Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Military Bans Removable Media After WikiLeaks Disclosures

timothy posted more than 3 years ago | from the no-using-your-photographic-memory dept.

Data Storage 346

cgriffin21 writes "The Pentagon is taking matters into its own hands to prevent the occurrence of another WikiLeaks breach with removable media ban, preventing soldiers from using USB sticks, CDs or DVDs on any systems or servers. The directive prohibiting removable media followed the recent publication of more than 250,000 diplomatic cables, which were leaked to whistleblower Web site WikiLeaks at the end of last month by a military insider."

cancel ×

346 comments

horse (5, Insightful)

florescent_beige (608235) | more than 3 years ago | (#34519854)

barn

Re:horse (1)

multisync (218450) | more than 3 years ago | (#34519906)

No kidding. They're *just now* getting around to this?

Re:horse (5, Interesting)

cytg.net (912690) | more than 3 years ago | (#34519994)

Indeed.
I had a conversation with a high ranking officer a few years back who boldy calimed that their systems was 100% secure, nothing i could do.. When i explained my attack vector would be to phone in and pretend to be from support and ask him to stick in the usb-dongle (wich he had in his mail) and plug it into the secure line .. well he (or she) pretty much had a revelation ... omg is it that simple. no it is not. and yes it is. It is that simple to someone as hardcore to the art of data theft as you are to the art of war.

Re:horse (4, Informative)

blair1q (305137) | more than 3 years ago | (#34520166)

Except that long ago there was a directive from the Pentagon not to allow removable media to be used for secure systems.

My guess is that they relaxed that for field units because some deployed systems have no networking attached and sneakernet is all they could use. And somehow that idea ended up meaning you could use removable media on network-attached systems, and eventually nobody even noticed when someone slipped a CD-RW into a machine with access to the entire database of classified information relating to the Iraqi and Afghani theaters of operation.

That someone is currently in jail, because, physical means or no, it was still illegal to take the information from the secure area without authorization, and to give it to uncleared people.

Re:horse (5, Interesting)

DeadDecoy (877617) | more than 3 years ago | (#34520280)

The problem is that security tends to be more of a human problem than a technical problem. A person can easily hide a usb stick somewhere on their person, and in the event that fails, take screenshots with a camera or write notes down. The first step is not to take away the usb stick, but to give the individual in question the training and incentive not to leak information in the first place. The training might include don't open any wierd attachments, browse to unauthorized sites, or use io devices from an unverified source. The incentives might include monitoring of sensitive material, legal repercussions, and, God-forbid, not implementing stupid policies that are morally questionable. Assenge noted in an interview that the purpose of Wikileaks wasn't to start a revolution but to make it easier for (morally)good companies to do business and to make it harder for (morally) bad companies to do business. The same could be said for government. Hire a trustworthy+competent staff don't be a jackass and you'll be less of a target, or at least implement fewer inane 'security' measures.

Re:horse (1)

brirus (1938402) | more than 3 years ago | (#34520484)

It's called SIPRNet, by the way. It's always been a big No-No to transfer any device from a NIPR (non-classified internet) client to a SIPR client, of course. But it happens anyway. If they want to stop Wikileaks, Wikileaks clones, and "insurance" torrents, then the governments of the world are going to need to cut out the James Bond / evil scientist bullshit and embrace 100% transparency.

Re:horse (0)

Anonymous Coward | more than 3 years ago | (#34519920)

that's nice and all, but i'm not sure what a radioactive horse [wikipedia.org] has to do with any of this.

Re:horse (1)

camperdave (969942) | more than 3 years ago | (#34520160)

A barn is ... approximately the cross sectional area of a uranium nucleus.

And my paintball pals complain that I can't hit the broad side of a barn.

