how many WS3 vaults are there on Voikel ab?
May 28, 2021 7:44 AM

Researchers at Bellingcat have discovered US soldiers exposing nuclear weapons secrets... via free flashcard websites. The flashcard sets "identify the exact shelters with “hot” vaults that likely contain nuclear weapons [and] intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened and the unique identifiers that a restricted area badge needs to have."

How were they discovered? "Simply searching for “PAS”, “WS3” and “vault” on Google together with the names of air bases in Europe."
posted by adrianhon (48 comments total) 43 users marked this as a favorite
 
Somebody set us up the bomb.
posted by chavenet at 7:51 AM on May 28, 2021 [55 favorites]


“secrecy about US nuclear weapons deployments in Europe does not exist to protect the weapons from terrorists, but only to protect politicians and military leaders from having to answer tough questions

Basically the primary reason for most security protocols. Everybody knows, they just don't want it published on metafilter.
posted by sammyo at 7:53 AM on May 28, 2021 [8 favorites]


This is awful -- and yet it is less terrible than what I thought it was when I read the FPP. I thought the implication was that radicalized soldiers were posting the code in order to give right-wingers or a hostile nation access to a nuclear missile to hold at Biden's throat. Thank goodness it is ordinary dumbassery.

Man, the future eats.
posted by Countess Elena at 7:55 AM on May 28, 2021 [13 favorites]


Yeah, it took me a while to understand that this wasn’t soldiers cleverly exfiltrating data, they’re just studying for their certifications.

On the plus side, we’ve identified a market opportunity for anyone who wants to hack together a military-grade flashcard web app!
posted by ook at 8:00 AM on May 28, 2021 [12 favorites]


Imagine being the person contacted on the flashcard-site side. You're running some free, ad-supported setup, and then you get a very stern "You need to delete these sets. Posthaste. And those might not be all, so you need to make sure you're not in possession of nuclear secrets." from the USDoD.
posted by CrystalDave at 8:11 AM on May 28, 2021 [10 favorites]


Relatedly, Strava's Global Heat Map exposing the location and movements of active-duty troops patrolling sensitive sites (2018)
posted by adrianhon at 8:12 AM on May 28, 2021 [18 favorites]




once again the students werent. fucking. listening

i said, as a faculty member, i wanted to "nuke chegg into steady orbit" not "use chegg for your nuke study bit"
posted by lalochezia at 8:19 AM on May 28, 2021 [27 favorites]


You won't believe what you'll find if you search that site for "Utah, Omaha, Gold, Juno and Sword."
posted by Mr.Know-it-some at 8:26 AM on May 28, 2021 [2 favorites]


Kara Swisher, on her SWAY podcast, interviewed one of the founders of Bellingcat. It is a worthwhile listen. Thanks for posting this!
posted by zerobyproxy at 8:41 AM on May 28, 2021 [6 favorites]


Question is, is MUNSS missing the first or second S?
posted by IncognitoErgoSum at 8:43 AM on May 28, 2021 [9 favorites]


And I happened to recently catch Fresh Air interviewing the Bellingcat founder. They talk through the process they used to identify Russian soldiers present in Ukraine using the same inductive, follow-the-clues type approach that this article demonstrates.
posted by mmascolino at 8:44 AM on May 28, 2021 [8 favorites]


You'd think that NATO would have people whose job it was to investigate what technologies their personnel use (in or adjacent to their work) and make sure that there are secure alternatives provided so that stuff like this doesn't happen.
posted by acb at 8:48 AM on May 28, 2021 [2 favorites]


This is a similar issue to that payment app that certain Florida politicians and public servants used to (inadvertently) document their crimes. In that it's an app that makes your data public (and searchable) by default for no particularly good reason and without clearly communicating that to the user. And most people are not sufficiently web-savvy to even think to worry about this (because they're thinking about the app from the user perspective, and from the user perspective there's no good reason to design a system like that, so why would you think to worry about it?).

Every year for the past two decades, some prognosticator or other has been telling educators that the current batch of students are "digital natives", but friends, from direct observation, this is really, really not the case. I don't teach anything involving sensitive state secrets or anything, but I should still probably start including a regular blurb in my course materials giving students a heads up about online privacy on these sorts of study apps.
posted by eviemath at 8:54 AM on May 28, 2021 [27 favorites]


make sure that there are secure alternatives provided so that stuff like this doesn't happen

the article mentions the soldiers were supplied with crayons, but turned to the flashcard site after those were consumed
posted by ryanrs at 8:59 AM on May 28, 2021 [21 favorites]


This is awful -- and yet it is less terrible than what I thought it was when I read the FPP. I thought the implication was that radicalized soldiers were posting the code in order to give right-wingers or a hostile nation access to a nuclear missile to hold at Biden's throat. Thank goodness it is ordinary dumbassery.

