Item in great condition - Would do business again! AAA+++
April 13, 2006 1:37 AM

We have flash drives. Three days after the Los Angeles Times broke the story of the US military secrets for sale at an Afghan bazaar, a reporter for the paper bought ($40) another computer drive sold openly outside the U.S. air base in Bagram, Afghanistan. The 1-gigabyte flash drive holds "what appears to be a trove of potentially sensitive American intelligence data, including the names, photographs and telephone numbers of Afghan spies informing on the Taliban and Al Qaeda, personal snapshots, Special Forces training manuals, records of direct action training missions in South America, along with numerous computer slide presentations and documents marked secret." Most documents are neither locked nor encrypted. But the good news is, some of them can't be opened without a password, and the Army is investigating anyway. (LAT BugMeNot)
posted by PenguinBukkake (58 comments total)
 

posted by PenguinBukkake at 1:39 AM on April 13, 2006


Talk about a false sense of security.
posted by public at 2:06 AM on April 13, 2006


Wow. I hadn't seen this yet. I sometimes get the feeling that the Iraqi fighters have better intelligence on the US forces than we do on them.
posted by sophist at 2:12 AM on April 13, 2006


Obvious outrage aside, what happened to the concept of basic compartmentalization of data? Why is all this disparate data lumped in one space?
posted by Pontius Pilate at 2:12 AM on April 13, 2006


Why is all this disparate data lumped in one space

So it is easy for the officer to access all his stuff?
posted by Meatbomb at 2:39 AM on April 13, 2006


So it is easy for the officer to access all his stuff?

I must have been under the mistaken impression that security is not about convenience but rather about, well, you know...security. I mean, I am not advocating forcing officers to go to twenty different computers to obtain twenty different pieces of information, but the whole shebang on a portable flash drive? Come on!
posted by Pontius Pilate at 2:45 AM on April 13, 2006


One question: No encryption?
posted by Dunvegan at 3:14 AM on April 13, 2006


This is why we will lose this one.
posted by A189Nut at 3:19 AM on April 13, 2006


Sophist: of course they do. If they didn't, there wouldn't still be an insurgency. Their information superiority is their biggest weapon.

A189Nut: We lost at Abu Ghraib. It's just a matter of how many body bags we want to fill from here on in. Bullets are just a symptom of the war for hearts and minds, and that war was decisively lost.
posted by Malor at 3:29 AM on April 13, 2006


Abu Ghraib? Hell no. We lost when supplying and protecting hospitals for the local population wasn't a top priority. All we had to do was that, and aid folks in getting in. Then prioritize the usual utilities (water and electricity).

Iraq was a mess after all those years of sanctions. The mess was an opportunity, sadly missed, to help us look good. That fact goes to both the attitude (evil greedy) and idiocy of those running the show.
posted by Goofyy at 4:28 AM on April 13, 2006


See how easy it is to conflate Afghanistan and Iraq? Sophist started it and y'all followed suit. This happened near Bagram, Afghanistan, not Baghdad, Iraq. The war in Afghanistan is so five minutes ago. Our data devices in Iraq are much more secure (I think?)
posted by beelzbubba at 4:42 AM on April 13, 2006


Abu Ghraib was the killing blow. There is no way, after that, that we can credibly present ourselves as "the good guys". If we'd had some serious reckoning about it, going up the command chain, with swift and severe punishment, we might have had a chance, but... we don't work that way.

Because we're *not* the good guys. We're the guys who cover shit up, blame the whistleblowers, pick a few peons to foist the blame on, and try to brush it under the rug.

They know exactly who we are. We are opportunists, and we help them only to the minimum extent possible (well, actually I think we fail to even hit the minimum).
posted by beth at 4:43 AM on April 13, 2006


"But the good news is, some of them can't be opened without a password,"

That's a relief...so until someone figures out the name of the programmer's pet or his mother's maiden name, that info is safe!
posted by Liquidwolf at 5:02 AM on April 13, 2006


beelzbubba: it's all linked. If you're not familiar with where they are, look on a map... they're not as far apart as you might think. It's pretty obvious why Iran's so nervous and pushing for nuclear weapons.

I was just commenting re:Iraq because sophist did; I was, believe it or not, fully aware that it was a separate area.

We could have won the war in Afghanistan, had we stuck to just doing that; they really did want us there, for the most part. I didn't support that war at first, but after reading Against All Enemies, I understood why we invaded and that it actually WAS the right thing to do.