Re:horse (2)

Tynin (634655) | more than 3 years ago | (#34519988)

All the same, if they are serious about security of their data, not allowing any writable / removable media on there facility just makes sense. On top of that, they should weld the cases on all of the workstations shut, disable pretty much all IO ports except for a physically permanent connection for the keyboard, mouse, monitor, and network cable. Monitoring to see if any new writable media becomes available on the workstation would be a good next place to flag for further investigation.

Re:horse (5, Interesting)

jd (1658) | more than 3 years ago | (#34520372)

The problem is not the decision, so much as that allowing insecure mechanisms (in violation of NSA Security Information notices, Common Criteria instructions for the levels required for secret information and Federal Information Processing Standards, I should add) was not only bloody stupid to begin with, it was in violation of US law regarding the handling of classified information.

Instead of prosecuting Manning, who at worst is guilty of far less than the Lockheed-Martin officials who publicly sold the plans for the current stealth fighters, one should ask why his actions were even possible in the first place. FIPS standards for secure platforms and NSA publications expressly prohibit the capability to transfer files to insecure formats. It is illegal, under US law, to install or use non-compliant systems for Government purposes. This means that giving Manning the computer violated US law. Do you see anyone charged with violating such US laws? I don't.

Re:horse (1)

bhcompy (1877290) | more than 3 years ago | (#34520468)

I'm sure that some of those people were disciplined within the military, though. This kind of negligence doesn't get overlooked by the brass when uncovered, even if they quietly handle it because the military is capable of doing that behind closed doors.

Incompetence "securing" again (1)

bussdriver (620565) | more than 3 years ago | (#34520404)

The security they had was poor because of incompetence, the same incompetence will "secure" it again. Will it work? ;-)

This isn't even really secure information and its extremely likely spies have always had this level of access. What I'd love to know is how secure the actually secure or extremely secure information is... and how easily accessed that is by foreign governments (and future internet leaks as the US government falls deeper into the authoritarian black hole.)

Re:horse (4, Funny)

jpmorgan (517966) | more than 3 years ago | (#34520022)

Oh, I don't know about that. The US military still has a lot of horses left.

Re:horse (1, Funny)

Cryacin (657549) | more than 3 years ago | (#34520066)

Plenty of asses to boot too.

Re:horse (1)

camperdave (969942) | more than 3 years ago | (#34520168)

"asses to boot"? Sounds like a job for PETA.

Re:horse (1)

dkleinsc (563838) | more than 3 years ago | (#34520242)

For some reason, though, the horse's asses in the US military consistently outnumber the horses.

Re:horse (1)

bhcompy (1877290) | more than 3 years ago | (#34520474)

How many assholes do we have on this ship, anyhow?

tune in tomorrow when (0)

Anonymous Coward | more than 3 years ago | (#34520080)

the realize they need to move somehting and have no way to do so....

Global Horses. (0)

Anonymous Coward | more than 3 years ago | (#34520156)

I think the bigger horse is why would a low level person like Manning have so much access to begin with? Or for that matter such widespread access to such a large group to begin with? If it wasn't him then it would have been someone else.

Re:Global Horses. (0)

Anonymous Coward | more than 3 years ago | (#34520254)

He wouldn't have needed access if he used social engineering techniques such as the one proposed in one of the first comments. Because he was an intel officer at all probably gave him opportunities for espionage. I highly doubt in his position his official account simply had access to the entire militarynetz. Need-to-now is the basis of classified information, otherwise what are you classifying.

Re:Global Horses. (2)

Artifakt (700173) | more than 3 years ago | (#34520430)

As someone who really was once an Intelligence officer, I'd like to point out that Bradley Manning was ranked Specialist 4, which is neither an NCO or commissioned rank. Until he made at least Sergeant, his need to know on anything besides possibly technical equipment specs was probably somewhere between nothing and Sgt. Schultz's "Nuuthink! Nuuthink!".

