Fresh Security Breaches At Los Alamos 127
WrongSizeGlass writes "MSNBC is carrying Newsweek reporting on two new security breaches at Los Alamos. Both of these latest incidents were 'human error' on the part of employees. In one, an e-mail containing classified material was sent over the open Internet rather than through the secure defense network. In the other incident, an employee took his lab laptop on vacation to Ireland, where it was stolen out of his hotel room. The machine reportedly contained government documents of a sensitive nature."
Human element is the greatest danger (Score:5, Informative)
In the information security profession, several classes of threats to security, including physical security, are enumerated. However, the most significant threat of all, and one that can subvert even the best-laid plans for security, is the threat from human action. This threat is unavoidable, as humans are necessarily an integral component of any operation an organization may wish to secure.
The human threat can take the form of threats internal to an organization, and each of those threats can be intentional or accidental. Because of the access an internal person may have to sensitive areas or information, the threat from the actions of internal person are often rightfully considered the most severe. An internal person may also unwittingly act in concert with an external person who is a threat to the organization as well.
A recent example of such a failure of physical security occurred when a 31-year-old man attempted to enter the United States from Canada at the border crossing in Champlain, NY, on May 24, 2007. Upon presenting identification, the Customs and Border Protection agent handling the man's entry received a computer alert. The alert warned that agents should immediately don protective clothing and detain the individual, notifying the originating authority.
The next steps seem obvious: the man is detained, and border agents run the message up the notification chain, CDC eventually learns that the man in question has been located, and appropriate action is taken. The system works.
What happens instead is that the man is allowed to enter the United States with no further questions, and is at the border crossing for a total of less than two minutes. The agent later says he thought the warning was discretionary, that the man "seemed fine", and therefore let him proceed. Every part of the system worked: the CDC was able to properly place the man on appropriate watchlists, his passport was properly flagged upon entry, and relevant information was presented to the processing agent.
Every part, that is, except the human part.
The man in question is Andrew Speaker, an Atlanta lawyer who traveled with his fianceé to Europe for his wedding and honeymoon. While in Europe, he subsequently learned that further testing revealed that he was infected with Extensively Drug Resistant Tuberculosis, or XDR TB, a form of tuberculosis resistant to a wide variety of antibiotics and treatments, and which can have a 70% mortality rate. The CDC and health authorities did all they could to attempt to restrict his further travel, and thus protect the public at large. Speaker sidestepped No-Fly and other watchlists by flying to Prague, then to Montreal, and then driving to the United States.
The Department of Homeland Security has placed the agent, whom it has not identified, on leave while it reviews the incident, and related processes and policies. When a human charged with the ultimate protective responsibility errs, no amount of technology can solve that problem. What if this had been a man identified as on the way to the United States to intentionally spread an infectious agent? The frustrating element here is that all of the underlying information and identification systems were working - which is itself encouraging - but the individual
Re:Human element is the greatest danger (Score:5, Interesting)
Sounds to me that his actions were completely intentional, that he was not at all concerned about the health of others, that he wanted to fulfill his desires regardless of how it might affect others.
I wonder if there are charges that could be brought up against him.
In any case, you make a very good point about the human factor in security.
Re: (Score:1)
Sounds to me that his actions were completely intentional, that he was not at all concerned about the health of others, that he wanted to fulfill his desires regardless of how it might affect others.
I'm sorry, did you miss the part that said he is a lawyer?
FTGP:
The man in question is Andrew Speaker, an Atlanta lawyer who traveled with his fianceé to Europe for his wedding and honeymoon.
I guess they can't all be decent, hot dog loving [imdb.com] citizens, can they?
Re: (Score:1)
That would be a very heroic thing to do, and I doubt that most of us would even venture into doin
Re: (Score:2)
Heroic? Since when is doing a right thing, like not putting others in mortal danger, heroic? If that were the case, then not driving my car 50 mph over the speed limit would also be heroic.
What you describe as normal is also selfish and wrong.
Re: (Score:2)
1 check into his local hospital
2 get secure transport to %hospital IN PROPER HAZMAT
3 get cured
4 PROFIT!!
Re: (Score:2)
Of course they were intentional. You don't accidentally pack a laptop. Well, I guess you could, but it would be difficult. He did not intend for it to be stolen and if you can't have a reasonable expectation that your stuff will NOT be stolen then we have a much larger problem to address.