But Iraq fucked everything up.

beth: That's an excellent way to put it. I remember when the news first broke.... I thought, "holy shit, we could lose this war right here. If we handle it perfectly, we could even make a few brownie points, but if we screw it up, we could lose in the next two weeks."

And, sure enough, we opted to lose the war. Idiots.

Anyway, we should probably be talking about flash drives, no? I bet Russia and China would be more than willing to crack those passwords for a copy of the data...
posted by Malor at 5:16 AM on April 13, 2006


mistaken impression that security is not about convenience

I'm not saying it's smart, just that this is the likely thinking behind these guys putting all their stuff on these drives. Security is always for the other (careless / stupid) people, but of course I am careful and smart, and won't lose my drive, and it's such a hassle following the security protocols...
posted by Meatbomb at 5:31 AM on April 13, 2006


The 1-gigabyte flash drive holds "what appears to be a trove of potentially sensitive American intelligence data, including the names, photographs and telephone numbers of Afghan spies informing on the Taliban and Al Qaeda, personal snapshots, Special Forces training manuals, records of direct action training missions in South America, along with numerous computer slide presentations and documents marked secret." Most documents are neither locked nor encrypted.

And why, pray tell, does the most powerful military in the world use off-the-shelf memory devices? The next thing we will hear is that U.S. ammunition fits into Albert Q's weapons!
posted by three blind mice at 5:40 AM on April 13, 2006


Calling all security experts: is there any way to keep people from doing this?

I mean, you could order computers with zero USB ports, but then how do you hook up the printers? (Yeah yeah, "the printer port, dumbass" but do modern printers even use that anymore?). I guess a lot of keyboards and mice are USB nowadays, too, so there's another legitimate reason to need available USB ports.

I've got it! You superglue the things you need into the USB port. And any USB ports you don't use, jam gum in there, along with a mixture of sand and superglue.

Then, never move your computers or change your network architecture. Piece of cake!
posted by beth at 5:43 AM on April 13, 2006


Oh wait. Aren't there serial-to-USB port dongles? Guess you'll have to superglue the serial port(s) too. And anything else that can be dongled like that.

I've got it!!! DUMB TERMINALS!
posted by beth at 5:45 AM on April 13, 2006


I think the only way to combat this sort of widespread security leakage is to dilute it with disinformation. If there are approx 1,000 flash drives with real US secrets out there, we should make 10,000 that have fake (but convincing!) US secrets. These should be sold in the same places where you can find the real flash drives. To go one step further, those 10,000 disinformation drives should all have different secrets on them, so it won't be as easy as "disregarding all drives that have x secret on them."
posted by Afroblanco at 5:52 AM on April 13, 2006


(Of course, it is always better when real secrets don't get leaked to Afghanistan marketplaces in the first place.)
posted by Afroblanco at 5:53 AM on April 13, 2006


Actually, beth, you're not far off. Secured networks quite frequently use the dumb-terminal approach. USB flash drives are a huge PITA. Recent service packs on Windows have methods of locking down flash storage devices, but I don't know how well this actually works.

The vast majority of the US government, however, doesn't know its ass from a hole in the ground when it comes to security. Despite all their big claims about 'information warfare', if we ever do get into a battle with, say, China.... things are Not Going To Go Well in the US government for awhile. Their networks are, to many accounts (including the government's!) swiss cheese.

The hyper-secure networks are probably the tightest networks on the planet... no hacking into the nuclear missiles. But if it's not SuperUltraHyperMega Secret, it's probably not secured well.
posted by Malor at 5:55 AM on April 13, 2006


Of course, if the army has sense they will flood the area with phony data drives or else plant info on disks about people they want to have look like spies. Or else maybe all of this was phony material in the first place, part of an intelligence war. (Unfortunately, I find that unlikely)
posted by dances_with_sneetches at 6:00 AM on April 13, 2006


Speaking of passwords, in your opinions, which is a more secure password protocol?

a. requiring a 9 to 11 digit alphanumeric password that is not in a normal dictionary? i.e. 'Pathf1ndeR'
b. allowing normal 5 letter words but requiring them to be changed monthly?

I say a. where one really tough password could be created is better than b. where people tend to use easy to remember things like 'april6'
posted by Gungho at 6:03 AM on April 13, 2006


Abu Ghraib? Hell no. We lost when supplying and protecting hospitals for the local population wasn't a top priority. All we had to do was that, and aid folks in getting in. Then prioritize the usual utilities (water and electricity).