Which horse? (5, Interesting)

jd (1658) | more than 3 years ago | (#34520316)

The Pentagon had to ban USB sticks, et al, internally after the biggest single security breach caused by a virus passed around and brought onto the secure SIPRNET within the Pentagon itself. It's unclear to me if the problem was the virus relaying secret information off the secure network, or what, but apparently it was labelled the single biggest security breach by the Pentagon and they're unlikely to be overplaying security holes.

Mind you, NASA has just released secret information into the public domain by selling hard drives known in advance to contain secret information. These are drives that FAILED in-house auditing for such stuff. And prior to that, disk drives containing blueprints for the current generation of super stealth fighters were sold by Lockheed-Martin to Iran. (And people think Wikileaks did bad stuff?!?!?!?! How the hell does a bunch of personal opinions compare with giving a terrorist-funding nation plans for the top US fighters? Internal to Iran, there's the possibility they will find a weakness. Think Death Star plans. Think the Stealth Fighter shot down in Serbia. Yes, the Serbians blew up one of America's best planes, and with a cruddy cheap missile at that. On an international level, the Russians will doubtless use the plans to improve on their own airfoils and may be able to exploit the design to improve on whatever shape-based stealth they've developed so far.)

Add to that that NASA servers have been hacked in the past to turn them into file-sharing sites. Which means that whatever classified files were in those exposed directories have been shared as well. Quite plausibly these files were protected by DES only, not triple DES or AES, as "commercially sensitive" data is classified below secret and certainly only used basic DES up until a couple of years before that breech was discovered.

Then, back in the 90s, there was a breech at the Pentagon due to computers containing classified information being on the public Internet and having .hosts files. (NASA used .hosts files and rsh well into the current millenium and may well still do so.)

That's four Bloody Obvious horses, with gold bridles and gem-encrusted saddles, that have walked out and were only noticed after they kicked the door down at the stablemaster's house. There may be others.

Revival of the floppy disk! (5, Funny)

LiquidCoooled (634315) | more than 3 years ago | (#34519888)

Thank god they didn't ban floppy disks.

I knew these bad boys would come in handy one day!

Re:Revival of the floppy disk! (2, Funny)

Anonymous Coward | more than 3 years ago | (#34519916)

The problem is that they've read the evil overlord list and are padding all files to 1.45 MB in size...

Re:Revival of the floppy disk! (1)

Arancaytar (966377) | more than 3 years ago | (#34520054)

Especially since the entirety of sensitive military documents takes up roughly 1.3 MB, according to movies!

So (-1)

Anonymous Coward | more than 3 years ago | (#34519894)

Does anyone else want to walk up to Julian Assange and whisper the following into his cheeks, "The stuffing is a nice place! It's warm, it's stuffy, and there's parades all around!"?

I do, and my cheeks can flap at over 512 gigaflops a yoctosecond! Tell your stories, but the carpet coincides with the flaps and the rug.

Nothing to see... (4, Informative)

Frosty Piss (770223) | more than 3 years ago | (#34519902)

This applies to SIPRNET machines, and specifically personal CDs, DVD, etc. The thing is, this has always been the rule. At least everywhere I've worked with SIPRNET access (Air Force).

Re:Nothing to see... (1)

ColdWetDog (752185) | more than 3 years ago | (#34519938)

I don't get it. No access to removable drives is part of Paranoia 101. I guess I'll just have to RTFA.

Hope that helps.

Re:Nothing to see... (5, Informative)

bill_mcgonigle (4333) | more than 3 years ago | (#34520020)

Back in the day when Microsoft was advertising Windows NT 3.51 was C2-certified, we looked into the docs and one of the requirements on whatever PS/2 it was that was certified was that the floppy disk drive be removed. And off the network.

The thing here is Manning brought a RW cd inside his CD player, and only then snuck it into his PC. Then, he snuck it out in his CD player. I suppose if he was smart he burned track 1 with music so he could 'prove' it was a music CD.

