It's worth noting that this (reduction in the efficiency of internal communications) is exactly what Assange wanted:
The more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie. This must result in minimization of efficient internal communications mechanisms (an increase in cognitive “secrecy tax”) and consequent system-wide cognitive decline resulting in decreased ability to hold onto power as the environment demands adaption.
That article is enlightening - it changed my take on Assange from "guy who is really good at disseminating classified information" to "guy who is really good at executing a well articulated plan to reduce secrecy in government".
These few lines sum it up nicely:
Because we all basically know that the US state — like all states — is basically doing a lot of basically shady things basically all the time, simply revealing the specific ways they are doing these shady things will not be, in and of itself, a necessarily good thing. In some cases, it may be a bad thing, and in many cases, the provisional good it may do will be limited in scope. The question for an ethical human being — and Assange always emphasizes his ethics — has to be the question of what exposing secrets will actually accomplish, what good it will do, what better state of affairs it will bring about.
That would be a great argument, if eliminating removable thumbdrives and media would in any way impede internal communications. No business communication is done on removable media in these places.
That would never be a good idea for a host of reasons (remember the lost laptop with personal info on it? other than leaking there are lots of reasons this is a bad idea)
This ban prevents the people who work in the government offices from bringing in music CDs and pictures on a thumb drive. Recall Pfc Manning was pretending to play Lady Gaga on a CD when he was burning all this stuff onto disk. That's it. There is no other reason to use removable stuff at work except to leak or bring in files like that.
I'm actually shocked this specific ban took so long. The contractor I work for banned CDs (burned or not) after the Sony rootkit incident, flash or floppy drives have been banned forever.
This assumes that every piece of information being passed back and forth is used to further a conspiracy. Much of it is mundane, albeit necessary.
Sure, it's what he wanted, but that's part of the problem here. The government, like they always do, overreacts to fix the problem, and now even basic security measures could be hampered.
That's not what it assumes at all. Actually, that's pretty much the opposite of what Assange explicitly states, that revealing mundane details has the positive effect of demonstrating how overused secrecy is as a tool of governance.
> But the U.S. military is telling its troops to stop using CDs, DVDs, thumb drives and every other form of removable media — or risk a court martial.
I'm pretty sure anyone stealing the data is already risking a court martial.
If the secret files are really so wide open that they're just counting on people not being able to take them, then there's some much larger problems that they better start addressing.
Also, I have a really hard time believing this one Private in the army could download hundreds of thousands of State department secret communications, then smuggle them out on CDs. Something is very broken if that's true. Either Manning is just a scapegoat, or there's massive security problems with secret information, or both.
> If the secret files are really so wide open that they're just counting on people not being able to take them, then there's some much larger problems that they better start addressing.
It's a hard problem. Before 9/11, "the secret files" were locked down tightly, and every branch of the federal government that kept such files kept almost all of them separately; they were subsequently inaccessible to every other branch. The intelligence and law enforcement agencies came under harsh criticism following 9/11 — since information sharing was so limited, it was very difficult to correlate data and properly address targets and threats. The response was to pool a LOT more data than was previously available in one place on SIPRNet, which is accessible to intelligence agents, the State Department, the various military branches, federal and state law enforcement, and even some non-US allies. The truth is that the only files leaked to Wikileaks were not considered to be particularly important, had the lowest level of classification, and were accessible to (and could be easily shared by) over 3 million people.
The response will unfortunately be to lock down information sharing yet again, increasing the likelihood of intelligence and response failures in the future. Most of the federal government and idiot, grandstanding congressmen made the cable leaks into a much bigger event than it would have otherwise been had they not overreacted and simply "kept calm and carried on", and the US will face the self-inflicted consequences.
Secretary Gates had it right when he noted early on that, "I’ve heard the impact of these releases on our foreign policy described as a meltdown, as a game-changer, and so on. I think those descriptions are fairly significantly overwrought."
I'm pretty sure anyone stealing the data is already risking a court martial.
Anyone stealing the data, yes. I read the article as saying that people using remobvable media for purposes consistent with their jobs will now be subject to court martial.
Example: A machine is normally connected to the network. It is moved to another location and is not connected to the network yet. Someone using a thumb drive to copy a file from a machine on the network to the unconnected machine is breaking the new directive even if the thumb drive never leaves the office or is erased immediately thereafter.
Just an opinion of a paraphrasing of a leaked memo describing a directive...
After various UK government departments lost just about every USB key some new rules were introduced about how they had to be encrypted.
Naturally this was hidden in a procedures manual several 1000 pages long.
But because the procedure dealt with encryption of classified data - the procedures manual saying how it had to be protected was of course secret! And couldn't be issued to the workers.
Based on my experience in these kind of places, the IT procedures are a bit more robust than your average company and your scenario wouldn't really happen.
And not being connected to the network would be the only reason you need removable media. If your computer is not connected to the network, it isn't very useful. Barely anything is stored locally, the risk of someone walking off with the harddrive is too high.
When I worked on Wall Street all of our Desktops literally had the USB ports ripped out. I'm really surprised the military doesn't do something like this...
Extensive proxying? MITM? There's no reason they wouldn't put their own root certificate onto the machines. For most work on Wall Street one probably doesn't even need to be connected to the internet.
AFAIK if someone else controls the machine you are on (or can get certs installed by one way or another) which can be combined with a MITM proxy to get access to the unencrypted content.
However, a lot people use machines they don't control where this kind of approach is perfectly feasible.
