US Military Leaks its Secrets Online

athloi writes "Detailed schematics of a military detainee holding facility in southern Iraq, geographical surveys and aerial photographs of two military airfields outside Baghdad and plans for a new fuel farm at Bagram Air Base in Afghanistan are among the items accidentally left online by government agencies and contractors."

Keeping secrets

[Aminion]

And somehow, these people manage to keep secrets about aliens, JFK, weapon programs, etc.? ;)

Is there no way to do better?

[Aaron Isotton]

I find it a bit sad that such things keep on happening all the time (not only to the DOD).

I do realize that, while everyone agrees that "security" is a good thing, it often gets treated lazily for the sake of usability. Even though I think that giving "normal" (i.e. non-system administrator) users the right to just "put things on the server" (likely via FTP or Windows Shares) is just utterly stupid in any context where some sort of security is required. Things will go wrong because people just don't realize (and mostly aren't even interested in) the implications of what they do. I imagine something like this (I have seen that happening too many times):

Alice: Hey, Bob, where's that super secret document we're both working on?
Bob: It's on the SourceSafe (or whatever) server, you can check it out
Alice: Awww, my SourceSafe isn't set up properly and it takes too long. Can you E-Mail it to me?
Bob: Sure! (wants to email the document)
Bob: Darn, the attachments have to be less than 500kbytes, otherwise it won't send it. I'll put it on the W: drive!
Alice: Ok, thanks!

The ideal solution to this kind of problems would be an USABLE operating system with some kind of sensible data flow tracking (e.g. you can't copy a 'classified' file into a 'not classified' folder or upload it to a 'public' server) and which doesn't get in the way all the time.

Example: I worked at a company where we had Lotus Notes internally. Additionally to the other fabulous features (such as speed, stability and an intuitive interface) of that wonderful software it supported sending 'confidential' and 'highly confidential' mail. The result of sending a 'highly confidential' mail was that you couldn't copy/paste from a mail, which was just great when someone sent you a 60 characters long windows share path and you had to type it all into windows explorer. That is what I mean by 'get in the way'.

Is there any (operating) system out there with some sensible, security-aware data flow tracking? Such as 'when you copy something from a classified document into a non-classified document the non-classified one becomes classified'? Or attaching this kind of security information to files or other objects? I know that this is a major topic of research in computer science, but have never seen it in real use.

Re:How egalitarian

[Marxist Hacker 42]

I'll root for the home team the day they get a competent coach who knows something about basic tactics and the proper use of overwhelming force, as well as how to budget properly.

Re:Keeping secrets

[kd5ujz]

They still have some people believing Saddam had WMDs, so I do not see a JFK/Alien/Roswell/Moonwalk cover up out of their reach. :P

Re:How egalitarian

[Elemenope]

Well, the other reason I root for the home team is I am acquainted a few of the players, and sometimes when they lose, they die. I don't want them to die, hence, I want them to win, or at least to stop playing and go home.

Re:Is there no way to do better?

[qzulla]

Is there any (operating) system out there with some sensible, security-aware data flow tracking? Such as 'when you copy something from a classified document into a non-classified document the non-classified one becomes classified'? Or attaching this kind of security information to files or other objects? I know that this is a major topic of research in computer science, but have never seen it in real use.

I work in a class environment. I'll try to answer this.

Why should the OS care? Who is going to build an OS that can determine what is class or not. That is the owner of the datas (data's?) job. The computer does not care. It happily does what it does - manage data. It is not its job to determine what is safe and what is not.

That is for people to determine. In the end it is people who decide what goes where. I like it this way as there is some accountability and a paper (electronic) trail.

So you write an app that determines what is class. Oops! The DB is down/not up to date/hosed by a virus. In other words, you is funked.

Air gap. We have that. Locked ports. We have that. Two man rule. We have that. Can't talk beyond this. Sorry.

My point is technology can only go so far in protecting stuff. The people doing this stuff only need to think of a few words.

VPN. SecureID. One time passwords.

But ftp with no passwords and not even sftp with passwords?

Fire them all.

qz

Re:"accidental" my butt

[Anonymous Coward]

such stuff dont get just "forgotten" - military is not a place that permits human errors to happen frequently

a hahahahah

hahah
hahahahahahhaah

wmahahahahahah

errhhhhh... I needed that :-)

Re:Keeping secrets

[NMerriam]

The world witnessed Saddam use his WMD against the Iranians and Kurds on multiple occasions. This takes the notion that he had WMD out of the "belief" realm and plants it solidly in the "proven fact" category.

We didn't claim to invade for weapons he had in the 1980s (when he was an ally and we were PROVIDING him weapons and technical expertise). We claimed he had WMDs in the year 2003 and was refusing to get rid of them *in 2003*. Please, stop trying to move the goalposts to make yourself feel better about wasting a trillion dollars and thousands of lives.

Re:How egalitarian

[Anonymous Coward]

This is a pretty misleading headline. U.S. Military? These are government contractors, civilians that do not have a clue about IT security and have not even considered what their actions can result in! This really bothers me because for the most part, your military is a cross section of society, coming from all different parts of our culture. When these stupid civilians put lives at risk, possibly mine, I would like to put them on the gate of any compromised base. I bet they would take security much more to heart. Their actions all boil down to a company that wants to make a buck by showing what a great fing job they are doing to fight the war.

As an active duty Marine, I completely agree with your statements on privacy, I appreciate what little privacy I enjoy and your right to privacy is one of the reasons I have served for 20+ years. I do however take issue with your comparing this instance with our current administration and congress and the military. Politicians are the government that you refer to, not those of us on the ground that are carrying out the fight. Most of us hate the politicians worse than any normal citizen, we fight, bleed etc, they get elected or re-elected based on the B.S. they can sell to the American public. There is not one single politician that has any integrity that I know of.

Heck, this administration forced me to not be a republican anymore and I will never be a democrat. They all are liars.

Re:How egalitarian

[Elemenope]

Way to ignore most of the sentence. Let's review:

In framing a government which is to be administered by men over men...

In other words, governments must be composed of human beings...

the great difficulty lies in this: you must first enable the government to control the governed...

Humans without some enforced public order are brutish and generally nasty. The establishment and maintenance of public peace is what the Founding Fathers (tm) meant by 'control', not manipulation, either crass or subtle, of a person's desires and fears, as the term is generally understood today...

...and in the next place oblige it to control itself.

Which is the part you simply ignored. In order for a government to have power enough to, ahem, *govern*, and yet be limited, some *ideals* must be made manifest to rule over the baser instincts of those *men* of which the government is ultimately composed. That is the purpose of a constitution, as a codification of principles that justify the continuity of a government so long as that government remains faithful to those principles. The idea was to establish limits upon the reach of authority by delegating specific powers to government and assuming (and later explicitly stating) that the rest were out of reach.

Governments control people just fine without a constitution. The Constitution's purpose was to delimit and control the Government, as Madison himself indicated in that passage; this was the solution to the second half of the problem that the Federalist papers were written to argue for, that a Constitution was the best way to oblige a government to control itself and yet be capable of governing in a way that the prior system (Art. of Confed.) could not.