So many brilliant absent
Re: (Score:2)
Sorry about that. Although I thought essentially the same thing about the laptop loser, I meant the TB infected knob mentioned in my parent post.
And, the parent post actually calmed my thoughts about the laptop in that the goof had permission to take it out of the country. I think we might have a bit of sensational reporting going on here meant to stir you and I up about something that could happen but didn't.
Re: (Score:2)
I'm not much fun at parties. A benefit to seeing things in a very literal sense is blissful oblivity when someone's trying to trip a bug I just don't really suffer from, empathy. I have a sense of empathy, but its not so .. dilluted by the time
Re: (Score:2)
You don't read any news outside of Slashdot, do you?
The man's went to check with its GP to know if he could travel, and was cleared to go.
Next time you go and accuse people of wrongdoing or just want to troll around, check your facts.
Oh..I forgot, we're on Slashdot. Nevermind then.
Re: (Score:2)
You should read the parent I was responding to. It has the context of my remarks, which were not about the laptop fellow.
Re: (Score:2)
Re: (Score:2)
Wasn't that his future father(-in-law) who told him that?
Ultimately, he sent up flags at the border when entering the country and he seems to have entered the country in a roundabout way so as to minimize the scrutiny of the government/CDC. If that is actually the case, why would he do that if he was so confident that he was not a threat to others?
Re:Human element is the greatest danger (Score:5, Insightful)
Re:Human element is the greatest danger (Score:5, Insightful)
Warnings on a passport to detain, immediately don protective gear, and notify DHS and CDC?
Not many.
That's why the agent's handling of this is such a big problem. And it represents another aspect of human failure in security.
Your point about false alarms is a valid one; this just isn't one of those examples.
And for anyone who is thinking about No-Fly lists or watchlists possibly falling into the "too many false alarms" category, they don't. When a name is on a watchlist, more detailed information about the person (e.g. DOB, addresses, etc.) is passed up the chain to any number of originating entities or authoritative sources. If that is the target, instructions for handling are passed back. If it isn't, the person is cleared. The reason why it's done this way is for a variety of reasons, not the least of which is so that people at airline ticket counters or fronline TSA staff don't have access to classified or private personal information (beyond what is volunteered or required to be given by the passenger) when processing passengers, to say nothing of the enormous technical complexities involved. That's why you hear stories about people not being able to "get off" watchlists. It's not "them" that's on the watchlist; it's someone who shares that - or a similar - name. That's why people who aren't actually wanted for anything whose names are on "watchlists" are always allowed to fly after the check. Persons in such situations who are frequent travelers are also able to get special documentation to solve this problem. But "they" can't "get off" the watchlist, because it's someone else who is on it, and that's what the detailed checking process confirms. Yes, it's a very, very imperfect system, but identification has always been a cornerstone principle in law for recorded history. We're using the best balance of technologies and privacy we have - really - to attempt to identify persons who should not be allowed to enter the US, fly, etc.
Re: (Score:2)
If the border agent gets lots of false alarms from other watchlists, then he's not going to read any of them carefully, and he's not going to trust them.
Are the alarms he gets rated on a simple severity scale (e.g. 1 to 10)? How many alarms does the agent get that received the same rating or higher as this one did?
Re: (Score:2)
It sounds great and all that all these protocols and information are available. But I doubt that a security guard who only gets a warning once in a while would ignore "wear protective gear and detain."
The Watch Lists are probably causing this problem. They need a name and a detailed discription of the suspect. So that "John Doe" doesn't get stopped. Too much detailed information on everyone is wrong, but too little information about a s
You say Usama I say Osama... (Score:2)
The problem is that many terrorists don't come from western countries, they don't even have the Latin alphabet at home. Passports are supposed to have names in Latin which are used for comparison but there are multiple possible mappings between say Arabic or Cyrillic and Latin. Dates of birth can also be ambiguous. Believe me, I worked on the problem of identifying people on watch lists for banks. Not only do names and dobs present problems but even the watch lists from say the US and the EU show discrepanc
Re: (Score:2)
His job is to observe the warnings and follow protocol. The fact that he could not see his way through to doing this implies that he should be terminated, and hopefully, held responsible for his negligence.
If you don't want to do the job, don't take the paycheck.
Re: (Score:2)
Good at reducing complaints about the system, at least. Maybe not good at keeping intelligent employees.
Re: (Score:2)
You have committed the logical fallacy of "attacking a straw man" - I didn't say that they shouldn't report false positives, but that they should follow protocol. Not following protocol is how you get fired.