Iraq was a mess after all those years of sanctions. The mess was an opportunity, sadly missed, to help us look good. That fact goes to both the attitude (evil greedy) and idiocy of those running the show.
posted by Goofyy at 4:28 AM PST on April 13 [!]


For this administration, the Iraq police action was lost before the 1st troops rolled in. (Actually, given the history of warfare and its costs, war is a losing proposition in most cases.)

Had the Afghanistan conflict gone down with actual rebuilding and assistance to the people there, the US of A would have bought the goodwill of other nations via such VERY generous actions.

Given how poorly the Afghan occupation was going WRT to helping the citizens out of the situation they were in, why would anyone have thought the Iraq police action was going to go well?
posted by rough ashlar at 6:09 AM on April 13, 2006


Calling all security experts: is there any way to keep people from doing this?

As long as the physical box is insecure, so is the data.

From a UNIX side, you could add drive level encryption and lock down what devices can connect to what ports. From Windows you can buy software that will do similar things.

But if the admin account is insecure (most Windows boxes don't have secure admin sides) or the 1st day someone can't get something done because security gets in the way of doing that job, out goes security.
posted by rough ashlar at 6:14 AM on April 13, 2006


I think the only way to combat this sort of widespread security leakage is to dilute it with disinformation.

Not disinformation. Porn.

Ali: "Look Mohammad! Here on these flashdrives. The access codes for the infidel's security fence. God is Great."

Mohammad: "Forget that Ali. Open that file that says PARISHILTON.MOV."

Ali: "Quicktime. Fuck me, I wish Osama would supply us with Powerbooks. God willing."
posted by three blind mice at 6:23 AM on April 13, 2006


Had the Afghanistan conflict gone down with actual rebuilding and assistance to the people there, the US of A would have bought the goodwill of other nations via such VERY generous actions.

I just want to state, that, speaking of goodwill, not only have our current escapades in Iraq and Afghanistan *not created* any goodwill, but they have in fact *eroded* vast quantities of goodwill that our nation formerly had earned via the treasure, blood, and labor we expended in WWI and WWII and the rebuilding thereafter.

Well, "eroded" may not be strong enough - perhaps "shat upon" would be a better fit.
posted by beth at 6:27 AM on April 13, 2006


Mohammed: Better than RealPlayer. Have you ever installed that shit?!
posted by sonofsamiam at 6:36 AM on April 13, 2006


I'm just surprised that, with all those ads touting how the military will teach you to use computers, encryption is nowhere in the lesson plan.
posted by fungible at 6:36 AM on April 13, 2006


I wonder if it's even true... it sounds so blatantly against the rules (which the vast majority of military follow, thank you very much) as to almost not even make sense.

Never say never, I suppose.
posted by matty at 6:51 AM on April 13, 2006


Are these guys actually allowed to put sensitive data on flash drives? Many corporations don't even allow such nonsense (although enforcing these policies can be difficult). Heads should roll for this.
posted by caddis at 6:56 AM on April 13, 2006


So much for spreading Democracy and Freedom--remember this the next time (which is everyday) that Bush talks of that: ...This is the truth of how the military see the freedom and democracy working in Afghanistan:

One of the computer drives stolen from Bagram contained a series of slides prepared for a January 2005 briefing of American military officials that identified several Afghan governors and police chiefs as "problem makers" involved in kidnappings, the opium trade and attacks on allied troops with improvised bombs.

The chart showed the U.S. military's preferred methods of dealing with the men: "remove from office; if unable marginalize."

This is the fruit of those much lauded elections. Bush's democracy, the model to inspire the other nations to which he is now turning his attention, is based on "removing" and "marginalizing" by an American occupier of the very people that were voted into office, rightly or wrongly, by the people of that country.

The article goes on to say:

A chart dated Jan. 2, 2005, listed five Afghans as "Tier One Warlords." It identified Afghanistan's former defense minister Mohammed Qassim Fahim, current military chief of staff Abdul Rashid Dostum and counter-narcotics chief Gen. Mohammed Daoud as being involved in the narcotics trade. All three have denied committing crimes.