Hanlon's Razor strikes again.

But I gotta say, even for someone with as low an opinion of the armed forces as me, I was not expecting this level of stupidity across the board. None of the enlisted schmucks thought to wonder how their free flash card app was monetized? And no one higher up the chain of command thought to lock down app store access?
posted by Mayor West at 9:03 AM on May 28, 2021 [1 favorite]


I am 1000% unsurprised by these problems.

The tools behind secure curtains are very frequently generations behind what the offerings are to consumers at large. Usability, flexibility and capability are major problems with secure software. Even Obama famously refused to give up his Blackberry because the secure phones at the time were so so awful (in 2008, BBs really were very nice phones).

Google Drive, Dropbox etc... in particular are major security holes, but often unavoidable ones because internal storage and email limitations are so severe. Often it's about trading off one bad option for a worse one. Or simply deciding that the job doesn't get done on time.
posted by bonehead at 9:06 AM on May 28, 2021 [16 favorites]


I manage tooling in a large org and here’s a pattern I’ve seen a lot:

* people sign up for free tier accounts on Trello or other useful apps. These have no company control or single sign-on. There’s no way to disable access when people leave the firm, and no way to prevent sharing with non-company accounts.
* company investigates Enterprise versions of the apps, which have good security controls, and auditing.
* cost per user of the Enterprise versions is high and company declines to pay for it.
* company suggests users use some crappy or inappropriate tool that the company already has instead.
* people trust themselves and know crappy apps when they see them, so they keep using the insecure free apps.
* eventually, some sort of security breach, maybe.
posted by freecellwizard at 9:09 AM on May 28, 2021 [61 favorites]


Bonehead has it. Look at, say, CyberArk (an older enterprise secrets manager) versus, say, LastPass. The former is an unwieldy beast focused on the gatekeepers; the latter helps the end users in a pretty usable way.
posted by freecellwizard at 9:13 AM on May 28, 2021 [7 favorites]


You'd think that NATO would have people whose job it was to investigate what technologies their personnel use (in or adjacent to their work) and make sure that there are secure alternatives provided so that stuff like this doesn't happen.

Government IT spending is extremely slow (on purpose) and the money available is quite limited (on purpose). Worse, systems are often specified in obtuse and ridiculous ways by managers who do not understand the problem domains very well and implemented by amoral contract organizations that will implement exactly what is specified knowing that they will be paid follow on contracts for years fixing all the mistakes made in the original design. See CGI Federal for a prime example.

But I'm not bitter and haven't been forced to accept delivery of a complete waste of a quarter-million dollar contract for a database that was specified on a napkin and never used for any purpose. It was Top Secret compliant and ticked every box of the spec though.

Honestly, when the right IT people are given the resources to do their job right and management doesn't have time to interfere, government IT people can do miracles. What's happened in the past year, led by the grunts on the ground is absolutely transformative. They know what is needed and they're delivering amazingly well, beyond any expectation. The usual project managers however, are completely out of the picture.

And these systems, rushed out in months using COTS primarily, have in incredibly short timelines replaced stalled initiatives that have taken years to get to 10% success levels. I think there's a major lesson for government project procurement in the future.
posted by bonehead at 9:18 AM on May 28, 2021 [16 favorites]


"digital natives", but friends, from direct observation, this is really, really not the case

"Digital native" = "accepting their digital environment as both natural (rather than consciously constructed) and beyond their control"

The kids growing up in these walled gardens may be really good at using the provided gardening tools, but they don't build new tools or wonder what's past the walls, or who made them.
posted by praemunire at 9:20 AM on May 28, 2021 [36 favorites]


I think there's a major lesson for government project procurement in the future.

"Never waste a disaster"?
posted by clew at 9:21 AM on May 28, 2021


This is all par for the course.

Nuclear weapons are an obscenity.

The resources the USA expends on its military is an obscenity.
The resources the USA expends on education is curious.

(don't want to get all nationalist, tbh. I'm Australian and I gather our govt is working very hard on generating an apocalypse, because, umm, god and pentecostalism and that. Better to get a powerful ally to kill everyone ever than lose a trade-war or whatever)
posted by pompomtom at 9:23 AM on May 28, 2021 [3 favorites]


The US government threw Chelsea Manning in prison for revealing less dangerous information than this.
posted by Bee'sWing at 9:27 AM on May 28, 2021 [27 favorites]


Chelsea Manning is a fucking hero. I can't even work out an equivalency.
posted by pompomtom at 9:30 AM on May 28, 2021 [14 favorites]


You won't believe what you'll find if you search that site for "Utah, Omaha, Gold, Juno and Sword."

Well, good thing we're not planning to invade Normandy, then.