Usually, reporting problems with the equipment falls under "protocol".
Please do not attempt to make me loo
Re: (Score:2)
Try this: take a few words you type every day out of your spell checker's dictionary, so that every time you type them they
Perceived status as an issue (Score:5, Interesting)
In the UK, a large number of intelligence protection failures have occurred basically because of the perceived status of the perpetrators. (the best known cases being Philby, Blunt, MacLean and Burgess, all of whom were fairly upper class members of the Intelligence services.) In his fictional books based on composites of the Philby-Burgess case (A Perfect Spy and Tinker,Tailor,Soldier,Spy), John le Carré (who was in a position to know) suggested that the Intelligence services suspected or half knew that they had traitors in their midst all along, but were inhibited from acting against fellow members of the upper classes and their own community.
It would be very interesting indeed to know how far this culture extends into research establishments. It would be expected to be quite pervasive because of the esprit de corps among any professional group.
Of course, perhaps the real answer is that scientists and engineers, by their nature, are the worst people to be allowed to work on secret weapons systems because it contravenes their tendency to want to cooperate, share knowledge and see their own work published. Let's replace them all with Fortune 500 CEOs. That should result in a real peace dividend.
Re: (Score:2, Interesting)
Re: (Score:2, Funny)
"The good news is that you'll make your flight on time. The bad news is that you have an enlarged prostate gland."
Re: (Score:2)
Fortune 500 CEOs (Score:1)
We could make a 'great' start by putting Haliburton on the list.
I would be worried that they might outsource the research to China though. That might caus
Re: (Score:1)
How does the user control email? (Score:5, Insightful)
I'd think, like virtually every other email system in the world, that users would have their MUA configured to send outbound email via a single mail server, where all further routing is under administrative control. Do they allow connections to that server from outside?
I could understand the issue, if it was someone sending to an external, insecure email address. But the summary, article, and now you all say the problem is with which network the email was routed over. The other possibility is they were off-site, and didn't have a secure VPN connection running - buy why would a secure system not force SSL email connections? Or is sending even over VPN/SSL not considered secure?
It's just not clear how the user has the control implied here.
(or is it that they're allowed to have personal email accounts on their machines, and that's where the email was sent from?)
Re: (Score:3, Informative)
No. They just send classified information from an unclassified workstation and an unclassified email address, almost like any person would send email in any workplace. That's why some public areas have big signs that say DO NOT DISCUSS CLASSIFIED INFORMATION or watch officers answer phones with, "Good evening, Lt So-and-so speaking, this line is not secure. May
That's quite different... (Score:2)
It seems to me that just as serious as how the email is being routed, perhaps more so, is how classified material got on the unclassified workstation in the first place (you mentioned one possibility), and why is that not also being reported as a violation. (i.e. why focus on the email aspect, that's just a result - the
Re: (Score:2)
And that also doesn't stop someone from simply manually typing an email message whose substance contains classified information. Not all classified information comes in the form of a document that will be an attachment...it could be just as simple as discussing a classified project or something similar, and then the recipient reporting the "breach". Without more information about what h
Re: (Score:1, Informative)
None of these technical considerations have anything to do with it. Classified and unclassified computing are totally disconnected. The only way classified info unintentionally gets sent on an unclassified network is if the user manually
Re: (Score:1)
The incident is reported to be perpetrated by high level management at LANL.
High level managers get to take classified laptops with them wherever they go, probably.
For your daily dose of Lab cynicism, be sure to read The LANL Blog [blogspot.com].
Article is Crap. here's actual press release (Score:3, Interesting)
That must be a "sensitive" document... (Score:2)
Link moved. (Score:2)
Re: (Score:2)
Excuse me. Back when I was doing gubmint (DOD) work, connecting a machine with classified data stored on it to an unclassified network with unmonitored connections to the outside world would have gotten you ten years and/or $10000. Appa
Re:Human element is the greatest danger (Score:4, Insightful)
But nothing stops someone from typing up an email that contains classified information and sending it from their unclass account, inadvertently or otherwise. It's not like they magically need to be on JWICS to send top secret information. That's why we segregate the networks, yes - to attempt to prevent this from a technical standpoint as much as possible.
Also, there are ways to migrate information between networks, and those can be abused or used inappropriately. There are a lot of ways this accident might occur, and it probably happens more than we'd like.