Another slide presentation identified 12 governors, police chiefs and lower-ranking officials that the U.S. military wanted removed from office. ...

posted by amberglow at 6:59 AM on April 13, 2006


The scary thing is, most of our military information systems are such godawful garbage (built by several dozen contractors, who never talk to each other, ignore the DISA standards, and charge about 300% more than the standard industry rate) that there's almost no way to move data around except by a) stickie note, or b) flash drive. There are some basic security precautions followed (e.g. no 802.11; keeping top secret, secret and unclassified information on separate devices on separate networks with rigid enforcement), but for the most part once you pass the physical boundary of the command post all bets are off.

And, frankly, I would blame the designers of security products (not everyone thinks like a computer security expert, guys) before I would blame the people using them.

Problems like this are actually a compelling argument for our employ of third-country nationals to sweep up and make the chow.
posted by xthlc at 7:08 AM on April 13, 2006


Security and convenience are always at odds, and security can and will be circumvented by those who need the information if it makes their jobs easier to do so.

This is unavoidable, and rightly so.
posted by perianwyr at 7:21 AM on April 13, 2006


gungho: 5-character passwords can be cracked in a few hours, so rotating them once a month is useless. 9-11 character alpha passwords may take a month or two... so the right solution is to use 10+ characters and rotate about once a month. If you get up into the 15-16 character range, you can rotate less frequently. And if you get some nice random non-alpha characters in there, it's even better.

beth: I think, overall, invading Afghanistan was probably the right thing to do, but I'm not 100% sure. In the days following 9-11, we had more brownie points than we've had in two generations. We could have used them to make some really lasting changes in the world; we could have demonstrated actual, you know, leadership.

Instead, we were bombing Afghanistan within, what, two weeks? It was _probably_ the right thing to do, if we did it well... but I still wonder if, had we chosen a different path, we'd have gotten more bang for the brownie point.
posted by Malor at 7:27 AM on April 13, 2006


Instead, we were bombing Afghanistan within, what, two weeks? It was _probably_ the right thing to do, if we did it well...

I agree that the Taliban should have been removed, and the terrorist training camps and such. But we totally fucked up catching Osama, and the aftermath is a frickin nightmare (Opium, Taliban coming back, and on and on). Effort: A. Execution: F-.
posted by beth at 7:39 AM on April 13, 2006


Coalition casualties have gone up every year we've been in Afghanistan during Operation: Enduring Our Freedom.
posted by kirkaracha at 7:54 AM on April 13, 2006



The hyper-secure networks are probably the tightest networks on the planet... no hacking into the nuclear missiles. But if it's not SuperUltraHyperMega Secret, it's probably not secured well.




Errr.....permissive action links anyone?
posted by lalochezia at 7:59 AM on April 13, 2006


This whole thing seems a little on the suspicious side. What are the odds that these drives were planted as misinformation?

The documents appear to be authentic, but the accuracy of the information they contain could not be independently verified.
posted by JJ86 at 8:16 AM on April 13, 2006


Calling all security experts: is there any way to keep people from doing this?

Train them not to. Fire them if they do. Check frequently.
posted by sohcahtoa at 9:07 AM on April 13, 2006


.
posted by russilwvong at 9:28 AM on April 13, 2006


So this is what "military-grade security" means when they advertise it in products. Good to know.
posted by kindall at 10:01 AM on April 13, 2006


But the good news is, some of them can't be opened without a password

Psst! "shock&awe".

I was never here.

posted by George_Spiggott at 10:16 AM on April 13, 2006


Nope. The password that gets you unlimited access to everything is "9/11".
posted by bigbigdog at 10:46 AM on April 13, 2006


It would be really cool if all those drives were full of counterintelligence.
posted by b1tr0t at 12:13 PM on April 13, 2006


Or maybe the location of the WMDs.
posted by zoogleplex at 3:52 PM on April 13, 2006


(bitrot, do you mean disinformation?)

Gungho: I think it depends a whole lot on the situation. Are the passwords being used somewhere they can be bruteforced (eg, file encryption), or somewhere they can not be bruteforced (eg, a properly designed login system)? Does every single person who uses the password use it ten times a day (and therefore will remember it), or are there some people who only use it every couple weeks (in which case, they'll have to write it down on a sticky note if it changes every month)? Do you give people their new passwords (in which case, what channel do you use to distribute the updates), or let them choose their own (in which case, worry about predictability after the first few changes)? What's the relative amount of damage caused by someone unauthorised getting in, vs. someone authorised being unable to get in? And so on.
posted by hattifattener at 4:01 PM on April 13, 2006


I wonder if it's even true... it sounds so blatantly against the rules (which the vast majority of military follow, thank you very much) as to almost not even make sense.

