough attention to a key item -- these are
enhanced restrictions only for the classified systems. The headline reads like
a ham-handed overreaction that's going to make it impossible for people to
type up their quarterly reviews and leave requests.

I didn't deal with anything classified, but my understanding five years ago
was that:

1\. Any device that's gets plugged in to a secure system needs to have the red
"this contains classified info" sticker on it. 2\. Once a device becomes
classified, it can never be plugged in to an unclassified system.

It sounds like the actual story is "military reviews, reiterates security
policy in the wake of wikileaks scandal."

------
pyre
This just reminds me of SnowCrash. Y.T.'s mom routinely going through lie
detectors and what-not just due to being a government employee:

[http://books.google.com/books?id=RMd3GpIFxcUC&pg=PA290&#...</a>

------
epo
Bravo to Wired for correctly pluralizing court-martial. In hyphenated terms
you add -s to the dominant or defining noun, e.g. gins-and-tonic, Egg
McMuffins.

Ahem, back to politics ...

------
nhangen
When I was overseas, we had a difficult time trying to transfer secret data
between DoS and DoD terminals...I can imagine this is going to make it much
more difficult.

Flash drives have always been disallowed because of malware and virus issues,
but CD's and DVD's were what we used to move data between non connected
systems. This could be a real pain in the ass.

I'd think that all of these problems could be solved by simply logging disks
that are removed from secure facilities.

~~~
krschultz
They should combine a flash drive with an RFID tag, the pc would need to make
sure the RFID is present to use the flash drive, and if anyone tried to walk
out with them they would set off an RFID detector.

Ok so who wants to charge the gov't $65 million+ for that? Throw encryption on
it and charge $150 million.

------
rbranson
If they needed to use a sneakernet because of a low bandwidth link, it seems
like they could eventually migrate to a system with the ability to transfer
encrypted copies to removable media. Any other trusted computer on the network
could download a key to decode the data, while making the keys unavailable to
the end user (at least to the greatest degree possible).

~~~
eli
It's not low bandwidth link; it's intentional design. Secure computers are not
able to connect to the outside world.

~~~
rbranson
From the article:

"...classified computers are often disconnected from the network, or are in
_low-bandwidth areas_."

~~~
krschultz
I think Wired is confused.

Classified computers are almost always disconnected from the _internet_. In
fact I haven't seen a computer with the combination of internet connection and
approval to access classified documents.

So yes, they are low bandwidth. But all of the classified computers are
networked together. Recall Pfc Manning pulled the files from a database that
he leaked.

The bandwidth between the classified network and the nonclassified network is
almost always zero or extremely limited (or might have to go through a person
who literally weeds through the files one at a time and could accurately be
described as "low bandwidth").

So any time you are circumventing that protection using removable media you
_are_ breaking the protocol. Just look at Stuxnet for the reason why _other_
that Wikileaks.

------
iwr
The military could issue USB storage devices and identity tokens that keep
their information internally encrypted and which only work on sirpnet-trusted
computers.

Scenario: Anything copied to the USB device is internally encrypted, offline,
with one of the military's public keys. This process requires no network-side
authentication, but would require the soldier's "identity key" to also be
plugged in and "sign" the contents.

Putting the storage device in a non-trusted computer means the contents are
not retrievable.

To decrypt the contents of the device, you have to first authenticate to
sirpnet from a trusted computer. It's then and only then that the computer is
allowed to unlock the information on the removable drive.

This method is not safe to hardware reverse-engineering, but should be safe
enough for operational use.

~~~
mahmud
Pitch it to them and assemble a team.

------
cromulent
Well, this is the real way to shut down Wikileaks. Don't leak. Wikileaks is
poorly named - they are neither a wiki nor do they leak. Wikileaks is to
governments as _The Sun_ is to the British Royal Family. If you are doing
something unsavoury, you'd better make sure they don't find out.

~~~
pyre
I'm thinking that Wikileaks is stating that it's the 'Wikipedia for leaks,'
but IIRC they _were_ originally running on a mediawiki platform.

~~~
nitrogen
Is there an archive of the old wiki? There were some documents on there I
might like to revisit.

------
kondro
It's actually a good plan. I'm surprised most secret systems aren't just
accessible via thin client without any bulk transfer capabilities.

~~~
eli
I know that some government contractors fill the USB ports with epoxy.

~~~
gte910h
I've seen that. The first time you see it you're like "what the hell is on the
computer". Looks a bit like a mix of hot glue and earwax (at least what I
saw).

------
jacquesm
I notice that did not stop plenty of information about this order to end up in
the media within an extremely short time.

Presumably wired citing 'sources' means that some people are still willing to
talk to the media about the information they received. Of course, 'hard' proof
(actual copies) of stuff tends to be much more damning but you'll never be
able to lock up that information carrier called the brain and it will hold
plenty of bits of information.

What bugs me is that no government seems to have clued in to the most obvious
and totally secure method of cleaning up their act and making sure that
nothing worth leaking is done.

------
CallMeV
Of course they could just tag all authorised USB drives with RFID chips with
unique ID codes matching the owners they are assigned to and their clearance
levels, and equip their machines and the installations with RFID scanners
designed to both detect the RFID and also to verify that the chip matches the
drive being used.

If the USB doesn't have the RFID, or it doesn't match the carrier or it has
the wrong clearance code or the drive doesn't match the RFID ...alarms, guns,
trouble.

------
CallMeV
They need to just use their eyes and ears, the old fashioned way. Eternal
vigilance is the price for crushing freedom, erm, something.

Better yet, if they want to prevent leaks, just stop doing objectionable
things. Especially to their citizens.

------
jdp23
On blog talk radio, I heard James Fallows talk about how the State Department
is furious at the military for their shoddy security here. According to his
sources, State Department systems have much more of the basic protections in
place.

------
zzo38
Maybe now someone will use camera to picture from the screen, or retype
everything, or tell someone by telephone, or something else.

~~~
krschultz
Camera's are banned obviously, including on cell phones.

Though if your point is that someone can always leak, that surely is true.
There are thousands and thousands of people with the classified information
stored in their brains walking around in public all the time, and they choose
not to talk about it. Really nothing at all stops them from just blabbering on
about it at the bar after work. People are the ultimate security hole.

All this is does is prevent mass dumps like Pfc Manning did (alright, is
accused of doing). He didn't read all of those papers he leaked, he just
dumped them on a flash drive and walked out.

------
poet
This was standard practice at a defense contractor I interned at. I'm honestly
surprised this wasn't already the military's policy.