The problem here is that a random private in Iraq had access to State Department cables from (e.g.) Honduras. Need-to-know-basis isn't a new idea, this was a major FU by the governing security body.

Re:Nothing to see... (1)

Bureaucromancer (1303477) | more than 3 years ago | (#34520336)

Exactly. The fact that there are supposedly MILLIONS of people with access to this network is the real problem. If it is really too much trouble to have any kind of need to know mechanism on this data it's time for a major review of what actually needs to be classified. The reality is that if the system hadn't been wide open to anyone with a need for any part of it this never would have happened.

Re:Nothing to see... (0)

Anonymous Coward | more than 3 years ago | (#34519968)

Man goes to work, man wants to listen to music, man brings his USB pluggable music player, man copies files.

If USB is disabled:

Man copies files locally, man brings boot disc, then see above.

If bios is locked:
flash bios.

Re:Nothing to see... (1)

Anonymous Coward | more than 3 years ago | (#34520034)

The bios locks on most modern "business" grade systems require a motherboard swap or JTAG connection.

Re:Nothing to see... (5, Informative)

fluffy99 (870997) | more than 3 years ago | (#34520052)

This applies to SIPRNET machines, and specifically personal CDs, DVD, etc. The thing is, this has always been the rule. At least everywhere I've worked with SIPRNET access (Air Force).

Close. It applies to SIPRNET and ALL removable media. If you have a legitimate requirement to use removable media it now must be authorized by your commanding officer in writing and you must have a procedure in place that uses two-person integrity.

Re:Nothing to see... (1)

Frosty Piss (770223) | more than 3 years ago | (#34520104)

Well, yes. I pretty much thought that went without saying when I said "specifically personal..."

An example would be Tactics Laptops that flyers carry on missions - these replaced giant binders, the info of which comes off of SIPRNET and is now on CDs.

Re:Nothing to see... (1)

IgnoramusMaximus (692000) | more than 3 years ago | (#34520128)

Except, of course, my USB stick is masquerading as a wireless USB mouse receiver, complete with a fully testable mouse functionality, but not by default. Only if I press some of the mouse keys in a right combo and then it sprouts a 16GB flash storage device. Another combo click and its back to mere mousing...

And so on, etc and the like.

Unless they ban all USB devices, all BlueTooth devices, all WiFi devices and pretty much go to Fallout-style green-screen VT100 revival terminals...

Re:Nothing to see... (2)

Frosty Piss (770223) | more than 3 years ago | (#34520264)

Unless they ban all USB devices...

All USB devices were banned on both NIPRNET and SIPRNET earlier this year. WiFi and Blue-Tooth have certainly never been used with SIPRNET.

Re:Nothing to see... (1)

IgnoramusMaximus (692000) | more than 3 years ago | (#34520374)

And so we will move onto one of these [newegg.com] , a camera in my watch or Van Eck phreaking gizmo in my shoe (with all due respect to Mr. Smart) and so on ....

I assume they did not strip everyone naked and checked their cavities and recent surgery marks...

Re:Nothing to see... (1)

eggnoglatte (1047660) | more than 3 years ago | (#34520276)

All they need to do is install software that will alert security personel if a USB mass storage device is registered. Physical appearance does not play into it.

Re:Nothing to see... (1)

IgnoramusMaximus (692000) | more than 3 years ago | (#34520392)

See my reply to the dude above. There are so many other ways that it boggles the mind.

Re:Nothing to see... (0)

Anonymous Coward | more than 3 years ago | (#34520292)

When I was working tight security conditions like this, such was the case. No wifi devices, no bluetooth devices, no cellphones. Anything that had to be plugged in (mice, keyboard, etc.) had to be cleared and secured (glued shut) before it was plugged in and we didn't have access to the back of the computer as it was in a locked cabinet.