I'm wondering too, as the military has all sorts of stringent rules governing the handling of classified material, including requiring that secret and top secret information be kept under lock and key. They have their own private network (SIPRNet), not connected in any way to the internet (NIPRNet). SIPRNet is global, and you better believe they've got a pipe to Centcom, and Bagram has access, I'm willing to bet. I'm not sure there is any reason, excepting like a CIA field agent or someone similar, that anyone would ever be allowed to put that sort of information on a flash drive. It just goes against every rule guiding the handling of classified material...

The only thing I can think of is *maybe* whoever is supposed to be wiping or burning these things (secret materials must be re-formatted to DoD standard 5220.22-M, and if it's not going to be re-used, destroyed or burned) isn't, but even that seems a stretch...

That's a really strange story... I hope someone isn't really fucking up on a basic level over there...

Anyway, just heard on CNN they're using Afghan contractors at Bagram, and that it's well known locally that things are smuggled out all the time. That's unbelievable.

If they didn't, there wouldn't still be an insurgency. Their information superiority is their biggest weapon.

Ha! If there is one thing the US does extremely well, it's information warfare. Google operation "Urban Resolve", and you begin to understand the scale of the problem. The insurgency continues because we have yet to develop a bomb that effectively destroys ideas.
posted by SweetJesus at 4:09 PM on April 13, 2006


hattifattener - yes disinformation was the word I was looking for.
posted by b1tr0t at 4:38 PM on April 13, 2006


I hope someone isn't really fucking up on a basic level over there...

Hasn't that been our Standard Operating Procedure there and in Iraq? (and in New Orleans, etc)
posted by amberglow at 5:58 PM on April 13, 2006


Hasn't that been our Standard Operating Procedure there and in Iraq? (and in New Orleans, etc)

Yeah, the entirety of the US military industrial complex is completely inept, and it certainly doesn't stem from the corrupt leadership of higher ups...

Dork.
posted by SweetJesus at 12:49 PM on April 14, 2006


It looks like amberglow has touched a sensitive nerve with someone.

So, it's GW's (or perhaps Rummy's) fault that sensitive military secrets are for sale in Afghan bazaars?
posted by caddis at 12:57 PM on April 14, 2006


put words into your own mouth, Sweet--I didn't say that, and I have never ever shirked from blaming the leadership--it's them who decided on and implemented horrendously inept and dangerous procedures, including this dump of devices without wiping them first.
posted by amberglow at 12:57 PM on April 14, 2006


Hasn't that been our Standard Operating Procedure there and in Iraq? (and in New Orleans, etc)

Bullshit. I said I hope someone isn't fucking up on a really basic level, and you came back and said that's been our (United States') standard operating procedure since the beginning - ie those of us who are connected to the military are fucking up on the reg, and have been for a while.

I'm not an idiot, and I find that insulting.
posted by SweetJesus at 1:06 PM on April 14, 2006


beth writes "is there any way to keep people from doing this?"

There are standards in place, the vaunted C2 rating obtained by a very specific version of NT running on a very specific set of hardware (neither of which you can buy today) is an example.

And ya, where security is really high you have computers with no exposed ports. You transfer data over the very local network or I've also seen swappable hard drives. But those drives are treated like the security napalm they are and are logged in and out of secure storage.
posted by Mitheral at 1:09 PM on April 14, 2006


I didn't read it that way SweetJesus. Although I did read it that many mistakes have been made by the military and administration as of late and with that I would agree. I think you are being oversensitive and when you complain about unfair treatment with a string of invectives you just sound like a big cry baby.
posted by caddis at 1:12 PM on April 14, 2006


I think you are being oversensitive and when you complain about unfair treatment with a string of invectives you just sound like a big cry baby.

I'm not crying about anything, I'm just letting amberglow know that I find what he said to be insulting. You may not see it that way, and that's fine. I have a problem with someone saying that "fucking up" is SOP in the military. One person != tens of thousands, most of whom are good people in bad situations.
posted by SweetJesus at 1:35 PM on April 14, 2006


did you not even read that New Orleans was listed there too?

quite frankly, you prove that any of those places are not fucked up, and you show me who's responsible, who made decisions, and who sent who where--I'll wait. We abandoned Afghanistan to go to Iraq and we fucked that up too. Meanwhile back at home tons of people went without food and water for days, some drowning in their own homes--where was the National Guard?
posted by amberglow at 6:04 PM on April 14, 2006