Re: (Score:2)
There is a fairly good argument that that work should not be done at LANL, but as long as it is, they need realtively accessable public communication. Another consideration is that for some non-classified research, the govt. also wants the ability to classify parts
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
What happened here was plain human error (stupidity). I've had users ask if it's OK to take work laptops to Canada. Hello, they're still a 'foreign country'. Just because they speak English and have decent beer doesn't change that. There is a security mind set that some people just don't get. They try to re
interesting but a bit technically inaccurate... (Score:2)
...In the email instance, anyone can at any time send classified information over an unclassified network. It is up to the user to not do this. Granted, there are various technical and other procedures that can help prevent this, but it can never be completely avoided. These incidents seem rather tame, but since Los Alamos is under the microscope, every such incident will be greatly scrutinized - and sometimes blown out of proportion.
It's not possible to inadvertently email classified information off the DoD classified network - the classified network isn't connected to the internet for this reason ;-)
The user would had to have moved the data off the secure network to send it over the internet.
Re: (Score:2)
The user would had to have moved the data off the secure network to send it over the internet.
Or, you know, simply manually typed in information that was classified.
All classified information isn't in the form of preexisting documents that would be attachments. It's actually possible to discuss it verbally or via email, you know, and still
Re: (Score:2)
Yes, the data would have had to have been either transferred to the unclassified network or duplicated on it, but 'inadvertent' implies error when in reality the user would have had to bypass several safeguards to send a classified email on an unclassified network.
nah (Score:2)
Somebody confuses the government's classified project code word with the company's unclassified project name... oops.
Re: (Score:3, Insightful)
Any human system works best with "targeted" warnings. Yet the HS system seems designed to scan everything. It's like finding a needle in a haystack by ordering more hay.
So the man with Tuberculosis got through, because a lot of people who shouldn't be on a watch list break the system. We probably have worse security response now than before 9/11. I certainly
Re: (Score:2)
1 Small Shield = "person of interest"
2 Large Shield = "felon/ federal POI"
3 Rad Hazmat = nuclear type person (should have a number for level 5 = guy glows in the dark)
4 Bio Hazmat = guys with known infections ( same deal 5 = quarantine the guy )
5 Chem Hazmat= folks that play with funny chemicals ( 5 = quarantine the guy)
6 $ symbol = rich persona non grata
then have the gibbering/details
Re: (Score:1)
If SNL (and any other government agency for that matter) had stricter rules regarding personal use outside of work, them things like this might not happen as often.
a quick search yields:
http://www.washingt [washingtonpost.com]
One mail? (Score:3, Interesting)
So he sent one mail and it was intercepted? Damn, this puts the "insecurity" of email communication in an entire new light.
Re: (Score:2)
No, there are probably plenty of other instances of classified information being sent over unclassified/insecure networks.
This is just one that was identified.
And what probably occurred is that the recipient realized what happened, and reported it.
(But, by your last statement, do you really think the national laboratories shouldn't try to prevent classified information from being sent o
Re: (Score:2)
Or the recipient was expecting it and had been instructed to report it when recieved. How better to make the Iranians think it's genuine information regarding ancillary nuclear weapons components? The CIA slipped bugs to Soviets [msn.com] before, and there have been reports that the US and European countries have been doing the same kind of thing to Iran to slow their nuclear program.
Re: (Score:1)
There is no indication in TFA that the email was "intercepted" by anyone. The sender distributed an email containing classified info to multiple recipients over the public Internet and someone (probably one of the recipients) reported the violation. Of course, a copy of the message might very well be sitting on a non-gov't server somewhere. Maybe the sender actually encrypted the
An employee took his lab laptop on vacation (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
yeah, but that was before modern miniaturization of devices.
It's alright for a large tape machine to slowly self destruct in a phone booth, but don't nobody want their Palm Pilot exploding just after putting in their pants' pocket!
Re: (Score:2)
It's not really an indictment (which is what I think you meant to say) of anything. I'm not sure why this is modded up; there's no reason for a laptop that doesn't even have classified information to be set to self-destruct if its departure isn't approved, and unless every single email is manually checked, classified information will always be able to be sent over unclassified networks. In fact, someone with knowledge of c
Re: (Score:2)
Re: (Score:1)
Re: (Score:3, Insightful)
Right. We should make the laptops constantly read some sort of signal that fades away out of the pentagon, for example.
If the signal fades away, the laptop explodes.
Now combine this with the recent news about NSA brownouts, and we're effectively decimating our military in few minutes.