Re:Nothing to see... (1)

IgnoramusMaximus (692000) | more than 3 years ago | (#34520488)

When I was working tight security conditions like this, such was the case. No wifi devices, no bluetooth devices, no cellphones. Anything that had to be plugged in (mice, keyboard, etc.) had to be cleared and secured (glued shut) before it was plugged in and we didn't have access to the back of the computer as it was in a locked cabinet.

None of which would of course stop a serious spy. I can think of at least two ways to download large amounts of data form a PC with this setup, and I am sure others could do even better.

Re:Nothing to see... (0)

Anonymous Coward | more than 3 years ago | (#34520504)

No, but none of the wikileaks leakers were serious spies. It will stop your average to semi-above average joe.

Re:Nothing to see... (2)

IgnoramusMaximus (692000) | more than 3 years ago | (#34520568)

No, but none of the wikileaks leakers were serious spies. It will stop your average to semi-above average joe.

True but laws of probability work against you here. If Wikileaks ethos catches on (as it seems to amongst a lot of people) there will be always a few who combine the will and the skill set. So the only long term defense will be removal of more and more features from these systems combined with restricting access to smaller and smaller subsection of data for each user - which will of course cripple the human resources more and more ...

Hence my joking Fallout reference.

This in fact was always the cornerstone of Soviet intelligence apparatus. Unlike the US which focused on more and more sophisticated and convoluted technology, they focused on people as the inevitable weak link, with the assumption that technological measures are essentially useless in the face of questionable loyalties of people with clearance ...

Re:Nothing to see... (1)

mswhippingboy (754599) | more than 3 years ago | (#34520548)

No, some simple settings in the security policy that only authorized sys admins can change and it doesn't matter if your USB stick can sprout wings, the system will not allow it. In fact, plugging it in will probably trigger a security event that will get you fired, court marshalled or jailed.

Re:Nothing to see... (1)

IgnoramusMaximus (692000) | more than 3 years ago | (#34520600)

And so instead I will use one of the many other no-physical-hardware-contact methods available to me...

Unless you disconnect that computer from that SIPRNET thing entirely and make sure that it has no classified data on its HDD, you are pretty much screwed if it comes to stopping skilled people from getting stuff out of it.

Re:Nothing to see... (4, Interesting)

gatkinso (15975) | more than 3 years ago | (#34520282)

Years ago we filled the USB ports of SIPRnet nodes at our site with crazy glue.

Old news and misleading title (1)

WatcherXP (658784) | more than 3 years ago | (#34519928)

This only applies to SIPRNET machines and has always been policy. No news here

Re:Old news and misleading title (4, Funny)

ColdWetDog (752185) | more than 3 years ago | (#34519998)

According to TFA (which I just read) it WAS part of policy (after a bunch of worms) then it got dropped because it was hard to move data around (duh) and now it's back again with the acknowledgment that it's going to be harder to move data around. (duh).

So I still don't get it - somebody finds something on SIPRNET. The copy it to a USB drive and give it to somebody else off the secured network, then plug it back into the 'secured' network again next week when the newest bunch of porn shows up? Sounds most secure.

Maybe they just ought tweet everything. At least the 140 character limit should slow people down a bit.

Re:Old news and misleading title (0)

Anonymous Coward | more than 3 years ago | (#34520368)

What about the IT Staff. The dumbest people in the organization (IT's in the Coast Guard) are placed in charge of running the services computers. In my humble opinion this is the weakest link. For example, USB drives were always banned on SIPRNET, yet, the guy in charge of COMSEC, who we were supposed to go to if we found any 'practices dangerous to security' regulary copied classified message traffic on a thumb drive. He also had the biggest mouth in the organization. If you can't trust the guys in charge of enforcing security, you are really kind of screwed.

Face it U.Sians are really just too dumb to operate computers. Let's outsource our IT organization to the Chinese. We outsource physical security on bases to illegal immigrants. Why can't we outsource information security. This change will create one consistent policy of outsourcing for each area of military responsibility. It will also bring the military more in line with the U.S. Governmental policy of providing services to the highest bidder.

