Russian Spy Ring Needed Some Serious IT Help
coondoggie writes "The Russian ring charged this week with spying on the United States faced some of the common security problems that plague many companies — misconfigured wireless networks, users writing passwords on slips of paper, and laptop help desk issues that take months to resolve."
Encryption (Score:5, Funny)
They encrypted everything using ROT13, TWICE! How much better security can you get?
Re: (Score:2)
Except that Cyrillic has thirty-three letters, not twenty-six. Therefore, they did ROT11 three times.
Re: (Score:2)
Let's not forget about the ultimate, ROT52. 4 times the security at only 4 times the price. From what I understand, it's to be the new official government standard for encrypting classified documents. AES is just too hard to do with a pencil and paper.
Re: (Score:2)
Re: (Score:2)
Three layers? And this obfuscates sufficiently?
How odd!
Re: (Score:2)
This is STRONG encryption.
Re: (Score:2, Funny)
Writing passwords isn't necessarily bad (Score:4, Insightful)
http://news.cnet.com/Microsoft-security-guru-Jot-down-your-passwords/2100-7355_3-5716590.html [cnet.com]
Of course, the rules are a bit different when you're a spy :)
Thats the least of their problems. (Score:2)
Writing the password probably isn't the smartest way to save it, but let's be realistic, nobody can remember a 26 character password. It's bound to be written somewhere even if it's written in a PGP encrypted email message to self.
Re: (Score:3, Insightful)
> nobody can remember a 26 character password
abcdefghijklmnopqrstuvwxyz. If preschoolers can learn an arbitrary sequence of meaningless symbols totaling 26, then I think it's possible.
Plus, your sentence is longer than 26 characters and so is this one.
Re: (Score:3, Insightful)
That would be fine, but then having to learn a new one every 12 weeks because of a password expiration cycle--that's when it gets impossible. You are always recalling fragments of the old password...
Re: (Score:2)
And sentences using dictionary words are hardly secure.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
What I have seen people mess up seriously on was reciting the alphabet forwards, starting and stopping at arbitrary letters (e.g. recite it from "d" to "o").
Re: (Score:2)
I have remembered several passwords this long and longer. I have no idea what they are, but I can type them every time.
Re:Thats the least of their problems. (Score:5, Funny)
That is indeed the least of their problems. I've heard their computers were themselves full of
(puts on sunglasses)
spyware.
Re: (Score:2)
I don't doubt it. The FBI ain't all n00bs, and no doubt can pull up the keylogger logs for the computers of any number of bad-actors.
Re: (Score:2)
YEAAAAAAHHHH
Re: (Score:2)
> Writing the password probably isn't the smartest way to save it, but let's be realistic, nobody can remember a 26 character password.
You can't remember a sentence?
Re:Thats the least of their problems. (Score:5, Funny)
"Your password has expired"
"Your password is too similar to your last password"
"Your password must be entirely different than the previous 50 passwords"
Re:Thats the least of their problems. (Score:5, Informative)
You laugh and mock, but the last head of IT we had, had us on 14 day rotating passwords. After 2 months he got canned.
Re: (Score:2)
Re: (Score:2)
Of course he got canned! You're supposed to change passwords every 30 seconds!
Re:Thats the least of their problems. (Score:4, Funny)
I'm surprised he didn't get assaulted in the parking lot after a month.
Re:Thats the least of their problems. (Score:4, Insightful)
Use a memorable quote, a poem, a song lyric, whatever phrase you can remember easily. Use the first letter or two from each word, swapping case and substituting punctuation marks/numbers as needed. Finally, a use for 1337-5p34k!
Example -
Whose woods these are I think I know.
His house is in the village though;
Becomes - wh wo ar th i th i kn ki ho i i th vi th
...and this is why I don't like this technique - you didn't even get it right in your example!
wh wo th ar i th i kn hi ho i i th vi th
Re: (Score:2)
The correct rule is to protect the password at the same level of security as the data you access with that password.
So, writing down a password on a post-it on your desk is not appropriate if you wouldn't do the same with the most sensitive item of data on your computer or network.
Similarly, if you have a sensitive network and a not-so-sensitive network, writing your sensitive-network password into a file stored on your not-so-sensitive network is a bad thing. This includes putting it in an encrypted file
Passwords (Score:5, Insightful)
Nothing wrong with writing down your long complex passwords..... UNLESS YOU LEAVE IT LAYING AROUND
The complaint read like a spy novel.... A ready-made Bourne script!
Re: (Score:2)
Bourne would never have been this stupid!
Everyone trying to catch him on the other hand
Re:Passwords (Score:5, Insightful)
Here is my point: if you do something that causes the FBI to monitor your every move and scour your home for clues for over 10 years, it is going to be very hard to keep many secrets, regardless of how you configure your WiFi or whether you try to memorize random 27 character passwords.
Seems like they're doing this on the cheap? (Score:2)
Seems like they're doing this on the cheap? acting dumb? stolen parts?
Well this just proves (Score:5, Interesting)
Re:Well this just proves (Score:5, Interesting)
the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.
Took the words right out of my mouth. You'll never know if you have a real competent spy around. Those Russians are very shrewd when it comes to this. Many years ago a US statesman was given a "gift" -- a wood carving supposedly made by children -- when he went to Russia. When he got back, he hung the thing up on the wall in the very conference room.
Over time, they noticed that discussions were slipping out of the room to the Russians, so they had the room checked for bugs. They could find nothing. And yet secrets still kept slipping.
They eventually checked the "gift" -- turned out it had a passive resonant circuit attached to a capacitor that had a diaphragm modulated by sound. How was it activated? Externally by a radio source at 300 MHz. It was quite ingenious, because there were no electronics as such -- just a tube with the diaphragm attached at the end.
The US guys couldn't figure it out, so they consulted British scientists!!! Can you believe that? Man, how stupid the US gov can be sometimes.
Re:Well this just proves (Score:5, Informative)
That seal is hanging at the NSA museum. If you go there, you can open it up and see the microphone. Pretty neat.
http://www.nsa.gov/about/cryptologic_heritage/museum/virtual_tour/museum_tour_text.shtml
look for "great seal"
Re: (Score:3, Funny)
I know! It's just the same with the half-dozen ninja assassins lurking in my apartment!
But they're there. I can feel it.
Re: (Score:3, Informative)
To be fair, it might have been just as well made by children - at least when it comes to visible parts ;p
Also, the seal device was actually hung on a wall in the Soviet Union, by the US ambassador there. The interesting part was made by none other than... Theremin.
Re:Well this just proves (Score:5, Informative)
Re: (Score:3, Funny)
> The US guys couldn't figure it out, so they consulted British scientists!
Truly dumb. I wouldn't have even needed scientists--I would have started with the question "So, have you gotten any gifts from any Russians recently?"
Re: (Score:2)
Uh, "how stupid the US gov can be sometimes..." I'd not use that for this instance, where hindsight is 20-20 while figuring out one of the first passive resonators is really hard.
Now, the CIA figuring out that Russia was exiting Afghanistan 9 months after Russia held a press conference saying they were leaving Afghanistan, that's stupid. And, that's from a book written by a previous CIA director to trumpet their successes.
Re: (Score:2)
Yeah, they don't tend to fall for the "Simon says put your hand up if you're a spy" approach.
Re: (Score:2)
> the incompetent can be easily caught. Perhaps these were even decoys for the competent operation still running.
This sounds like the plot to Spies like Us
Re: (Score:2)
> This sounds like the plot to Spies like Us
Sounds like Sleepers. http://en.wikipedia.org/wiki/Sleepers_(TV_series) [wikipedia.org]
Use passphrases (Score:5, Interesting)
Re: (Score:2)
That's an even worse solution. Do you really think end users are going to be willing to type a 200 letter phrase in instead? We use passwords for a reason: it's as much as most people are willing to type before becoming annoyed.
Re: (Score:2)
> That's an even worse solution. Do you really think end users are going to be willing to type a 200 letter phrase in instead? We use passwords for a reason: it's as much as most people are willing to type before becoming annoyed.
You, sir, have outdone yourself, even for slashdot standards. A passphrase is NOT "a phrase as a password", but rather a phrase as a mnemonic for your password.
Example:
Passphrase: 100 quick clicked commentors barely read Slashdot each day!
Password: 100qccbrSed!
I'll leave it to you to figure the magic out.
Re: (Score:2)
A pass phrase is not that bad of an idea. It does not have to be 200 chars long, but a few words that mean something to you strung together. If nobody can see you type it, then they will have no clue it's a pass phrase. If they see you tap space every 4-7 chars they will figure it out.
For a while, I used the phrase "I am the administrator!" for my workstation admin password. 23 very easy characters to remember. It is such a simple password to remember and hard to guess.
Re: (Score:2)
> That's an even worse solution. Do you really think end users are going to be willing to type a 200 letter phrase in instead? We use passwords for a reason: it's as much as most people are willing to type before becoming annoyed.
Yes. Assuming I'm an "end user" - I've been in I.T. for 13 years and still haven't quite figured out why the word "end" is put in front of user.
Anyway ...
I use passphrases for everything that will take something more than a short-digit PIN. My favorite is 27 characters long. At work I cull my memory for a passphrase, use that, and recall it much quicker than a coworker who enters part of the previous password, hits the backspace button, and mumbles "Now what was my new password again?" By the time he's don
Re: (Score:3, Interesting)
Is that a joke? (Score:2)
Passphrases are not harder to brute force. In general if you have 26 random characters it's hard to brute force.
Re: (Score:2)
> Passphrases are not harder to brute force. In general if you have 26 random characters it's hard to brute force.
Passphrases encourage the use of numbers, capitalization, longer passwords, and punctuation. If the common password is all lowercase letters and maybe digits, you're looking at a search space of (26+10)^k for a password of length k. If you throw in the 30 or so punctuation marks, and capitalization, the search space is (26+26+30)^k for the same length of password.
Given that so many people use lowercase+digits passwords, I'd be inclined to think that anyone brute-forcing a bunch of passwords would stick to
Re: (Score:2)
> Passphrases are not harder to brute force. In general if you have 26 random characters it's hard to brute force.
If you don't follow correct grammar, you can make a secure passphrase that's easier to remember than 98jn339ejnT#T*j#fe8#wf#F.
Assume a character set of 256, that means with 8 random characters, you've got 8^256. 8 random characters is tough for some people to handle. With passphrases, if you allow only English, you've got a "character" set of `wc -l /usr/share/dict/words` (98569), so with 8 random words, you've got 8^98569 possibilities. Of course, to follow a sense of grammar (even bad), you reduce tha
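The search-space figures traded in the comments above, worked through as an added example (not code posted by any commenter). It sizes each scheme as alphabet size raised to the number of symbols; the function names, the 64-bit target and the use of 30 as the punctuation count are assumptions of this example.

```python
import math
import string

# Alphabet sizes quoted in the comments above.
LOWER_DIGITS = 26 + 10        # lowercase letters plus digits
MIXED_PUNCT = 26 + 26 + 30    # both cases plus "30 or so" punctuation marks
BYTE_VALUES = 256             # "character set of 256"
DICT_WORDS = 98569            # word count quoted for /usr/share/dict/words


def search_space_bits(alphabet_size, length):
    """log2(alphabet_size ** length) for symbols drawn uniformly at random."""
    if alphabet_size < 2 or length < 0:
        raise ValueError("need alphabet_size >= 2 and length >= 0")
    return length * math.log2(alphabet_size)


def symbols_needed(alphabet_size, target_bits):
    """Fewest random symbols whose search space reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def observed_alphabet(password):
    """Alphabet a brute-force search must cover for the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += 30  # the thread's round figure, an assumption of this example
    return size


def upper_bound_bits(password):
    """Ceiling on strength, reached only if every character was random.

    A password built from the initials of a phrase is no stronger than the
    choice of phrase, which this character count cannot see.
    """
    size = observed_alphabet(password)
    return search_space_bits(size, len(password)) if size >= 2 else 0.0


def comparison(target_bits=64):
    """(label, bits for 8 symbols, symbols needed for target_bits) per scheme."""
    schemes = [
        ("lowercase+digits", LOWER_DIGITS),
        ("mixed case+punctuation", MIXED_PUNCT),
        ("any byte value", BYTE_VALUES),
        ("dictionary words", DICT_WORDS),
    ]
    return [
        (label, search_space_bits(size, 8), symbols_needed(size, target_bits))
        for label, size in schemes
    ]


if __name__ == "__main__":
    for label, bits, needed in comparison():
        print(f"{label:24s} 8 symbols = {bits:6.1f} bits; "
              f"64 bits needs {needed} symbols")
    # Sample passwords that appear in this thread.
    for sample in ("100qccbrSed!", "biaf2cik3eg"):
        print(f"{sample:24s} at most {upper_bound_bits(sample):.1f} bits")
```

All of these figures assume uniformly random selection; words or characters picked by a person cover far less of the space than the bound suggests.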
Re: (Score:2)
"But people aren't random number generators."
Nope, but accounting trolls are, according to Dilbert!
https://mywebspace.wisc.edu/lnmaurer/web/rng_stuff/Dilbert0001.jpg [wisc.edu]
Re: (Score:2)
Remembering random strings isn't that hard, it just takes time. People's heads are crammed full of random bits of data (pieces of bank account numbers, random login names you've been assigned, etc.) Instead of using a 20 character string as a password and trying to remember it straight away, generate four 5 character strings, write them down and recite them a couple times a day every day for a couple of weeks. After you're so sick of them you could recite them in your sleep eat the piece of paper and combin
Re: (Score:2)
Re: Use passphrases (Score:2)
Re: (Score:2)
What hole are you living in that you don't recognize that as a song lyric [lmgtfy.com]?
Re: (Score:2)
Two words: (Score:2)
Re: (Score:2)
This is mine:
"There's nothing more useless than a passphrase based on a quote."
(One Quotation-Dictionary Attack Later)
ALL YOUR BASE ARE BELONG TO US!
Re: (Score:2)
Re: (Score:2)
Pretty useless.
"Did I put the 4 first or the 7? and what the fuck was between years and ago?"
Guaranteed to forget the details in 2.4 months.
Re: (Score:2)
I like the pronounceable passwords generated by GNU Keyring on my ancient PalmOS device (a Handspring Visor).
It produces things like: biaf2cik3eg
Sure, it's a limited keyspace. But it's far easier for me to remember the sound of the password while I wait around for muscle memory to remember the keystrokes for me. But the sequence of keys is also similar to those used in normal writing, so I find that muscle memory remembers these pretty quickly. And, being consciously remembered as a sound also makes it
they were just making it look ... (Score:2, Funny)
they were just making it look like your standard network, so they do not arouse suspicion ..... ;-)
they're not spies, they're defectors (Score:5, Insightful)
they put on the bare minimum effort to convince the kgb they're still on the team (so they don't get any polonium in their tea)
then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke
if you want to talk about modern life destroying cherished traditions, add this to your list: comfortable suburban living killed james bond
Re: (Score:2)
Or they have connections who got them their cushy US layabout jobs.
The net history of espionage is like the net profit history of the airline industry. Comes out to about zero on balance (going back to the Wright Brothers, or so they say). But in espionage, even though the topmost levels of the U.S. and British and probably Soviet spy agencies were infiltrated over and over again, I guess there is some argument you can't just unilaterally disband them unless the other side does too.
Re: (Score:2)
> they put on the bare minimum effort to convince the kgb they're still on the team (so they don't get any polonium in their tea)
> then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke
> if you want to talk about modern life destroying cherished traditions, add this to your list: comfortable suburban living killed james bond
Seriously? You think Russia would put polonium in their tea? On US soil? I know the guy you are talking about so it does happen but I don't think Russia would dare do that. That being said I agree the spy ring does look to be a joke and I'm not sure why there is such a big deal about this considering they were an unsuccessful ring.
They weren't all full of shit because some of them (the Chapman female) seemed to have some real skills.
they did it on british soil (Score:5, Informative)
http://en.wikipedia.org/wiki/Poisoning_of_Alexander_Litvinenko [wikipedia.org]
if they have no problem doing it on british soil, what would stop them from doing it on american soil?
Re: (Score:2)
Exactly. And those are only the assassinations that we actually know about.
Re: (Score:2)
Hah, it had to be circletimessquare -- oh how I miss Kuro5hin and this kind of out-of-the-box thinking that used to come up there so often from you and the rest of the people. Too bad the place was filled with trolls to the point of unusability the last few times I tried to return.
Re: (Score:2)
Re:they're not spies, they're defectors (Score:5, Interesting)
> then they dig up their free bags of money in sullivan county, and get on with their average suburban wannabe lives. when the kgb calls, they find a paranoid schizophrenic's blog and rivet their kgb bosses with useless tales of intrigue from the wild west. this spy ring is a joke
I thought that was pretty obvious.
The very first article [guardian.co.uk] I read about the bust contained this supposedly intercepted message:
"You were sent to USA for long-term service trip. Your education, your bank accounts, car, house, etc - all these serve one goal: fulfill your main mission, ie to search and develop ties in policymaking circles in US and send intels (intelligence reports) to C (Centre)," an intercepted message said according to the indictment.
It sounds like the kind of exposition you'd hear in a hollywood movie when the writer wants to explain background to the audience, not the kind of thing a real spy handler would ever write -- unless he was super pissed that his spies had just taken his free money and run off with it.
Hey these were language, not IT, experts (Score:2, Insightful)
These Russian spies could have written their own. (Score:2)
They could have written their own steganography applications. Any known steganography application is probably also known by law enforcement and useless. The success or failure of steganography is based on the fact that the actual use of it and the type of it remains secret. When it's known then it's useless. It's very much like encryption where the key has to be kept secret or the encryption is worthless because the security of the scramble is the randomness of the key.
Let's just say it, these spies didn't kn
Re: (Score:2)
No, the whole point of steganography is that you use it to avoid provoking suspicion i
The key question: did they run Linux? (Score:5, Interesting)
And if so, is that good or bad?
If spies can't even get it right (Score:5, Interesting)
I'm an IT director at a mid-sized company in the US. I've worked hard to educate top executives on security issues, and to encourage them (it's hard to force a CEO or CFO to do anything) to use best practices. I've experienced a lot of resistance.
Most companies think of IT, and security in particular, as an afterthought, if at all. Our CEO, who is responsible for active contracts that are worth tens of millions of dollars, and who has very sensitive financial data and intellectual property on his laptop, balked when I told him I did not want to know his password. He'd ask me to fix a problem with his machine, and be bothered by the fact that I would ask him to type in his password himself when I needed it. Eventually I gave in and started typing it in myself. Apparently it's an open secret from middle-management up. He uses the same password for everything, and all of the privileged managers know what it is. What if one of us quits or is fired? I imagine he uses the same password for his online banking as well. It's a big risk. He travels internationally on a regular basis. Having 20 people that know the password to all of your accounts. . . well, that scares the shit out of me, but it doesn't seem to bother him.
And I get the sense that most people, whether they work in espionage or in the private sector, see security as more of an annoyance than anything else. That is, until a breach happens. When that happens, the IT department is blamed.
In those situations, "I told you so," is not an acceptable response. When bad things happen, heads roll. I'm afraid that despite my most strenuous efforts to encourage best practices for top executives, my head will one day be on the chopping block for one of their mistakes.
Sorry to post anonymously (it's the first time I have!), but other folks in my department read
Re: (Score:3, Insightful)
"I'm an IT director at a mid-sized company in the US [...] Our CEO [...] He'd ask me to fix a problem with his machine"
You *think* you are an IT director, but you are the mop guy.
At least that's what your CEO thinks, and that's all that counts.
go low tech (Score:2, Insightful)
Well what this really all just means is that the.. (Score:2)
.... terrorist threat is just not working very well anymore, so its time to remake an old threat....
But this time its really a lot more like "Spy vs. Spy" as found in MAD magazine.
Re: writing passwords on slips of paper (Score:4, Interesting)
Funny (Score:2, Funny)
If they had just called themselves a business intelligence and consulting service for foreign investors, they wouldn't have any problems.
And if you call yourself a lobbyist you can even funnel money from foreign governments into your congressman's pocket.
Obligatory Rocky & Bullwinkle Reference..... (Score:2)
This whole thing reads like an episode of Rocky & Bullwinkle.
Boris Badenov: "Everything going fine until Moose and Squirrel!"
Natasha Fatale: "What you mean, dear?"
Boris Badenov: "Everything working fine until we get laptop with Windows!"
Fearless Leader: "First Chernobyl, then Kursk, NOW OUR SPIES!"
Natasha Fatale: "Dahling, least not Moose & Squirrel this time....."
Re: (Score:2)
'mon Apple Developers..... no App for that? :-)
Just like porn, Steve Jobs recommends you use Android for that.
Re:Spying? There's no App for that?! (Score:5, Funny)
Re: (Score:2)
Re:I find this entire story to be a load of shit (Score:4, Insightful)
But what if it is true? Likely, it is, actually. Every country spies on other countries. I don't really see the US getting completely bent out of shape over it, it was a 10 year investigation. What was more important was tracking them and finding out who in the US was helping them. But spies come and go, but spying is a constant.
Re: (Score:2)
Why arrest them in a big show though? Usually spies are expelled not arrested.
Re:I find this entire story to be a load of shit (Score:5, Interesting)
Unlike typical spies with foreign diplomatic cover, these alleged "illegals" cannot just be summarily expelled back to their home countries. Any act against them requires due process, the first step of which is pressing charges.
The lack of diplomatic cover also means they are not protected from any charges that may stick. Spying without diplomatic cover is a very risky game. It makes this case all the more interesting.
Re: (Score:2, Funny)
Re: (Score:2)
> Why arrest them in a big show though? Usually spies are expelled not arrested.
If you were leading a TEN YEAR investigation, wouldn't YOUR office be demanding some publicity at the end of it to justify ten years of spending on your salaries, the investigative costs and so forth?
The best way to deflect a financial inquiry is to point at the TV where your "heroes" are out there making your country safe.
*sips coffee*
Re:I find this entire story to be a load of shit (Score:5, Funny)
The United States gets very offended by espionage activity, because we would never do it to anyone else. They promise. Not a single satellite [wikipedia.org]. No high altitude spy planes [wikipedia.org]. No high altitude long range supersonic spy planes [wikipedia.org] (we retired all of these, we promise). No remote control spy planes [wikipedia.org]. No flock [cia.gov] of [dia.mil] agencies [nsa.gov] with covert operations world wide. Nope, not the US. Keep your spies out of our country, we don't do it to you.
Excuse me, there are a couple nice men in black suits knocking at my door that just want to ask me a few questions.
Re: (Score:2)
It must be ok if filthy liberal commie places [europa.eu] have a problem with all that stuff.
Re: (Score:2)
That's those damned foreigners. Us Americans are the shining example of how to do things right. If Ms. Manners had to pick a government to say others should act like, it would be the fine United States of America.
(I hope everyone can read my sarcasm in these posts)
Re: (Score:2)
Re: (Score:2)
The Israelis that depend upon us for support are spying on us.
That's precisely why they're spying on you - because they have a strong dependence on your support, and therefore knowing if and when it may possibly weaken or be terminated is crucial for their national security.
Re: (Score:2)
The electronic ones are the obvious ones. Well, the ones that are public knowledge. I know of a few other routes that they're done by, that are not necessarily public knowledge. Well, given to me as "This is probably still classified, so I can't tell you all of it, but...."
They were told to me for the sake that they were technologically and historically interesting. Through other means, more information was gathered on them to confirm that they were real. I'll suffice it t
Re:Slower than a onetime pad (Score:5, Interesting)
Makes me think that Russia had already abandoned these people. They knew the FBI were on to them and cut down on support to limit damage to other parts of their network.
Re: (Score:2)
Re: (Score:2)
Who said anything about it having to be a language? That seems like it would be even more difficult than writing a script and distributing the CD. The script could handle everything. It could be written in python, java, perl or any other language.
You would think a country like Russia would have some top notch programmers. All this talk about cyber warfare and hackers trained by the Russian government and they can't write code? I don't believe it.
Re: (Score:2)