I think it's pretty damning to the military that they have such huge issues with their secret data. Relatively pedestrian measures required by standards like PCI-DSS could increase the security of these systems many-fold.
I think this is understating the difficulties, and the underlying issues, the military faces. The problem comes from inherent tensions between two goals: secrecy on the one hand, efficient data dissemination on the other. You can have one or the other, but not both at the same time. So the state of the arts moves back and forth between the two.
Quite a few members of HN work at companies where the only way to get access to source code, and other secure files, are through thin clients. Sometimes virtualized. At least one of those companies _really_ doubled down on security Last December/January of this year as a result of a serious intrusion.
This article fails to draw enough attention to a key item -- these are enhanced restrictions only for the classified systems. The headline reads like a ham-handed overreaction that's going to make it impossible for people to type up their quarterly reviews and leave requests.
I didn't deal with anything classified, but my understanding five years ago was that:
1. Any device that's gets plugged in to a secure system needs to have the red "this contains classified info" sticker on it.
2. Once a device becomes classified, it can never be plugged in to an unclassified system.
It sounds like the actual story is "military reviews, reiterates security policy in the wake of wikileaks scandal."
Bravo to Wired for correctly pluralizing court-martial. In hyphenated terms you add -s to the dominant or defining noun, e.g. gins-and-tonic, Egg McMuffins.
When I was overseas, we had a difficult time trying to transfer secret data between DoS and DoD terminals...I can imagine this is going to make it much more difficult.
Flash drives have always been disallowed because of malware and virus issues, but CD's and DVD's were what we used to move data between non connected systems. This could be a real pain in the ass.
I'd think that all of these problems could be solved by simply logging disks that are removed from secure facilities.
They should combine a flash drive with an RFID tag, the pc would need to make sure the RFID is present to use the flash drive, and if anyone tried to walk out with them they would set off an RFID detector.
Ok so who wants to charge the gov't $65 million+ for that? Throw encryption on it and charge $150 million.
If they needed to use a sneakernet because of a low bandwidth link, it seems like they could eventually migrate to a system with the ability to transfer encrypted copies to removable media. Any other trusted computer on the network could download a key to decode the data, while making the keys unavailable to the end user (at least to the greatest degree possible).
Classified computers are almost always disconnected from the internet. In fact I haven't seen a computer with the combination of internet connection and approval to access classified documents.
So yes, they are low bandwidth. But all of the classified computers are networked together. Recall Pfc Manning pulled the files from a database that he leaked.
The bandwidth between the classified network and the nonclassified network is almost always zero or extremely limited (or might have to go through a person who literally weeds through the files one at a time and could accurately be described as "low bandwidth").
So any time you are circumventing that protection using removable media you are breaking the protocol. Just look at Stuxnet for the reason why other that Wikileaks.
Well, this is the real way to shut down Wikileaks. Don't leak. Wikileaks is poorly named - they are neither a wiki nor do they leak. Wikileaks is to governments as The Sun is to the British Royal Family. If you are doing something unsavoury, you'd better make sure they don't find out.
The military could issue USB storage devices and identity tokens that keep their information internally encrypted and which only work on sirpnet-trusted computers.
Scenario:
Anything copied to the USB device is internally encrypted, offline, with one of the military's public keys. This process requires no network-side authentication, but would require the soldier's "identity key" to also be plugged in and "sign" the contents.
Putting the storage device in a non-trusted computer means the contents are not retrievable.
To decrypt the contents of the device, you have to first authenticate to sirpnet from a trusted computer. It's then and only then that the computer is allowed to unlock the information on the removable drive.
This method is not safe to hardware reverse-engineering, but should be safe enough for operational use.
I've seen that. The first time you see it you're like "what the hell is on the computer". Looks a bit like a mix of hot glue and earwax (at least what I saw).
I notice that did not stop plenty of information about this order to end up in the media within an extremely short time.
Presumably wired citing 'sources' means that some people are still willing to talk to the media about the information they received. Of course, 'hard' proof (actual copies) of stuff tends to be much more damning but you'll never be able to lock up that information carrier called the brain and it will hold plenty of bits of information.
What bugs me is that no government seems to have clued in to the most obvious and totally secure method of cleaning up their act and making sure that nothing worth leaking is done.
Of course they could just tag all authorised USB drives with RFID chips with unique ID codes matching the owners they are assigned to and their clearance levels, and equip their machines and the installations with RFID scanners designed to both detect the RFID and also to verify that the chip matches the drive being used.
If the USB doesn't have the RFID, or it doesn't match the carrier or it has the wrong clearance code or the drive doesn't match the RFID ...alarms, guns, trouble.
On blog talk radio, I heard James Fallows talk about how the State Department is furious at the military for their shoddy security here. According to his sources, State Department systems have much more of the basic protections in place.
Camera's are banned obviously, including on cell phones.
Though if your point is that someone can always leak, that surely is true. There are thousands and thousands of people with the classified information stored in their brains walking around in public all the time, and they choose not to talk about it. Really nothing at all stops them from just blabbering on about it at the bar after work. People are the ultimate security hole.
All this is does is prevent mass dumps like Pfc Manning did (alright, is accused of doing). He didn't read all of those papers he leaked, he just dumped them on a flash drive and walked out.
The more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie. This must result in minimization of efficient internal communications mechanisms (an increase in cognitive “secrecy tax”) and consequent system-wide cognitive decline resulting in decreased ability to hold onto power as the environment demands adaption.
http://zunguzungu.wordpress.com/2010/11/29/julian-assange-an...