US Soldiers Expose Nuclear Weapons Secrets via Flashcard Apps (bellingcat.com)
309 points by cyberlurker on May 28, 2021 | 95 comments



> It is not entirely clear why or how this information became publicly searchable. Quizlet’s website states that all flashcards are set to public visibility by default — users can then change privacy if they choose.

Just a sign of how deeply flawed the base of our thinking about information is these days. Everything is public by default, in part because the warped Google/Facebook worldview has been drilled into us by the likes of Schmidt and Zuckerberg.


Venmo is still the worst example of this I've seen. Putting every financial transaction you make out into a newsfeed, by default.


Although I've never really used it, I always conceptually preferred the Twitter everything-is-public model over the Facebook faux-privacy model. For two reasons:

1. It's more honest. With Facebook, you are given the illusion of sharing information only with your friends, but it's actually ...with your friends, and Facebook, and anyone Facebook chooses to share it with. Cambridge Analytica being the highest profile example. When you tweet, the expectation is that whatever you said is now On The Internet, a matter of permanent record.

2. It opposes the network effect. Twitter doesn't force me to create an account in order to view a tweet. Or, from the other perspective, if I post on Twitter, I'm not requiring anyone who wants to read my stuff to sign up as well. It's closer to a microblogging platform.


The only use-case I've found for which the public newsfeed feature is, in fact, a feature, is gambling pools where not everyone necessarily knows everyone else well enough to have contact info. Keeps the ledger viewable by everyone, keeps everyone honest (they just have to be careful not to mention that it's for gambling, in the memo).

Seeing it used that way was a real "a ha!" moment. I'd love to know what Venmo's activity looks like around the time that people are putting together or paying out office sports brackets and such.


Which is why I always make a junk message of the payment description. "artisanal rat sausage", "home run Derby entry fee", "sausage gravy slurpee", etc.


It's all fun and games, until you're trying to get a mortgage - then you discover the analysts in your bank don't find such messages amusing.


I don't think anyone is looking over $35 venmo payments and denying your mortgage application because you sent someone a payment for "vegan beard & motor oil"


That depends on their mood, really. It's why one of the most commonly given pieces of advice for people planning a mortgage is to stop with stupid transfer titles. Also, the bank has plenty of options to make you miserable, other than outright denying you a loan. They can make it take longer, or give you worse options than you'd get otherwise.


yet


Holy shit. I've never used Venmo, but thanks for the warning.


In your first transaction, you just set it to private so only you and the recipient (and Venmo and whatever gov't agency) can see the memo line. The amount is always private. The setting sticks after that so you don't ever need to change it again.


why would anybody want that to be public?


No fucking clue. Some people like to leave jokey memo lines but I'm glad none of my friends have done something like that outside of the "friends only" option. I just say what it's for or give it a generic name like "money" or "here you go".


It doesn’t seem to be the default anymore on iPhone. Mine was set to private and doesn’t show on the feed. I got Venmo about a year ago.


Every time I log in, I'm in awe that people do not care about these transactions being public. I see people admitting to drug deals, potential cheating, etc. on a regular basis.


Shouldn't we just assume that anything we upload to the cloud could be made public? Either through a hack, an employee, a misconfiguration, etc. If something is sensitive enough that you don't want it public it probably shouldn't be in the cloud, period. Regardless of what the default visibility is.

e: On second thought there probably are exceptions - I'm not worried that something backed up to Backblaze will be leaked, for example. But a random flash card app? I'd assume that info is public. Maybe I'm just paranoid.


I am no security professional, but from what I have read, probably.

This is why it's important for things like password managers, personal documents, etc. to be encrypted client side if backed up or hosted somewhere on another machine that isn't yours.

A good line that I've seen people use on this forum: "the cloud is just somebody else's computer".


I'd still encrypt my B2 upload though, just to be safe. Just because it's a trustworthy service doesn't make it immune to hacks


It would still be a massive breach of protocols to upload it to a limited visibility public website


[Dr Jeffrey Lewis] added that “secrecy about US nuclear weapons deployments in Europe does not exist to protect the weapons from terrorists, but only to protect politicians and military leaders from having to answer tough questions about whether NATO’s nuclear-sharing arrangements still make sense today. This is yet one more warning that these weapons are not secure.”

[Hans Kristensen, director of the Nuclear Information Project at the Federation of American Scientists] added: "There are so many fingerprints that give away where the nuclear weapons are that it serves no military or safety purpose to try to keep it secret. Safety is accomplished by effective security, not secrecy. Granted, there may be specific operational and security details that need to be kept secret, but the presence of nuclear weapons does not. The real purpose of secrecy is to avoid a contentious public debate in countries where nuclear weapons are not popular."


>Safety is accomplished by effective security, not secrecy.

This seems to depend on your threat model. Two threat models were explicitly mentioned here - terrorists, and contentious public debate.

But it seems a third threat model, and the most important one given that nukes are anti-nation-state weapons, is to prevent nation state adversaries from knowing with certainty the location of those nukes. In which case, secrecy is still a necessary component of nuclear safety, or more specifically, deterrent effectiveness.


But they already know, per the quote above.

>"There are so many fingerprints that give away where the nuclear weapons are that it serves no military or safety purpose to try to keep it secret."


I'd imagine it's more of a defense in depth approach. Why do your adversary's work for them? Unsophisticated adversaries (ie. random anti-nuclear agitators) might be dissuaded entirely due to the lack of information, and even sophisticated adversaries would have to take time and effort to verify those fingerprints and make sure they have the right spot. Unless there's a compelling reason to make the information public, I don't see why they would.


>I'd imagine it's more of a defense in depth approach.

Yes exactly. One necessary, but not sufficient, layer of a multi-layer defense-in-depth security strategy.


FAS has a biased agenda. I wouldn't weigh their opinion very heavily. Poorly kept secrets are a problem but not when they are well guarded.


The current location of nuclear armed submarines seems to be one of those secretive cases.


And let's hope it stays that way, because it's the one thing that's keeping the world from going up in flames.

If I were the supreme commander of a nuclear power, I wouldn't even want to know where the enemy subs are. I'd make sure the military isn't trying too hard to find them. That's because A in MAD stands for "assured". Nuke-carrying submarines are often billed as first-strike weapons, but arguably their main role is being a backup - an assurance that, no matter how effective your first strike is, you are going to be glassed in retaliation. So, your submarines check the enemy, enemy submarines check you, and the standoff continues.

If you can credibly threaten to detect enemy nuclear-armed submarines, then the enemy has a strong incentive to launch a first strike immediately, before you've completely neutered their subs.


The flash cards are much worse, but it reminds me of the Strava data leak from military staff: https://www.bbc.com/news/technology-42853072


Fun story - this data leak actually launched me into the middle of a reddit Antarctica conspiracy theory - https://impossiblehq.com/the-antarctica-conspiracy-theory/

Unfortunately, it was just a really long run :)


Where'd you give up / feel disproven?


Joel "started"/was part of the conspiracy theory by running a marathon in Antarctica; he wasn't a conspiracy theorist himself.


> Joel run yon

Nominative determinism


People love this joke (turns out: I actually hate running)


Ah, got it. That's actually hilarious.

Joel, btw, dead/typo'd link top of this list: https://joelrunyon.com/impossible/

Have a good day, everyone!


Got it - will fix!


I have long noticed that Quizlet is a repository for a lot of information that shouldn't be online... from test answers to proprietary line-of-business stuff (ex. retail training materials) to security related stuff (security trainings, emergency response codes). But I would have thought the military would be smart enough not to use it (at all--private or public, it is not in any way designed to handle classified or FOUO data).

For example, this one appears to list a number of installations that hold various critical networking infrastructure as well as the names of various admins. https://quizlet.com/414907821/eiws-study-guide-here-it-is-bo...


I doubt these were official DoD flashcard decks. They were probably created individually by different soldiers/airmen to help them study for some test they had to take.


Yeah, I understand that. But I mean as members of the military who are trained and indoctrinated into OPSEC and information handling practices, I would expect them to have made a better decision.


Hey, at least we didn't find the flashcards for their OPSEC test!


Shit, I was thinking along the same line: for any question regarding the OPSec of those people, please search the relevant flash cards.


One of the flash cards is "Define opsec". I wish I could add an annotation "not uploading your flashcards to a publicly accessible site".


Sites like Quizlet get used routinely to cheat on mandatory military training. Copying/pasting the exact text of a test question into a Google search usually turns up quite a few hits of the answers.

I'm only familiar with this being used for really mundane training, so OPSEC and FOUO[1] info being posted is surprising.

[1]: For Official Use Only, which was recently changed to CUI (Controlled Unclassified Information).


It seems like a lot of them contain largely public info from unclassified manuals, but also have a few base-specific things thrown in that cause the problem.

For example [1] is basically a standard police academy study guide, but it also has the names of which armored car services are allowed entry to post, which parking lots are used for storage of nuclear materials during a Safe Haven event, [2] has real world and exercise countersigns mixed in with non-sensitive form names and acronyms. Another one had a list of duress words (all named after spices), though it says these are changed every six months. A lot of stuff you could guess easily but still identifies weaknesses (ex. school buses can get on base with a district badge, which is nowhere near as hard to copy as a CAC). [3] has the location of a SCIF. Some other ones had room numbers of buildings containing information networking infrastructure (no public map, but googling the building number returned a picture of the facility from the architect's site).

I'm not military, so I'm curious how big of a deal this is relatively? Like is this stuff that a credible attacker could easily find out anyway or is it actually a major weakness?

[1]: https://quizlet.com/411678831/qc-questions-flash-cards/ [2]: https://quizlet.com/347943371/bdoc-flash-cards/ [3]: https://quizlet.com/478059813/iec-qc-flash-cards/


Still a lot of these in Google cache... Passwords etc. can be changed, but the protocols and the information about readiness.. oh boy... absolutely classified. Somewhere in Europe there's a number of junior officers having a very bad day.


"Your rockstar name is your bunker entry codeword + authentication key + base commander's name, send to all your friends!"


Gold-dust 23-kappa-99 Colonel Thompson. Seems a bit long... not sure I like it.


What makes this more egregious is that the Air Force seems to have internal educational apps which can handle sensitive information: https://www.reddit.com/r/AirForce/comments/nmyu7n/us_soldier...


Your link says that the AF does not have an app for this but could because they have a similar one for "aircrew MQF study."

Sounds like a post promoting the idea of having a more general purpose but secure app using the stuff they already built within the AF, rather than saying it is already widely available.


They seem to know that.

I didn't, though. Thanks!


Systems like AKO (Army Knowledge Online) are notoriously terrible.

US compliance systems often favour rote learning over knowledge, hence memorising vast numbers of irrelevant details as a false proxy for competency.


But they're probably terrible. Kind of like how at many places they'll tell you "don't use 1password, use cyberark" - leaving out the fact that what takes 0.25 seconds to do in 1password takes over a minute in cyberark.


This is crazy. How are intelligence agencies, with the amount of money and free reign they have, not monitoring the whole Internet for this kind of stuff?


Because even within intelligence agencies, knowledge is strictly controlled.

To monitor actively, you have to ask for related content. Asking about related content in a context where you have something to keep secret is an implicit acknowledgement there is something there.

It's a trick I've seen used in intelligence gathering contexts quite often. You get close to a researcher and technical expert on classified matters, then ask questions and gauge responses.

Sometimes you don't need an answer, you just need to know you're asking the right questions.

Knowledge of this practice and regular experience doing it will not make you many friends in either the intel or counter-intel dept.

t. Apparently a professional insider threat given all the DoD documentation that describes how I fix places by actually communicating with people and ensuring effective information dissemination through an organization.

Makes interviews awkward. All the periodicals in the waiting room basically explain what I do better than I can.


Many family members have been pressuring me to steer my IT/InfoSec career towards obtaining a security clearance because it is a big salary and job security booster. While I know many US Gov employees have these and do not have to work day-to-day in/on controlled security stuff, they must have had to do it at one point during their career, and I fear that I could not last through such an ordeal. The concept of not being able to collaborate with coworkers due to arbitrary security rules sounds like a disaster.


Aside from the whole grossness of working for the military-industrial complex, there is another issue for those of us who care about rigor: the whole system of clearances in the US relies heavily on the inaccurate and pseudoscientific polygraph test, which does not test or prove any measurable thing.

The interpretations of this pseudoscience can have devastating effects on your career, and not being based on facts or anything truly measurable, you have effectively zero recourse against such destruction, whether willful or otherwise, because it's elevated to the status of "evidence", simply because "the machine said it!"

https://antipolygraph.org/pubs.shtml

What's worse is that the failings of this pseudoscientific nonsense are well known to the USG, and yet this continues for decades to be central to the system of ostensible "trust" in those who keep government secrets. It's abusive. (Imagine if your government health insurance only covered crystal healers.)


If you are already a civil servant without a clearance, getting a clearance decreases job security. It effectively nullifies your civil service protections, and allows you to be fired at will on a security pretext, with absolutely zero recourse. I worked at a navy lab for 21 years and saw this happen to colleagues who displeased their bosses.


It would be easy to crawl for this stuff imo. The technical language used for this stuff is finite and limited. Just grep the internet for phrases from their training materials, and I bet you can catch all of this.
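The two comments above (the one about pasting an exact test question into a search engine, and this one about grepping the internet for phrases from training materials) both describe a detection technique: index the internal material, then look for fragments of it on public pages. Added example, not from the article or any commenter: a small matcher that indexes word shingles of the internal text and scores public pages by how many shingles they share, alongside the exact-phrase check a quoted web search performs. All "internal" and "public" text below is constructed for the demo and comes from no real manual or site.

```python
import re

K = 5  # shingle length in tokens; longer windows mean fewer coincidental matches

def normalise(text):
    """Lower-case and split into alphanumeric tokens, dropping punctuation."""
    return re.findall(r"[a-z0-9]+", text.lower())

def shingles(tokens, k=K):
    """Every k-token window of a token list, as a set of tuples."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def build_index(internal_docs, k=K):
    """Map each k-shingle of the internal material to the document it came from."""
    index = {}
    for name, text in internal_docs.items():
        for sh in shingles(normalise(text), k):
            index.setdefault(sh, name)
    return index

def scan_page(page_text, index, k=K, min_hits=2):
    """Return {internal_doc: shared shingle count} for documents at or over min_hits."""
    hits = {}
    for sh in shingles(normalise(page_text), k):
        doc = index.get(sh)
        if doc is not None:
            hits[doc] = hits.get(doc, 0) + 1
    return {doc: n for doc, n in hits.items() if n >= min_hits}

def exact_phrase_hit(page_text, phrase):
    """What a quoted web search does: verbatim containment, ignoring case and punctuation."""
    return f" {' '.join(normalise(phrase))} " in f" {' '.join(normalise(page_text))} "

# Constructed sample material. Neither the "internal" text nor the "public" pages
# come from any real manual or site; they exist only to exercise the matcher.
INTERNAL_DOCS = {
    "entry-control-guide": (
        "Question: what is the response to a failed badge read at the vehicle gate? "
        "Answer: direct the driver to the inspection lane and notify the shift lead."
    ),
    "radio-procedure": (
        "Question: what does the phrase 'cold chain' mean on the net? "
        "Answer: it is the daily changing code word signalling a loss of escort."
    ),
}

PUBLIC_PAGES = {
    # question and answer pasted verbatim
    "flashcards-set-1": (
        "What is the response to a failed badge read at the vehicle gate? "
        "Direct the driver to the inspection lane and notify the shift lead."
    ),
    # reworded: the question is gone, only the answer survives
    "flashcards-set-2": (
        "'cold chain' on the net: the daily changing code word signalling a loss of escort"
    ),
    # unrelated page sharing a few common words
    "recipe-blog": "Preheat the oven to 200 degrees and direct the batter into the tin.",
}

def find_leaks(public_pages=PUBLIC_PAGES, internal_docs=INTERNAL_DOCS):
    """Scan every public page against the internal index; return only pages with matches."""
    index = build_index(internal_docs)
    leaks = {}
    for url, text in public_pages.items():
        matches = scan_page(text, index)
        if matches:
            leaks[url] = matches
    return leaks

if __name__ == "__main__":
    for url, matches in find_leaks().items():
        print(url, "->", matches)
```

The second flashcard set shows why shingling is worth the extra lines: the question text is gone, so the exact-phrase search that catches cheaters pasting whole questions returns nothing, but the answer still shares six five-word windows with the internal document and is flagged. In a real deployment the public side would be fed by a crawler or search API rather than an inline dict, and the index would be built from a hash of each shingle so the internal text itself never leaves the controlled environment.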


> This is crazy. How are intelligence agencies, with the amount of money and free reign they have, not monitoring the whole Internet for this kind of stuff?

How do you know they aren't? They're probably focused on adversary nations, though.


Isn't free rein for a horse, not a king?


> Some flashcards uncovered during the course of this investigation had been publicly visible online as far back as 2013. Other sets detailed processes that were being learned by users until at least April 2021. It is not known whether secret phrases, protocols or other security practices have been altered since then.

Just gobsmacked by this, honestly.


It took me less than 5m to un-redact the information in this post. I found much more than this post details. Wild.


Yeah, they are redacting in the middle of text in a variable-sized font!
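The two comments above point at a standard redaction failure: a box drawn over text set in a proportional font has a width equal to the sum of the hidden glyph advances, so anyone with a candidate wordlist can keep only the words that fit. Added illustration, not from the article or any commenter, with constructed glyph widths and a constructed wordlist (these are not real font metrics). The practitioner takeaway it motivates: remove the text before rendering, or replace it with a fixed-width placeholder, rather than overlaying a box on a rendered run of glyphs.

```python
import string

# Constructed glyph advance widths in 1/1000 em for a hypothetical proportional
# font. These are NOT real metrics of any font; they only need to be uneven.
_NARROW = {"i": 222, "j": 222, "l": 222, "f": 278, "t": 278, "r": 333, "s": 500}
_WIDE = {"m": 833, "w": 722}
PROPORTIONAL = {c: _NARROW.get(c, _WIDE.get(c, 556)) for c in string.ascii_lowercase}
MONOSPACE = {c: 600 for c in string.ascii_lowercase}

# Constructed wordlist: the attacker's guess at what could fill the redacted slot.
WORDS = ["silver", "yellow", "purple", "orange", "violet", "indigo",
         "maroon", "cobalt", "copper", "bronze", "salmon", "ginger"]

def rendered_width(word, metrics):
    """Width of `word` in font units: the sum of its glyph advances (kerning ignored)."""
    return sum(metrics[c] for c in word)

def to_pixels(units, point_size):
    """Font units to whole pixels, assuming 72 dpi so 1 pt = 1 px."""
    return round(units * point_size / 1000)

def candidates(box_width_px, metrics, wordlist, point_size, tol_px=0):
    """Every word whose rendered width lands within tol_px of the redaction box."""
    return sorted(w for w in wordlist
                  if abs(to_pixels(rendered_width(w, metrics), point_size) - box_width_px) <= tol_px)

def redact_and_recover(word, metrics, wordlist=WORDS, point_size=48, tol_px=0):
    """Simulate a redactor drawing a box exactly as wide as `word`, then ask what fits.
    The redactor leaks nothing but the box width; that width is the whole side channel."""
    box = to_pixels(rendered_width(word, metrics), point_size)
    return candidates(box, metrics, wordlist, point_size, tol_px)

if __name__ == "__main__":
    for word in ("maroon", "orange", "silver"):
        print(f"{word:7} proportional -> {redact_and_recover(word, PROPORTIONAL)}")
        print(f"{word:7} monospace    -> {redact_and_recover(word, MONOSPACE)}")
    # smaller text plus a sloppy measurement widens the candidate set, but rarely to "everything"
    print("indigo @12pt, ±1px ->", redact_and_recover("indigo", PROPORTIONAL, point_size=12, tol_px=1))
```

With the proportional metrics some words are identified outright ("maroon" is the only six-letter word in the list that wide), others collapse to two or three candidates; with monospace metrics every same-length word fits and the box reveals nothing beyond the character count. Dropping the point size and allowing a pixel of measurement error grows the candidate set, which is why the attack works best against large headings and worst against small body text, but it still prunes most of the list.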


This speaks to a wider trend where tons of local software, especially mobile, is now assuming always-on network and syncing, transmitting data, demanding account creation/PII, and spying on your usage and memory contents (uploading crash dumps, system information, etc.).

Very little software these days simply just runs locally and does the thing it's supposed to do on your own device without transmitting your private information to a datacenter (usually owned by a giant US corporation). This is a problem for all of society (especially those companies and users outside of the US), not just runners on secret bases or students in missile sites.


This is actually hilarious, alongside shocking and scary. But the hilarious part is the cool info you can get by launching benign apps. Hey our flashcard app got popular check out these nuclear weapons secrets people posted on it!

When I was dabbling in apps and mobile apps, I encountered several unintended benefits of the data I collected which had nothing to do with my original purpose or vision. This reminds me of that.


Once had a conversation with a soldier who handled IT on base. He told me that officers could and did demand that he bypass security, VPNs, etc and install software of their choice to use it on their computers. They outrank him, and "that's against policy" was not an argument. This was maybe ten years ago. Sounds like things have only got worse.


Sad that it works like this.

As an engineer, I got some training by legal, followed up by a high level exec explaining to us that in this context, we report only to legal and are required to say "no" to engineering leadership when something would go against legal's policies.

Also I think the military has something similar with medical officers.

So it could be done right.


I wonder who would be held responsible in case of security breaches. The IT soldier? The soldier who outranked him? Both?


> Two flashcards from the same set contain the squadron name “701 MUNSS”, and a phrase to make someone surrender weapons in Flemish, revealing that the security details in it apply to Kleine Brogel air base, Belgium.

The phrase is "Halt politie, leg uw wapens neer! Handen op."

There is no part of this sentence that would be unique to Flanders. In fact, "Handen op" is something I would expect to hear from Dutch people and never from Belgians, in Belgium it would be "Handen omhoog", but both ways the sentence is correct and would be perfectly understood in both countries.

I'd also expect that the small inconsequential and intricate differences between the way Dutch is spoken in Belgium compared to the Netherlands are not taken into account in this context - they probably use the same for both countries, which would make sense considering it's already difficult enough. I think Bellingcat is emBellishing.


Dutch person here: it’s also “handen omhoog” in Dutch. This is probably a word for word translation of “hands up”.


Do soldiers get regular training in IT security? I assume there’s more rigorous security training for those who handle more sensitive information.

Were soldiers sharing flash cards or were they unknowingly posted online? The selling point for some flash card apps is lots of preexisting cards to study with and presumably app users are the ones creating them. That should hint that they’re stored online.

It would be great if app stores noted network access requirements. Does an app operate standalone? Is Internet access required just for ads or also for functionality? Where is app data stored? On your phone, in personal cloud storage, in a shared storage service just for users of this app or shared to the general public?

While Apple’s app store mentions none of this, there is a link to the privacy policy for each app. I’m not familiar with Google’s app store.

I wish browser extension repositories also provided network access requirements for each add-on.


Some of these still seem available via Google's cache[0] (both now deleted).

[0] https://webcache.googleusercontent.com/search?q=cache:85ved4...

[1] https://webcache.googleusercontent.com/search?q=cache:fNJwlH...


Bellingcat has pretty thoroughly censored this information they found on a public website.

Yet they don't do the same when investigating Russia - tables of private data were revealed there, together with details of military vehicles.

Makes you think about Bellingcat's motives.


I wonder if schools still teach kids that they can make flashcards with a marker and some cardstock, without using any software at all. Or have schools all gone 'paperless' with ipads and chromebooks?


The reason people like flashcard apps is not simply because they don't want to write with pen and paper, it is 1) they like spaced-repetition algorithms and 2) if you have a set consisting of many hundreds of cards (common in language learning) it is much more convenient to carry one phone around than that pocket-bursting stack of cardstock.


The act of writing the cards is part of the learning process. Every time I make a stack, I end up knowing half of it before I even start 'using' it. With software cards, this doesn't work so well. And you can always put the stack into your purse or backpack if your pockets are small. I'm sure soldiers have somewhere they can put a stack of cards.


Again, you don’t understand the value some people find in spaced-repetition algorithms. For example, in language-learning decks involving hundreds of cards, writing the cards may lead you to remember the word on a short-term basis, but you are likely to soon forget it. A flashcard app using spaced repetition will ensure that you see that card at the right intervals so that you can retain it until you definitively internalize the word from seeing it used in context in texts.


> you don’t understand

Understanding an argument and agreeing with it are not the same thing. I understand the premise and argument for spaced-repetition algorithms, but I do not agree that these algorithms provide a meaningful advantage over paper cards when you consider that paper cards must be written. The act of handwriting cards is an advantage paper cards have over software cards, which I believe more than offsets any algorithmic advantage the software cards have.


I use electronic SRS flashcard stuff, and I hand write the material onto scrap paper when I first encounter it. I don't have to worry about keeping it neat/legible, I still get the physical connection, and it doesn't take up any space after I've written it.


Nit-pick: It's the US Air Force that guards nuclear weapons, not the Army. So, it's not "soldiers" involved but rather "airmen".

These service members are clearly real chuckleheads though.


Is it difficult knowing which buildings are 'hot'?

Surely a gamma ray detector pointed at the building long enough will detect signs of radioactive substances inside, even if well shielded.


It sounds like a bad idea to keep nuclear bombs in the Netherlands. A small country that produces and exports a lot of food without much usable land.


Fuck some people are dumb! And they have access to nukes too.

Heaven help us.


Conspiracy theory time:

Maybe a bad US actor deliberately leaked the information, but in a way that makes it look accidental.

Or maybe the ex-President already leaked it in a private meeting, so it doesn't matter.


A piece of data more interesting than anything in the article are service numbers of soldiers there.

USSR spooks have for decades been deducing troop numbers and rotation schedules on NATO bases based on patterns in service numbers.

Not much changed since it seems.

Though, same was done for Russian troops in Crimea.


I'm as suspicious of USA military as any other thinking human, but let's consider TFA's source. "bellingcat" is a CIA-sponsored limited-hangout sock puppet, run by video-game enthusiasts, and that's all it has ever been. There is no reason to assume that any particular point in TFA, or TFA taken as a whole, is particularly true.


If you don't have clearance, you could verify this yourself. The info is still in search engine caches. If you do have clearance, then don't go about searching for classified info.


Occasionally salting in some verifiable bits is the "limited hangout" part. As TFA concedes, everyone who cared knew where these were already. Perhaps such people had mistakenly assumed that security was effective. At this time, there's no telling why the choice was made to disabuse the public of that notion, but that choice was not made within the bellingcat organization.


>"bellingcat" is a CIA-sponsored limited-hangout sock puppet, run by video-game enthusiasts, and that's all it has ever been.

Any links or sources for this?


They are very open about being funded by CIA cut outs like the National Endowment for Democracy [1]. If you're not familiar with the NED then you should read William Blum's description of them [2]. Radio War Nerd recently did an excellent two part series on the NED and spent a good amount of time talking about Bellingcat, too. [3]

And as to them being a "limited hangout sock puppet" you're of course not going to find any source on this - because it's not known for certain - but in my opinion they are most likely something akin to that. They frequently get leaked information from US/UK intelligence organizations and they launder stories for CIA/MI6. They might not know they are a limited hangout sock puppet for western intelligence but they certainly function as such. A good example is their actions around the OPCW leaks and claims of chemical weapons in Douma, Syria [4]. A lot of these stories unfold on Twitter so you'll have to search around.

You can also search on HN - there's comments from many years past calling out Bellingcat as a front for western intelligence.

[1] https://twitter.com/search?q=from%3AEliotHiggins%20ned

[2] https://williamblum.org/chapters/rogue-state/trojan-horse-th...

[3] https://podcastaddict.com/episode/121232504

[4] https://thegrayzone.com/2021/03/24/author-bellingcat-opcw-wh...


Huh, is that "Radio War Nerd" aka War Nerd aka Gary Brecher aka John Carroll Dolan? I used to read his stuff all the time in the early aughties. It seemed like he was the one other person in the world who liked explosions and wasn't also taking crazy pills (i.e., literally the rest of the media corps).

Dolan came up with Matt Taibbi and Mark Ames in the eXile ( Moscow in the 1990s! Wow!) then did his own thing. Ames wrote `В Россию с любовью` sometime in the aughts. Taibbi we all know.

They're all still best buddies; who knows what kind of crazy stuff they got up to in 90s Moscow. Funny stuff.


Thanks for the details. I'll do some more digging.

Also, why do you think a CIA-affiliated site would do a write-up on this? Seems like it makes soldiers and their secure info look bad.


With USA military and unsupervised services, the primary goal is spending money. They DGAF about security of nuclear weapons in Europe. Those in charge don't even take any particular pride in their supposed "mission". This story could be helpful if someone in Congress were balking at a costly new IT project. Or it could be something else. From some sources, the signal-to-noise ratio is infinitesimal.


Situation is pretty dire, seems like you need someone to save the day.


Russia says so, it must be true.

If it is true, the CIA doesn't much like Israel's habits in Palestine.


The American military are just humans like anyone else.



