[ExI] Wikileaks

BillK pharos at gmail.com
Sat Dec 11 10:07:25 UTC 2010


On 12/9/10, Eugen Leitl wrote:
> On Thu, Dec 09, 2010 at 02:44:40PM +0000, BillK wrote:
>
>> The problem is that in the internet age security is actually a very
>> hard problem.
>
> The Internet has nothing to do with it.
>


You would need a very big briefcase to get hundreds of thousands of
documents into before networked computers, CDs and thumb drives
appeared.



>
>> <https://secure.wikimedia.org/wikipedia/en/wiki/SIPRNet>
>> Quote:
>> A 1993 GAO report estimated more than 3 million US military and
>> civilian personnel had clearance, and access is also available to a
>> "...small pool of trusted allies, including Australia, Canada, the
>> United Kingdom and New Zealand...".
>> -------
>>
>> So, try and secure that!   Not only US computers, but allies' computers as
>> well.
>
> Typically you compartmentalize by need to know basis. You can use
> smart tokens for authentication and serve information keyed to said
> token, and use secure terminals in secure location. It is also
> easy to log access, lock out on recognized access patterns, introduce
> watermarks to each analyst account. Just because it has not been
> done in this case it doesn't mean it can't be done.


That's fine for small, tightly controlled networks.
We're talking about millions of computers under the control of
thousands of different organisations.



>
>> The big problem with role-based security is that staff roles change
>> all the time. And it is difficult to decide what level the 'need to
>
> If you don't revoke access when the role changed then you know what
> you're doing wrong (or right) already.
>


Nowadays most people don't have one strict role. They do work for
several bosses and departments.  Security admin gets to be a real pain
sometimes.


>> know' stops at. So most organisations give people more clearance than
>> they need, 'just in case'.
>
> Spooks are not most organisations.
>


Spooks are a small part of the US government networks. And even they
are complaining about (or just ignoring) the latest controls (see
below).


>> Staff regard security as an obstacle to doing their job and quickly
>> find ways to bypass security measures that get in their way.
>
> You know what to do with such staff.
>


Yea, I'd love to be a ruthless dictator as well.


<http://www.wired.com/dangerroom/2010/12/military-bans-disks-threatens-courts-martials-to-stop-new-leaks/>

Quote:
Maj. Gen. Richard Webber, commander of Air Force Network Operations,
issued the Dec. 3 “Cyber Control Order” — obtained by Danger Room —
which directs airmen to “immediately cease use of removable media on
all systems, servers, and stand alone machines residing on SIPRNET,”
the Defense Department’s secret network. Similar directives have gone
out to the military’s other branches.

An August internal review suggested that the Pentagon disable all
classified computers’ ability to write to removable media. About 60
percent of military machines are now connected to a Host Based
Security System, which looks for anomalous behavior. And now there’s
this disk-banning order.

The order acknowledges that the ban will make life trickier for some troops.

“Users will experience difficulty with transferring data for
operational needs which could impede timeliness on mission execution,”
the document admits.
-----------


It could get tricky if these security measures cause mission execution problems.
People could be dying while the data is kept secure.

Security is always a trade-off.

And, of course, in the end the US military can only secure its own
computers, which is only part of SIPRNet.


BillK
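
An added example, not part of the original thread and not taken from any real system, of three controls named in the quoted reply above: serving documents keyed to a token's need-to-know compartments, logging every request, and locking an account out on a bulk-access pattern. The token names, compartments, thresholds and log lines are all constructed assumptions.

```python
from collections import defaultdict, deque

# All names, thresholds and log lines below are constructed for illustration.
NEED_TO_KNOW = {                      # token -> compartments it may read
    "analyst-a": {"iraq"},
    "analyst-b": {"iraq", "afghanistan"},
}
WINDOW_SECONDS = 3600                 # assumed sliding window
MAX_DOCS_PER_WINDOW = 5               # assumed ceiling on distinct documents

# Constructed access log: (epoch seconds, token, compartment, document id)
SAMPLE_LOG = [
    (1000, "analyst-a", "iraq", "doc-001"),
    (1600, "analyst-a", "afghanistan", "doc-900"),   # outside need-to-know
    (5000, "analyst-a", "iraq", "doc-002"),
] + [(2000 + 10 * i, "analyst-b", "afghanistan", f"doc-{100 + i}")
     for i in range(7)]                              # 7 documents in 60 s


def review_access(log, policy=NEED_TO_KNOW, window=WINDOW_SECONDS,
                  limit=MAX_DOCS_PER_WINDOW):
    """Replay the log; return (decisions, locked).

    decisions: list of (ts, token, doc, verdict); locked: token -> reason.
    """
    recent = defaultdict(deque)       # token -> (ts, doc) requested in window
    locked, decisions = {}, []
    for ts, token, compartment, doc in sorted(log):
        if token in locked:
            verdict = "DENY:locked"
        elif compartment not in policy.get(token, set()):
            verdict = "DENY:need-to-know"
        else:
            seen = recent[token]
            seen.append((ts, doc))
            while seen[0][0] <= ts - window:      # expire old entries
                seen.popleft()
            if len({d for _, d in seen}) > limit:
                locked[token] = f"bulk-access at {ts}"
                verdict = "DENY:locked"
            else:
                verdict = "ALLOW"
        decisions.append((ts, token, doc, verdict))
    return decisions, locked


if __name__ == "__main__":
    for row in review_access(SAMPLE_LOG)[0]:
        print(*row)
```

The decisions list doubles as the audit log: denied requests are recorded alongside allowed ones, so a lockout can be reviewed afterwards.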