Good luck with that... (0)

Anonymous Coward | more than 3 years ago | (#34519930)

Wait til you have to explain to this to the 11Bs....

A sure way to prevent it. (4, Informative)

www.sorehands.com (142825) | more than 3 years ago | (#34519942)

It is really hard to ban removable media given that you can attach a phone and it becomes a USB drive.

Using Windows Terminal Server, or Aqua Connect [aquaconnect.net] on the Mac
you can prevent anyone from using a USB device, as the data will be on a server, presumably locked away from users.

Not that hard... (1)

Anonymous Coward | more than 3 years ago | (#34520006)

It is really hard to ban removable media given that you can attach a phone and it becomes a USB drive.

The simple act of having a cell phone on you in most federal facilities that have these security policies is a security violation. A few of those and you can lose your job (yes, government employees can actually be fired in a "stop, don't pass go, you're on the street" way over this). If someone sees you plugging it into a SIPRNet node, you're fucked. Do that **now** while the government is making up for lost time and you've basically shredded your own clearance.

Re:A sure way to prevent it. (0)

Anonymous Coward | more than 3 years ago | (#34520110)

You're not supposed to have phones in classified facilities. That, along with all removable media shall not leave the facility, is a policy. Of course, you see how well that worked for them =/

Re:A sure way to prevent it. (1)

KublaiKhan (522918) | more than 3 years ago | (#34520204)

Phones aren't allowed in secured areas that contain SIPR computers.

Neither are any other electronics.

Re:A sure way to prevent it. (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34520230)

Concealing USB mass storage devices is trivial. They come in virtually any shapes and sizes(at the small end, limited largely by the smallest thing that falls reasonably close to the spec for a USB connector) and not too infrequently bundled with other devices(ie. "powerpoint presenter" widget that has an RF remote that is also a flash drive to store the presentation, various novelty crap, etc.) Further, all sorts of common, innocuous devices act as USB MSC devices when plugged in.

Using them covertly is an entirely different matter, though. Unless the OS recognizes the device, reads the device IDs, loads the appropriate driver, and mounts the volume r/w, your device is a paperweight. That is the obvious area that the military should be focusing on. In pretty much any modern OS, a system that logs all devices connected/disconnected from any bus, with timestamp and present user, if any, and refuses to mount MSC devices/unexpected volumes without authentication shouldn't be all that difficult. Even a defense contractor could probably get something going, given 3-5 years and $100 million...

Re:A sure way to prevent it. (1)

Anonymous Coward | more than 3 years ago | (#34520304)

Or on a UNIX machine you can just remove the user's permissions to mount anything new.

Re:A sure way to prevent it. (1)

nurb432 (527695) | more than 3 years ago | (#34520322)

Don't need Terminal Services.. you can disable USB via GPO or other remote means ( or even something simple like removing drivers and not giving anyone admin access to reinstall them ). Hell if you really want to be sure, just remove the USB chip by force and lock the case.

Just to be super extra Careful... (1)

rueger (210566) | more than 3 years ago | (#34519954)

And these are the people that we set loose with big guns, exploding doohickeys, and nukes.

Of course the logical progression is to ban the use of cameras, photocopiers, cel phones, paper, pencils, and people with photographic memories.

Re:Just to be super extra Careful... (1)

blair1q (305137) | more than 3 years ago | (#34520212)

And these are the people that we set loose with big guns, exploding doohickeys, and nukes.

Who? Slashdotters who read a headline and start posting as if they know all the details? Slashdot summary writers who type so fast they forget to read TFA themselves? Journalists who misquote and misread their own notes if they bother to take any if they bother to ask any questions?