Or are we?
posted by TheWhiteSkull at 10:01 AM on May 28, 2021 [2 favorites]


During the Cold War, they built entire cities, with cinemas and churches and soda fountains and baseball diamonds and such, inside hollowed-out mountains behind blastproof doors. The digital native version of this would be to build an entire secure version of the internet, with cloud office applications, flashcard apps and fitness trackers (which were a security issue not that long ago), online gaming deathmatch arenas, and those gimmicky quiz apps you use for breaking the ice at meetings, entirely in a secure military cloud, behind a perimeter, and instruct personnel that this is what they are to use whilst posted. This should be doable; a lot of applications already have enterprise versions which deep-pocketed clients can licence and put within their firewalls, and companies such as Google, Slack, Zoom and such should be amenable to striking a deal, and as for flashcard apps, surely the Pentagon could either throw money at the developers to share their code or else fund equivalents.
posted by acb at 10:06 AM on May 28, 2021 [4 favorites]


LOOSE FLASHCARDS SINK SAFEGUARDS
posted by Rhaomi at 10:10 AM on May 28, 2021 [41 favorites]


The resources the USA expends on education is curious.

For the record, the U.S. spends more on primary and secondary education than most countries (e.g., about $2,300 more per student than Australia); relative to national income, we're pretty typical. And we spend way more than average for post-secondary education.

However, because education is generally a local responsibility, there is huge inequality in school funding. And I believe that the share of the costs of post-secondary education paid by students is much higher.

As usual, it's not that we're spending too little overall, but that the spending is unequal and often inefficient.
posted by Mr.Know-it-some at 10:43 AM on May 28, 2021 [10 favorites]


I'm sure that this is what it looks like at first glance, but it would be pretty funny if NATO was using Chegg as a simple, elegant way to distribute disinformation about military installations.
posted by evidenceofabsence at 10:44 AM on May 28, 2021 [5 favorites]


The digital native version of this would be to build an entire secure version of the internet

Well, A) the internet was their idea to begin with. B) they have one. C) nobody likes it because the consumer internet is more user friendly.
posted by pwnguin at 10:54 AM on May 28, 2021 [6 favorites]


So American decentralization and half-hearted investment in public services hamstring education just as much as it does to healthcare despite lavish spending? Quelle surprise.
posted by Apocryphon at 11:46 AM on May 28, 2021 [5 favorites]


make sure that there are secure alternatives provided so that stuff like this doesn't happen.

these exist. powerful people choose not to use them, with no repercussions.

build an entire secure version of the internet, with cloud office applications, flashcard apps and fitness trackers (which were a security issue not that long ago), online gaming deathmatch arenas, and those gimmicky quiz apps you use for breaking the ice at meetings, entirely in a secure military cloud, behind a perimeter, and instruct personnel that this is what they are to use whilst posted.

nipr, sipr, jwics, the og internet.

govcloud, the new hotness. it's just 20 years or so behind commercial.

the answers are pretty easy. the institutional inertia is cray.

also, consider that you can't be a cleared IT expert or software engineer if you smoke up, or work remote, or have bad credit, or a modern love life. huge technological impact of shitty sociological constraints.
posted by j_curiouser at 12:17 PM on May 28, 2021 [7 favorites]


It’s looking more and more like ARPANET will have the biggest blowback of any U.S. defense department project ever.
posted by TedW at 12:49 PM on May 28, 2021 [2 favorites]


Bonehead - yep, you've nailed it. Can't agree more about IT projects though my experience is state government. I recently left and am blown away at how uncontrolled my access is to devs now compared to in govt wk.

No 6 layers of PM/BA/leadership review/middle management meddling/sticky fingers/scheduling/cost forecasting just to describe a need, hear an estimate of resource need and go about getting mgmt approval to do that thing.
posted by esoteric things at 2:14 PM on May 28, 2021 [2 favorites]


also, consider that you can't be a cleared IT expert or software engineer if you smoke up, or work remote, or have bad credit, or a modern love life. huge technological impact of shitty sociological constraints.

The viable objective then would not be “a version of _, only reimplemented in Ada by an all-Mormon team of consultants at a defence contractor” but “literally _, licensed and transplanted into a secure cloud/enterprise app store”. That the original developers may have been burners, leftists or non-Americans won't matter as much as they're not being employed by the DoD.

This code would be run in an internal secure cloud, though on a less trusted layer than the secure systems developed by contractors with security clearances, and there'd be mitigations in place. For one, presumably it would not be communicating with the outside world at all.
posted by acb at 2:30 PM on May 28, 2021 [2 favorites]


govcloud

aws secret region
posted by j_curiouser at 2:37 PM on May 28, 2021


There are reasons why the government procurement rules are what they are. Initially, a response to abuses, then twisting by the abusers to meet their own ends. Reform (not complete abandonment) is sorely needed, but those who create political will through lobbying and donations are quite happy with intentionally endless projects, thanks.
posted by wierdo at 2:51 PM on May 28, 2021 [2 favorites]


They talk through the process they used to identify Russian soldiers present in Ukraine using the same inductive, follow-the-clues type approach that this article demonstrates.

