
Yes, no argument here. I wrote "hack" as a shorthand because I was typing via mobile and was lazy this morning :).

edit: (I mean I agree with the background facts you've stated, but I think it is still a "hack" based on other related facts, and it's my fault for not elaborating in the parent comment)

In any case, I was just pointing out that the military's information infrastructure is not bulletproof, so to speak. This applies to public-facing websites and, in Manning's case, to secure access protocols (for example, in what other organization would unmonitored, unchecked access to critical files be given to someone barely older than a college senior?).

But I do think that this was a "hack", if an unsophisticated one. He may have had authorized access to those files, but he did not have authorization to transfer those files over the "air gap". Here's how he described his exploits to Adrian Lamo in chat logs:

http://en.wikipedia.org/wiki/Bradley_Manning#Diplomatic_cabl...

...lets just say *someone* i know intimately well, has been penetrating US classified networks, mining data like the ones described ... and been transferring that data from the classified networks over the “air gap” onto a commercial network computer ... sorting the data, compressing it, encrypting it, and uploading it to a crazy white haired aussie who can't seem to stay in one country very long =L [...]

(02:12:23 PM) bradass87: so ... it was a massive data spillage ... facilitated by numerous factors ... both physically, technically, and culturally

(02:13:02 PM) bradass87: perfect example of how not to do INFOSEC

(02:14:21 PM) bradass87: listened and lip-synced to Lady Gaga's Telephone while exfiltratrating [sic] possibly the largest data spillage in american history [...]

(02:17:56 PM) bradass87: weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis ... a perfect storm [...]

-----

Yes, this "hack" of Manning's required little more than a USB drive, perhaps, but that was my original point: parts of the military system are relatively untested, allowing such critical oversights... so a SQL vulnerability in a public-facing military website is not a huge surprise.




Well, he would have had technical authorization to transfer files to a CD (I've burned classified CDs myself). It's hard to prepare a classified briefing for your chain-of-command without a way to get the files onto the air-gapped presentation computer without network access, and there are known security issues relating to USB thumb drives, so it would make perfect technical sense to require CD drives be used. You just have to label it properly, handle it properly, etc.

You could argue that the system could have technical measures in place to see that the CD-R was being filled, used repeatedly in a short period of time, etc., but that could be worked around too.

He's exactly right that trusting an insider is a perfect example of how not to do INFOSEC, but that was a risk the military judged was of lower danger than the risk associated with artificial constraints on the ability of the military and government to cooperate on anti-terrorism.

Pretty much any measure the gov't and military put in place in this area to protect against the future Mannings of the world will at least slightly inhibit their ability to detect and prevent future terrorist strikes; I guess we'll have to see what they've chosen to do. :-/