Or how about a laptop battery fire causing the explosive to go off.
Who would walk with a ticki
Re: (Score:1)
Sensitive nature (Score:1, Interesting)
I for one am sick of hearing about the military's sensitive nature. What was the document containing, poems about the war in Iraq or something?
We all know 90% of those documents have no reason to be hidden from anyone, except to hide the abuse and money laundering that's going on at furious speeds over there.
Re:Sensitive nature (Score:5, Insightful)
I'm not a fan of conspiracy theories, but if you honestly believe their strategy is competent and it's money wise spent, then I better be a tinfoil beanie.
Just because you don't care doesn't mean our enemies don't either.
Don't forget: they're not "our enemies". They're just the US military/govt current targets.
Why on Earth would Iraq be your enemy as a US citizen. What did Iraqi do to you or your US buddies. The only thing happening in Iraq right now is a bunch of citizen wars, caused by the invasion by USA in there. Saddam is dead, there weren't WMD-s in there, and Iraq had no connection to the 9/11 attacks.
I don't like how short people's memory about those things is.
Re: (Score:2)
Re: (Score:1)
Re: (Score:3, Insightful)
The middle east is not one amorphous entity. Some parts of it, say Palestine, really do have a long tradition of violence. The Ba'athist government was a stable, secular dictatorship which did commit atrocities, but it was nothing like the full on neighbor vs neighbor civil wa
Re: (Score:1)
Very neighborly.
Re: (Score:2)
Re: (Score:1)
a) the guy's own non-classified research
b) His address book with the phone numbers of his Lab buddies
c) Something with his social security number on it
All those things qualify as a government document of a sensitive nature, plus they're a heck of alot more likely than Iraqi convoy information.
Re:Sensitive nature (Score:5, Interesting)
So the "Los Alamos security breach" stories got big headlines and the "FBI screws up" got little headlines. Maybe there is a pattern there. As the newly privatized single-source nuclear weapons manufacturing company for the USA had a walk-out of 500 security guards over 36-hour work shifts and poor security protocols that didn't make headlines.
I think there is a dangerous move to privatize a lot of key military functions. And the FBI seems to bring up a lot of accusations before verifying the actual security risk.
Couple this with their seeming lack of interest in securing laptops and databases of American citizens. The rates is about a few million records a month. No biggie if some third party has your SSN right? The government can't have a Total Information Awareness database, but it appears that a private company can. Check out what John Poindexter (Iran/Contra felon) is still up to these days. Who knew he was such a great database expert?
Los Alamos is now privatized, and the good old "employee takes laptop with sensitive files and gets it stolen" oops is happening at rapid pace. Anyone want to be whether THAT particular employee gets reprimanded? My bet they will get a promotion. As does everyone who seems to fail upwards in this current administration.
http://www.fas.org/blog/secrecy/2007/05/los_alamo
Re: (Score:2)
1) There isn't any proof that anything was lost with Wen Ho Lee. The alleged problems continued AFTER he left. So, either the FBI got the wrong guy, there was another mole, or someone was doing something the FBI was OK with, and accusing Wen Ho Lee was a smoke screen (I know, that's a big deal -- but not beyond the realm of the scullduggery we are seeing today). I was reading some follow-up of the Wen Ho case -- that's what got me sort of suspic
Re: (Score:1)
I'm not a fan of conspiracy theories...
I am a fan of conspiracy theories - as I do not believe in fairy tales and am not cognitively impaired. Therefore, when everyone aboard those four planes on 9/11/01 are killed - I know enough to research the passengers' backgrounds and draw logical conclusions - sad to say, something which has become rather unAmerican.....
Also, I am aware enough to have looked at that next-day satellite photo of
Re: (Score:2)
Little mention of countermeasures (Score:3, Insightful)
Fact is that Los Alamos is a juicy media target and they will conveniently omit details like that to sell headlines.
Or the violators were pointy-haired managers that thought that high tech encryption stuff was only for the gearheads in the white coats.
Mod Parent Thoughtful (Score:2)
Of all the people employed by the government in this line of work, there's got to be many, many more cases just like this out there. How is it possible that this *one* government funded R&D facility has security problems that boil down to human error rather than process?
I have a feeling the others have the same issues, except this one is someone's punching bag. That someone is powerful enough to get the gears of government working against Los
Re: (Score:1)
LANL has been a punching bag for quite a while. After all, it's where those evil nasty nuclear weapons of mass destruction were invented.
