Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Government

New NSA Leak Exposes Red Disk, the Army's Failed Intelligence System (zdnet.com) 67

Zack Whittaker, reporting for ZDNet: The contents of a highly sensitive hard drive belonging to a division of the National Security Agency have been left online. The virtual disk image contains over 100 gigabytes of data from an Army intelligence project, codenamed "Red Disk." The disk image belongs to the US Army's Intelligence and Security Command, known as INSCOM, a division of both the Army and the NSA. The disk image was left on an unlisted but public Amazon Web Services storage server, without a password, open for anyone to download. Unprotected storage buckets have become a recurring theme in recent data leaks and exposures. In the past year alone, Accenture, Verizon, and Viacom, and several government departments, were all dinged by unsecured data.
This discussion has been archived. No new comments can be posted.

New NSA Leak Exposes Red Disk, the Army's Failed Intelligence System

Comments Filter:
  • Whatever happened to the DoD Orange Book levels? I would have thought that they'd have mandatory protection on all their data.

    A.

    • by ShanghaiBill ( 739463 ) on Tuesday November 28, 2017 @02:15PM (#55637799)

      Nearly all classified information is mundane garbage that nobody cares about. This "red disk" is a good example. TFA says it contains "sensitive information" but fails to list a single item of any significance.

      I had a "secret" clearance for decades, and I would regularly see classified reports about stuff that had been in the newspaper months before. Even more ridiculous, some of these reports were reporting that a newspaper had reported on a report that was not supposed to be reported on.

      More than 5 million Americans have security clearances. There are huge warehouses and data centers filled with "secrets". Meanwhile, our national debt is $20.5 trillion dollars.

      • by gnick ( 1211984 )

        I had a "secret" clearance for decades, and I would regularly see classified reports about stuff that had been in the newspaper months before. Even more ridiculous, some of these reports were reporting that a newspaper had reported on a report that was not supposed to be reported on.

        I had a DoE Q clearance for a little over a decade with SCI for part of that. I did see information that was classified published publicly. I also saw information published publicly that would have been classified if it was accurate. Confirmation of the information, true or false, was classified as it should be.

        Nearly all classified information is mundane garbage that nobody cares about.

        I'll agree with that, but there are very important exceptions.

        • Nearly all classified information is mundane garbage that nobody cares about.

          I'll agree with that, but there are very important exceptions.

          Indeed. But of course as a Q Clarence guy, you know that 1000 little pieces of "mundane" but related secrets equals one very interesting not so mundane secret...

  • by Anonymous Coward

    Link where?

  • Remind me (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Tuesday November 28, 2017 @01:55PM (#55637669)

    The people managing this data are the same ones many politicians think should be given a master key to all of our sensitive personal information, right?

    • Unmanaged (Score:5, Interesting)

      by DarthVain ( 724186 ) on Tuesday November 28, 2017 @02:17PM (#55637821)

      More likely it was a bunch of contractors involved in a particular project that was unsuccessful and abandoned, leaving it "unmanaged". With the project over, and no people around that was involved anymore, probably no one even knew it it was out there. This is a common problem for large organizations that try to minimize the amount of IT staff on-hand, and outsource everything externally (not the leak necessarily, but the apparent lack of institutional awareness/knowledge). However on the books it looks like the employee footprint is smaller, which I guess is the point.

      • More likely they just hired idiots. If the s3 bucket was ever managed at all it should never have been exposed without some access management in place. Amazon doesn't even make it hard.

      • by swb ( 14022 )

        It seems more likely that abandoned projects would have lost/forgotten passwords, not zero security at all on cloud services.

        I get passwords set to "password" or blank for internal-facing only systems, I see that about once in a while when I end up confronting mystery systems at clients. But most of the time the problem is nobody knows what the password is.

      • According to TFA, the developer of this system was a contractor and seeing as how the DoD wouldn't just use Amazon Cloud Anything for servers running sensitive data, it's reasonable to assume it was a contractor who did this.
      • So in other words it was exactly the people who would handle the master keys.
      • by Turmio ( 29215 )
        Sure, the cache may've been abandoned by a contractor, but still that does not change the point of the original question at all if you think about it a bit.
  • ...

    New NSA Leak ...

  • Intentional? (Score:5, Insightful)

    by IMightB ( 533307 ) on Tuesday November 28, 2017 @02:10PM (#55637775) Journal

    Seriously... In this day and age, do you really think that this is an accident? Unless more info is know, I'm inclined to believe that this is fully intentional, and any idiot that attempts to run this software is going to get what he deserves.

    • by AHuxley ( 892839 )
      Think like the US gov, contractors and mil.
      Its the 1950-70's. Vast amounts of data is been collected in real time globally. Total encryption would slow down translation and searching.
      What to do with all that data been kept on a secure base? Keep it in plain text so everyone with the correct clearance could read, search the globally collected material. From any other base or agency in the USA. While the UK was still sorting paper work and index cards the USA had real time, networked digital searching
  • It's a trap!
  • Keep hiring consultants that take no ownership and inexpensive college guys then keep wondering why bad things happen.
    • That's not really the issue. The real issue is that it is all brought to you by the lowest cost bidder... There is a reason that many of these are the lowest cost bidder, because they are not paying to have real talent in their company to provide those services (as the real talent costs much more to hire and would not be anywhere near the lowest cost). As such, you get people who make mistakes like this.

      On the flip side, it is very difficult to quantify and otherwise rate the benefits of the various contra
  • ... if he'd just put his info up anonymously this way. But instead he wanted to make sure there was journalistic curation by mejoro media orgs to limit info to stuff that proved his point about legal violations by NSA and other govt branches.
    Have to think he's bitter now.

  • by chill ( 34294 ) on Tuesday November 28, 2017 @02:51PM (#55638089) Journal

    http://www.jklossner.com/humannature/ [jklossner.com]

    John Klossner hit this on the head back in 2006.

  • I vaguely remember seeing references and a diagram of Red Disk. As a data point, in general the communities will keep extending projects outwards along the same naming dimension, so expect programs named "gold disk," "blue disk," etc.

    Projects actually never fail in the way you'd think. Everyone learns a whole lot, then moves on to the next iteration.

    Red Disk itself was one of the first attempts at what's now called a data lake, I think. You can probably dig it out of google if you cared. There were one or t

  • Next thing you know someone will leak more photos of the sound stage where they filmed the moon landing.
  • Consider the possibility that this is information/disinformation they WANT to be out, without the responsibility of actually releasing it. Just a thought.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...