This is known as "crowd-sourced" intelligence and Bellingcat is somewhat famous for it.
posted by snuffleupagus at 4:08 PM on May 28, 2021


He added that “secrecy about US nuclear weapons deployments in Europe does not exist to protect the weapons from terrorists, but only to protect politicians and military leaders from having to answer tough questions about whether NATO’s nuclear-sharing arrangements still make sense today.”

Whu...whu...whuffo means that?

For four years, I was an EW intercept/operator/analyst. The powers that were had folded my job into a TS/Crypto project that was so well classified--literally a box within a box within a box--that our post commander didn't even know the army troopers in my section were working on a Navy project overseen by a civilian at George G. Meade. We were well aware of what was classified and thoroughly intimidated by our security briefing: disclosures were liable to get you a reservation in Leavenworth for ten years per count. Some thirty years after I got out, I found my project on Google, code name and all. I nearly crawled under my desk while I processed that information: it was unclassified!

Okay, time marches on, but indoctrination lingers. Anyhow, my TSC clearance was fairly high, but I knew about and was in awe of the AEC clearances that touched upon some of our stuff.

So, back to the future: these guys had an app that put their classified stuff on Google? Really? Now I find out that this AEC-level stuff is to keep politicians from...doing...whatever?

Geezerhood has left me incapable of understanding youse whippersnappers.
posted by mule98J at 4:33 PM on May 28, 2021 [4 favorites]


> So, back to the future: these guys had an app that put their classified stuff on Google? Now I find out that this AEC-level stuff is to keep politicians from...doing...whatever?

More like their training materials, which they are tested on, as I imagine you know. The quote here is describing a NIMBY dynamic by which no politician wants the nuclear missile silos in their backyard, because no constituent wants the bombs nearby. Like, maybe at some point before the subs and orbital nukes European nuclear deployments would be kept secret, and now it stays that way because the Greens have a significant parliamentary standing.
posted by pwnguin at 5:36 PM on May 28, 2021 [4 favorites]


I think there's a major lesson for government project procurement in the future.

Not just software, or government, either. Keeping upper management (or revolving-door politicians) entirely hands off the process and just there to a) sign the cheques and b) quick check the supplier isn't a massive scam farm would massively improve pretty much any project you care to mention. Interfering in stuff they don't understand because they have the power to do so is pretty much in the job description though, and for many the graft is intentional, so I'm not holding my breath.
posted by Absolutely No You-Know-What at 12:30 AM on May 29, 2021 [2 favorites]


I imagine a few soldiers saying "Are you sure making these flash cards is a good idea?" and fellow soldiers saying, "Sure. We need to learn this stuff, and no one will ever notice." I

Am I making a reasonable guess?
posted by Nancy Lebovitz at 6:38 AM on May 29, 2021 [2 favorites]


This is known as "crowd-sourced" intelligence and Bellingcat is somewhat famous for it

To correct myself, make that "open source" intelligence, sometimes abbreviated OSINT in the trade.
posted by snuffleupagus at 7:04 AM on May 29, 2021 [2 favorites]


I'm sure there's also an element of a 19-year-old kid not really understanding how the Internet works; he was told not to share this information, so he didn't enter it anywhere except onto his own password-protected computer.
posted by Hatashran at 8:27 AM on May 29, 2021 [5 favorites]


you misunderestimate how much 19 year olds know about the web. and how little they give a shit about protecting personal or other info.
posted by j_curiouser at 9:48 AM on May 29, 2021 [2 favorites]


you misunderestimate how much 19 year olds know about the web.

Were you replying to Hatashran or to Nancy Lebovitz?

Per my previous comment, Hatashran is on the nose - the majority of 19 year olds really do not understand how the internet works, and likely have never even thought to wonder where something like their flashcard deck in a flashcard app is physically stored and who else could access it. They were just taught (in high school maybe, or if they looked up how-to-study tips online) to use flashcards on one of the many handy and, for most non-top security topics, actually pretty useful online flashcard apps that will shuffle the flashcard deck and help optimize the study experience eg. by dynamically updating how often to show each card based on whether or not the student correctly recalled the detail on the reverse side or other such features. (Some of these flashcard apps really are quite useful and well designed. Likely by folks who never considered "learning national security secrets" as a potential use case for the app.)
posted by eviemath at 11:04 AM on May 29, 2021 [3 favorites]


acb, you gotta get an inside view to understand how impossible your suggestions are. not physically, bureaucratically.

there is no amount of licensing that will get commercially developed web apps up to the security standard required. read dodi 8520.2 to see what you're even allowed to run on an internal web server.
posted by j_curiouser at 8:55 AM on May 30, 2021