Re: (Score:1)
This is just another example of sensationalist news reporting by 'journalists' who can't be bothered to do research beyond a bit of googling!!
Work laptop & vacation (Score:2, Insightful)
Even though I work in Corporate America, when I go on vacation, I want nothing to do with work during that time even though executive management gets upset that I don't want to be available for work related items such as calls in my absence.
I do take a laptop with me on vacation but it is for personal use such as personal e-mail, process digital pics, surf t
Text of the email (Score:4, Funny)
I'm going to be late home from the lab tonite so have dinner without me, we are just putting the finishing touches to the doomsday device so we can test it tomorrow.
Love you
xxxxxx
Something's still fishy here... (Score:2)
SIPRNET computers don't have internet access - or access to any other network. It appears to me someone would have to have taken the data out of the vault and composed it on an unclassified PC to send it anywhere off the secured network.
Re: (Score:1)
Re: (Score:2)
I problem I had while working with SIPR was people would bring in unmarked thumb drives and use their unclass email to transfer the data. We just educated the users and this problem dissolved.
Re: (Score:2)
they arent DoD.
The user in question probably had both class. and unclass. systems sitting on his desk, and typed too much information from one screen into the other one.
It happens.
Re: (Score:2)
source: http://www.gao.gov/new.items/d04375.pdf [gao.gov]
It's Also Worth Noting... (Score:3, Interesting)
But by yanking funding and threatening to "close the place down", those senators and representatives are risking a valuable National resource. It's their choice I suppose. But I don't think this continued beating down is very productive.
Los Alamos has name recognition. It makes great headlines every time anyone even takes a dump out there.
FFS (Score:2)
People should be fired/prosecuted for negligence these days.
you call this security .. (Score:2)
"The SIPRNET workstation may be used to download files from the SIPRNET. Anti-virus software has been installed and runs as a TSR program
Re: (Score:1)
Because of the size of the order, and importance for confidentiality, we recieved a "custom" version of NT. It had a different build number, a replacement GINA, and some other security features added in. If microsoft are prepared to do that for the UK Tax man, I would have thought that the US Military would get full sourcecode to aud
Re: (Score:1)
No where near the most up to date at the time. (We were running Solaris 8 and 9 elsewhere on site, and NT had already been removed and be
Crypto? (Score:3, Interesting)
Is it a gross simplification to state that using encryption would have rendered both mistakes harmless?
Is this really so hard for IT departments to set up PGP or one of its clones? Same goes for disk encryption? I have argued with people up and down who claim this is too hard to deploy, but I say that something is better than nothing, even if it nothing more than checking “encrypted folder” on your NT system.
These tools have gotten so easy to use these days and while I understand this is largely a social and policy problem, there is plenty of low-hanging fruit that can help mitigate the damage.
Re: (Score:2)
Is it a gross simplification to state that using encryption would have rendered both mistakes harmless?
[/blockquote]
No where in the story does it say the data on the laptop was *not* encrypted. In fact, the statement by one director that the user would've been granted permission to take the laptop to Ireland if he'd asked makes me believe is *was* encrypted.
Chris Mattern
Re: (Score:1)
The fool just didn't fill out the appropriate paperwork.
Sigh. Another non-event being blown out of proportion for no reason other than it originates from LANL, the left's favorite whipping boy...
Laptops are not and will never be secure! (Score:4, Insightful)
Given the ease of use and portability of a modern laptop you may as well just post a copy of the data to anyone who might be interested.
Stolen laptops are actually the lowest risk area, given that most laptop theives are after the shiny hardware and its so rare to come accross data with any resale value that they probably dont even look. A far greater risk for a high security installation like Los Alamos is someone borrowing a laptop for long enough to install some worm/trojans/keyloging software which the dedicated sceintist can then physically carry through all those firewalls back into the lab.
Any sane security profesional would just plain ban them from a set up with the security requirements of Los Alamos.
The best solution would be to have all hardware in a locked server room and only access them via "dumb" terminal servers. Plus a private network with no physical connection to the outside world.
Dirty email is not as ludicrous as it sounds (Score:1, Redundant)
I frequently see situations where a particular classified value could be de
Humans are the problem... (Score:1)
Biometrics needed. (Score:2)
As for the email, I'm surprised the even have a open link to the internet on a machine with sensitive information.
Re: (Score:1)
What I want to know is ... (Score:2)
Does that idiot still have a job? And if so