The following is from http://www.salon.com/2015/09/26/how_to_explain_the_kgbs_amaz... and describes the way the Russians implemented SELECT * WHERE CIA FROM EMBASSY_EMPLOYEES: "differences in the way agency officers undercover as diplomats were treated from genuine foreign service officers (FSOs). The pay scale at entry was much higher for a CIA officer; after three to four years abroad a genuine FSO could return home, whereas an agency employee could not; real FSOs had to be recruited between the ages of 21 and 31, whereas this did not apply to an agency officer; only real FSOs had to attend the Institute of Foreign Service for three months before entering the service; naturalized Americans could not become FSOs for at least nine years but they could become agency employees; when agency officers returned home, they did not normally appear in State Department listings; should they appear they were classified as research and planning, research and intelligence, consular or chancery for security affairs; unlike FSOs, agency officers could change their place of work for no apparent reason; their published biographies contained obvious gaps; agency officers could be relocated within the country to which they were posted, FSOs were not; agency officers usually had more than one working foreign language; their cover was usually as a “political” or “consular” official (often vice-consul); internal embassy reorganizations usually left agency personnel untouched, whether their rank, their office space or their telephones; their offices were located in restricted zones within the embassy; they would appear on the streets during the working day using public telephone boxes; they would arrange meetings for the evening, out of town, usually around 7.30 p.m. or 8.00 p.m.; and whereas FSOs had to observe strict rules about attending dinner, agency officers could come and go as they pleased." I read the book. 
When a CIA agent's cover was blown, the CIA had a spare car and apartment and the agent's replacement needed just that, so they tended to reuse the car and apartment. And wondered why the replacement was then identified so quickly.
So. After that long digression, here comes a hypothesis: Organisations that can keep their mistakes secret, can make themselves seem much more capable than other, similarly large organisations.
HOST : 188.8.131.52 : TYCHO : PDP-11/70 : UNIX : TCP/TELNET,TCP/SMTP,TCP/FTP :
HOST : 184.108.40.206 : DOCKMASTER.NCSC.MIL,DOCKMASTER.DCA.MIL, DOCKMASTER.ARPA : HONEYWELL-DPS-8/70 : MULTICS : TCP/TELNET,TCP/FTP,TCP/SMTP,TCP/ECHO,TCP/DISCARD,ICMP :
HOST : 220.127.116.11 : COINS-GATEWAY,COINS : PLURIBUS : PLI ::
HOST : 18.104.22.168, 22.214.171.124 : MARYLAND,MIMSY,UMD-CSD,UMD8,UMCP-CS : VAX-11/780 : UNIX : TCP/TELNET,TCP/FTP,TCP/SMTP,UDP,TCP/ECHO,TCP/FINGER,ICMP :
Whenever the network went down (which was often), we had to call up a machine room at Fort Meade and ask them to please press the reset button on the box labeled "IMP 57". Sometimes the helpful person who answered the phone had no idea which box I meant, so I had to describe to him over the phone which box to reset. ("Nope, that didn't work. Try the other one!" ;) They were even generous enough to issue us (CS department systems staff and undergrad students) our own MILNET TACACS card.
On mimsy, you could get a list of NSA employees by typing "grep contact /etc/passwd", because each of their courtesy accounts had "network contact" in the gecos field.
Before they rolled out TACACS cards, anyone could dial up an IMP and log in without a password, and connect to any host they wanted to, without even having to murder anyone like on TV:
Who would answer the Milnet NOC's 24-hour phone was hit or miss: Some were more helpful and knowledgeable than others, others were quite uptight.
Once I told the guy who answered, "Hi, this is the University of Maryland. Our connection to the NSA IMP seems to be down." He barked back: "You can't say that on the telephone! Are you calling on a blue phone?" (I can't remember the exact color, except that it wasn't red: that I would have remembered). I said, "You can't say NSA??! This is a green phone, but there's a black phone in the other room that I could call you back on, but then I couldn't see the hardware." And he said "No, I mean a voice secure line!" I replied, "You do know that this is a university, don't you? We only have black and green phones."
Date: Thu, 11 Sep 86 13:53:45 EDT
From: Steve D. Miller <firstname.lastname@example.org>
Subject: Talking to the Milnet NOC
This message is intended to be a brief tutorial/compendium of
information you probably want to know if you need to see about
getting the LH/DH thingy (and us) talking to the world.
First, you need the following numbers:
(1) Our IMP number (57),
(2) Mimsy's milnet host address (126.96.36.199),
(3) The circuit number for our link to the NSA
(4) The NOC number itself (692-5726).
Second, you need to know something about the hardware. There
are three pieces of hardware that make up our side of the link:
the LH/DH itself, the ECU, and the modem. The LH/DH and the
ECU are the things in the vax lab by brillig; the ECU is the
thing on top (with the switches), and the LH/DH is the thing
on the bottom. The normal state is to have the four red LEDs
on the ECU on and the Host Master Ready, HRY, Imp Master Ready,
and IRY lights on at the LH/DH. If these lights are not on,
something is wrong. If mimsy is down, then we'll only have some
of the lights on, but that should fix itself when mimsy comes up.
Some interesting buttons or switches on the ECU are:
reset - resets something or another
stop - stops something or another
start - restarts something or another
local loopback -- two switches and two leds; you may need
to throw one or the other of these if the NOC asks
you to. These loopback switches should be distinguished
from those on the modem itself.
remote loopback -- like local loopback, but does something else.
The modem is in the phone room beside the terminal room (rm.
4322, if memory serves). It can be opened with the chase key from
the key box...but if someone official and outside of staff asks
you that, you probably shouldn't admit to it. It has a switch on
it, too; it seems that switch normally rests in the middle, and
there's a "LL" setting to the left which I assume puts the modem in
local loopback mode.
Now that you have some idea of where things are, call the NOC.
Identify yourself as from the University of Maryland, and say that
we're not talking to the outside world. They will probably ask for
our Milnet address or the number of the IMP we're connected to,
and will then poke about and see what's happening. They will ask
you to do various things; ask if you're not sure what they mean,
but the background info above should help in puzzling it out.
Hopefully, this will make it easier to find people to fix
our net problems in the future; it's still hard to do 'cause
we have so little info (no hardware manual, for example),
but this should give us a fighting chance.
(Milo Medin knows this stuff first hand: https://innovation.defense.gov/Media/Biographies/Bio-Display... )
To: email@example.com (Erik E. Fair)
Cc: firstname.lastname@example.org, Hackers_Guild@ucbvax.berkeley.edu
Subject: Re: a question of definition
Date: Thu, 29 Jan 87 12:29:36 PST
From: Milo S. Medin (NASA ARC Code ED) <email@example.com>
SCINET -- Secret Compartmented Information Net (if you don't know what
compartmented means, you don't need to ask)
DODIIS -- DoD Intelligence Information Net
The other stuff I think is right, at least without me looking things
up. I probably shouldn't have brought this subject of the secure part
of the DDN up. People like being low key about such things...
Erik, all the BBN gateways on MILNET and ARPANET currently comprise
the core, not just mailbridges. Some are used as site gateways, others
as EGP neighbors, etc... And just because you are dual homed doesn't mean
you get a mailbridge. And the IETF doesn't deal with low level stuff
like that; DCA does all that. In fact, the reason we are getting an
ARPANET PSN is because when DCA came out to do a site survey, they
liked our site so much they asked if they could put one here! It's
amazing how many sites have tried to get ARPANET PSN's the right
way and have had to wait much longer than us... BTW, since we are
dual homed (probably a gateway with 2 1822 interfaces in it), we
are taking steps to be sure that people on ARPANET or MILNET can't
use our gateway to bypass the mailbridges. The code will be hacked
to drop all packets that aren't going to a locally reachable network.
BARRNet, even though its locally reachable, will be excluded
from this however, since the current procedural limitations call for
not allowing any BARRNet traffic to flow out of BARRNet to MILNET
and the reverse. NASA traffic of course can traffic through BARRNet,
and even use ARPANET that way (though that's not a big deal when
we get our own ARPANET PSN). That's because only NASA is authorized
to directly connect to MILNET, not UCB or Stanford, etc...
DCA must have the ability to partition the ARPANET and MILNET in
case of an "emergency", and having non-DCA controlled paths between
the nets prevents that. There was talk some time ago about putting
explosive bolts in the mailbridges that would be triggered by
destruct packets... That idea didn't get far though...
The DDN only includes MILNET,ARPANET,SCINET,etc... Not the attached
networks. If it did, you'd need to file a TSR to add a PC to your
local cable. A TSR is a monstrous piece of paperwork that needs to
be done anytime anything is changed on the DDN... Rick knows all
about them don't you Rick?
The whole network game is filled with acronyms! I gave up trying
to write documents with full explanations in terms long ago...
I have yet to see a short and concise (and correct) way of describing
DDN X.25 Standard Service for example... That's probably one of the
harder things about getting into networking these days. We won't
even talk about Etherbunnies and Martians and other Millspeak...
Milo '1822' Medin
Here's something interesting that Milo Medin wrote about dual homed sites like NSA and NASA, that were on both the ARPANET and MILNET:
To: firstname.lastname@example.org (Erik E. Fair)
Cc: Hackers_Guild@ucbvax.berkeley.edu, email@example.com
Subject: Re: a question of definition
Date: Thu, 29 Jan 87 15:33:35 PST
From: Milo S. Medin (NASA ARC Code ED) <firstname.lastname@example.org>
Right, the core has many gateways on it now, maybe 20-30. All the LSI's will
be stubbed off the core however, and only buttergates will be left after
the mailbridges and EGP peers are all converted. Actually, I think DARPA is
paying for it all...
Ames is *not* getting a mailbridge. You are right of course, that we could
use 2 gateways, not just 1 (actually, there will be a prime and backup anyways),
and then push routing info appropriately. But that's anything but simple.
Firstly, the hosts have to know which gateway to send a packet to a given
network, and thus have to pick between the 2. That's a bad idea.
It also means that I have to pass all EGP learned info around on the
local cable, and if I do that, then I can't have routing info from
the local cable pass out via EGP. At least not without violating
the current EGP spec. Think about it. It'd be really simple to
create a loop that way. Thus, in order to maximize the use of both
PSN's, you really need one gateway wired to both PSN's, and just
have it advertise a default route inside. Or use a reasonable IGP,
of which RIP (aka /etc/routed stuff) is not. I'm hoping to get
an RFC out of BBN at this IETF meeting which may go a long way in
reducing the use of RIP as an IGP.
BTW, NSA is an example of a site on both MILNET and ARPANET but without
There is no restriction that a network can only be on ARPANET or MILNET.
That goes against the Internet model of doing things. Our local
NASA gatewayed nets will be advertised on both sides. The restriction
on BARRNet is that the constituent elements of BARRNet do not all
have access to MILNET. NSF has an understanding with DARPA and
DCA that NSFnet'd sites can use ARPANET. That does not extend to
the MILNET. Thus, Davis can use UCB's or Stanford's, or even NASA's
ARPANET gateways, with the approval of the site of course, but
not MILNET, even though NASA has MILNET coverage. Thus we are required
to restrict BARRNet routing through our MILNET PSN. If we were willing
to sponsor UCB's MILNET access, for some requirement which NASA
had to implement, then we would turn that on. But BARRNet itself will
be cut off to MILNET (and probably ARPANET too) at Ames, but not
cut off to other NASA centers or sites that NASA connects. There is
no technical reason that prevents this, in fact, we have to take
special measures to prevent it. But those are the rules. Anyways,
mailbridge performance should improve after the conversion, so
UCB should be in better shape. And you'll certainly be able to
talk to us via BARRNet... I have noticed recently that MILNET<->
ARPANET performance has been particularly poor... Sigh.
The DCA folks feel that in case of an emergency they may be
forced to use an unsecure network to pass certain info around. The
DDN brochure mentions SIOP related data for example. Who knows,
if the balloon goes up, the launch order might pass through Evans
Hall on its way out to SAC... :-)
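The two Medin mails above describe the forwarding policy a dual-homed site like Ames had to enforce: no ARPANET-to-MILNET transit around the mailbridges, and BARRNet cut off from the DDN side even though it is locally reachable. The following is an added example that models that policy as a packet-filter decision; it is not code from the thread or from NASA's gateway, and every prefix in it is a constructed placeholder.

```python
# Added example (not from the thread): a model of the forwarding policy Milo
# Medin describes for the NASA Ames dual-homed gateway. Prefixes are constructed
# placeholders; the 1987 address assignments are not given on the page.
import ipaddress
from typing import Optional

# Hypothetical attachments (constructed); the labels follow the thread's names.
NETWORKS = {
    "ARPANET": [ipaddress.ip_network("10.0.0.0/8")],
    "MILNET":  [ipaddress.ip_network("26.0.0.0/8")],
    "NASA":    [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")],
    "BARRNET": [ipaddress.ip_network("203.0.113.0/24")],
}
DDN = {"ARPANET", "MILNET"}  # the DCA-run wide-area side


def classify(addr: str) -> Optional[str]:
    """Map an address to the network it belongs to, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, prefixes in NETWORKS.items():
        if any(ip in p for p in prefixes):
            return name
    return None


def forward_decision(src: str, dst: str) -> str:
    """Return 'forward' or 'drop:<reason>' for a packet crossing the gateway."""
    s, d = classify(src), classify(dst)
    if s is None or d is None:
        return "drop:unknown-network"
    # Rule 1: no ARPANET<->MILNET transit through this gateway. That path must
    # stay on the DCA mailbridges, or DCA loses the ability to partition the nets.
    if s in DDN and d in DDN:
        return "drop:ddn-transit"
    # Rule 2: BARRNet constituents are not authorized for MILNET (and, at Ames,
    # ARPANET), so both directions are blocked even though BARRNet is local.
    if (s == "BARRNET" and d in DDN) or (s in DDN and d == "BARRNET"):
        return "drop:barrnet-policy"
    # Rule 3: everything else either terminates on a locally reachable NASA net
    # or is NASA's own traffic heading out, which is what the gateway is for.
    return "forward"


if __name__ == "__main__":
    for src, dst in [("10.1.2.3", "26.4.5.6"), ("203.0.113.7", "26.4.5.6"),
                     ("26.4.5.6", "192.0.2.10"), ("192.0.2.10", "203.0.113.7")]:
        print(f"{src:>14} -> {dst:<14} {forward_decision(src, dst)}")
```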
And also much slower to learn from their mistakes. The history of the CIA is pretty depressing, in this regard.
Your post makes a lot of sense for that above line in the article. Maybe Russia would rather keep tabs on them as known-people rather than murder them. China seemed to have taken it personally, which is ironic given their vast purported corporate espionage spy networks.
Those described in the above comment were US nationals in Russia operating under diplomatic cover, and are not subject to Russian law. They would be deported. Russian nationals working for the CIA would not be found by that search.
The agents in the story were Chinese/Iranian/etc. nationals working for the CIA. They had no diplomatic protection, which is why they were killed.
Do you mean that the people who were careless with one group would be careful with the other? That the people who issued one car model to the real cultural attachés and another model to the CIA agents would be very careful about the agents who risk their lives?
Moreover, to a Russian person, it would be totally unbelievable that such a pipsqueak could get to the position of a "third secretary" of anything in his short, only 5-year-long career.
Organizations gain only corruption through secrecy. Fix the reason for having to keep a secret, and you build a strong organization.
The CIA would send a 35-year-old spy out with a cover job that only accepted applicants up to the age of 28, and then send a polite letter to the Russians informing them of his arrival. Meanwhile there was a giant search for the mole at CIA HQ, because there had to be one, how else would the Russians unmask so many agents so quickly?
Although I personally don't find this type of humour funny, I can understand why beginners use it. However, if you are going to use it, please make an effort and get it right. In your attempt at showing off, you're just showing you don't know basic SQL.
The article says:
"But the rest of the agency had become too reliant on the system, which was originally intended to only be a temporary communications channel, and had left the relatively insecure site up far longer than intended and used it to send information that should have been reserved for more secure channels. "It was never meant to be used long term for people to talk to sources," the report quotes one official as saying."
So why did it last so long? What did it offer that the more official channels did not? What kept the agency from developing technology that might have allowed better protected communication channels that might have also been easy to use?
Protected communication is not a sideline for the CIA, it is the core competency. This is something the CIA is supposed to be good at.
"It's temporary unless it works" - Red Green.
I always fight temporary solutions because there is a perception that one does not need to be as rigorous with temporary solutions. Then there is no sense of urgency for a replacement because this one works, it becomes a "technical debt", a "nice to have", and never gets fixed. In some cases, lack of rigour is the one functionality everybody loves that cannot be removed (security vs convenience).
My understanding is that this channel was used for "un-vetted" sources, which I take to mean sources the CIA didn't yet fully trust with their main communications systems. I'm sure they're constantly approached by double-agents looking for information about how they communicate with their sources, so they need more "throwaway" systems for people who potentially could be double agents to use.
The original reporting is better than this Register summary: https://www.yahoo.com/news/cias-communications-suffered-cata.... I think Ars Technica had a better summary: https://arstechnica.com/tech-policy/2018/11/how-did-iran-fin....
Poor contingent hires couldn't even get basic auth, eh
I keep thinking about it when building out information system architectures, especially ones that interface with end users. Bad design is metastatic and unbelievably hard to get out of. Whatever the cost of reversing a bad design decision you have in mind, 10x it and you still might not be truly there.
It hadn't been broken, so why bother? Sure, one of our employees is telling us that it's dangerously insecure, but if it's so bad why hasn't it been compromised?
So in this case, no.
I assume Iran would be careful if they saw a variety of loyal and crucial players implicated.
So from the FWIW... what is it worth? It doesn't really seem like it's worth anything so why mention it?
It's the same as saying 'Lots of people are saying X' where X is a crazy thing and then just going on about your way. You are basically stating the X and giving it credence but pretending not to with a 'FWIW.'
You replied to an earnest request for proof of your extraordinary, outrageous, and false claims with a derailing question instead of any proof.
So don't expect an answer to your question, because you don't deserve one. You've thoroughly disqualified yourself from participating in a legitimate discussion with adults.
And "I don't actually believe conspiracy theories myself, I just spread them" is an even worse excuse for your dangerous, intellectually dishonest misbehavior.
Just as a river follows the path of least resistance, so too will users follow the best UX software. Bad UX kills.
Security is a spectrum from convenient/useful to secure. They are mutually exclusive characteristics.
Perfect UX won't remove the inconvenience of having to prearrange delivery of one-time pads, biometric two-factor auth, waiting for out-of-band confirmation of your identity, etc.
All of those can have horrible UX on top of the inconvenience. But even with perfect UX they will never be as frictionless as being able to use any device, on any network, using any app/OS, to post on a useless/passwordless site.
This breach would not have happened without that convenience.
UX could have made it easier to remember the robots file. So could process, or review, or other security practices. But no UX is gonna solve the fact that the internet is insecure due to its convenience.
The internet can never be secure. At best you can get lower levels of insecurity.
All of which is outweighed by the fact that dealing with this kind of thing is the CIA's reason for existence as a separate intelligence agency, outside of the military (since Pearl Harbor). I am not at all convinced that we would be doing worse to fold intelligence back into the military as it was pre-WWII, because having a culture that understands this kind of problem is the CIA's whole purpose for being separate, and it doesn't seem to have worked.
Basically, an internal mole leaked the network, which the Chinese then exploited to roll up the agents. It's not like China just stumbled upon it, they were tipped off. While the nature of the platform didn't help, the roll up was caused by a double agent.
I guess this meeting had something to do with all of this.
No, doing this is:
> But the rest of the agency had become too reliant on the system, which was originally intended to only be a temporary communications channel, and had left the relatively insecure site up far longer than intended and used it to send information that should have been reserved for more secure channels.
If I were the CIA and I wanted a few of Iran's top nuclear scientists killed, I'd just make it seem like they were working for the CIA and let Iran's counterintelligence do the work for me.
I know that countries with less than stellar records of civil rights don't care too much about due process but the not a violent complete moron thing to do would be to ask questions before shooting - namely being sure that they actually are spies or traitors and investigate the claims. For one it could point out peripheral connections down the chain and you know make sure that you aren't getting 'spies lists' of anyone who is close to finding the actual spy.
Granted in that sector it seems that there isn't a scarcity of violent immoral morons even in the west given a love for torture among the CIA. Given the known effects pushing torture is really saying a few things: They want to be able to fool themselves by hearing exactly what they want to hear. They want their foes to fight to the death like a cornered rattlesnake - putting their last breaths in killing as many as possible in the face of insurmountable odds. Finally they want no mercy shown to them if captured.
There are no words for that except evil and stupid - their deaths will not be mourned no matter how horrific because they deserve it and the world will be better off with their passing. I guess that means that the CIA really may be that stupid which isn't a surprise given their real goal with Castro appears to have been to make him as assassination resistant as possible.
Some code never dies
strongbox.gov is needed to protect people with brains from being strong-armed by management without brains:
The saddest part: The "decider" probably got promoted as usual.
>A defense contractor for the CIA named John Reidy claims he warned the agency that it was using insecure communications systems in 2008, and again in 2010 when he started to suspect the channels had been cracked. A year later he was fired by the agency, a move he claims was retaliation for not shutting up.
>“It was a recipe for disaster,” Reidy said. “We had a catastrophic failure on our hands that would ensnare a great many of our sources.”
The person who could actually save the day and prevent the catastrophe gets ignored, marginalized, and/or fired. The people who were involved in the original disastrous decision keep moving up in the organization and usually keep their jobs after the catastrophe. So it's not like these organizations are lacking smart people: their institutional and bureaucratic incompetence just prevents those people from doing their job properly.
I mean, it's obviously serious business to the people taking risks and doing the work on the ground, I'm talking about it actually being useful to the nation.
Very far into positive territory, I'd imagine. Most day-to-day intelligence work probably doesn't have much effect, but every once in awhile they probably get a big win that's so massive that it justifies all the effort.
Like this, France in 1700 wasn't powerful because its king and ministers were geniuses, or its military competent. It was powerful because its agriculture could support 20 million peasants.
Well,... the saying is "Allen Dulles was much of a clown first, politician second, and serviceman the third."
Regarding the US foreign intel service: when something the size and budget of the CIA does recon, something useful will come out of it regardless of how lame their tradecraft is.
This is true throughout the world. America has average spies and Russia has average people trying to catch them.
My comment was that no matter the job, most people are average at the work they do, not exceptional. Not anything about difficulty in getting those jobs.
Whoops, guess you're not as good as a fish.
ELI5 not needed...