The logical progression is to learn something before posting, because the people who can order use of the big guns, exploding doohickeys, and nukes actually had these policies in place, and the people at the other end responsible for implementing them failed to make sure they were being followed. The person responsible for following them who refused to follow them didn't have the authority to shoot snot out of his nose, much less big guns, exploding doohickeys, and nukes.

epoxy (2)

CohibaVancouver (864662) | more than 3 years ago | (#34519990)

It's used to be the case that some companies would squirt epoxy into the USB ports on devices - Doesn't really work any more as many devices no longer have PS2 mouse and keyboard ports.

Re:epoxy (1)

hedwards (940851) | more than 3 years ago | (#34520152)

You can squirt epoxy in the front ones, and then use an enclosure that keeps the fingers away from the back ones without the right key, and probably some sort of tamper proof sticker to make it that much harder to do without being caught.

But really, as soon as you allow physical contact you've blown security, this stuff is about making it as inconvenient as possible for an authorized party to be up to no good with console access.

Re:epoxy (1)

cinderellamanson (1850702) | more than 3 years ago | (#34520250)

You could epoxy the mouse and keyboard in place as well, as long as the contacts are good.

Re:epoxy (1)

camperdave (969942) | more than 3 years ago | (#34520218)

Just take out the drivers for USB drives, and don't install burners or floppies.

Re:epoxy (1)

blair1q (305137) | more than 3 years ago | (#34520232)

so epoxy the mouse and keyboard connectors into the usb ports and just gum up the rest

Re:epoxy (2)

DrSlinky (710703) | more than 3 years ago | (#34520370)

It's used to be the case that some companies would squirt epoxy into the USB ports on devices - Doesn't really work any more as many devices no longer have PS2 mouse and keyboard ports.

Um, dude... That stuff may have been sticky, but it sure wasn't epoxy!

Hero (0)

Anonymous Coward | more than 3 years ago | (#34520012)

Exposing the governments' corruption and bringing the truth into the light. Wikileaks is my hero! I want to cheeking thomas ultimatum supremacy while I'm am own ass.

That's gonna be kinda hard with USB (0)

Anonymous Coward | more than 3 years ago | (#34520040)

Ain't it? What are they going to do, search everybody, disable the ports, what?

Oh they're just going to tell people not to do it?

That'll work.

But seriously, while I appreciate having a universal port of some kind, I do think it's a bit of a price to pay having basically one port used for everything. Not one that matters to most of us, but I suspect some people might wish things were different.

Not sure it's feasible though.

Re:That's gonna be kinda hard with USB (1)

afidel (530433) | more than 3 years ago | (#34520140)

A) Go back to using PS/2 for keyboard and mouse, I never stopped using them for servers because the KVM's are just more reliable with it than USB. Now you can disable USB without an issue.

B) Yes having the guys with guns tell you that you may not have that on base is generally a good enough deterrent.

Re:That's gonna be kinda hard with USB (1)

hedwards (940851) | more than 3 years ago | (#34520164)

That's an incredibly easy thing to solve, all you do is put the CPU into some sort of protective case that prevents a person from inserting or removing things from any of the ports without the proper key.

You then keep the key in one of those industrial key minders that comes complete with logging.

Re:That's gonna be kinda hard with USB (1)

contrapunctus (907549) | more than 3 years ago | (#34520522)

Ah, the old "if you have physical access to a device, you can do anything" adage

Re:That's gonna be kinda hard with USB (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34520252)

The port may be universal; but the drivers aren't. Nor is automatically mounting a volume as r/w on insertion. Physical disabling is crude and only for the most absolutely paranoid of situations; but software based disabling of all but the really clever covert channel stuff should be relatively simple...

Re:That's gonna be kinda hard with USB (0)

Anonymous Coward | more than 3 years ago | (#34520418)

The port may be universal; but the drivers aren't. Nor is automatically mounting a volume as r/w on insertion.[/quote]

Or execute it. I hope that the military at least disabled that.

Wait...didn't they mess that up too?

dropbox (1)

Anonymous Coward | more than 3 years ago | (#34520062)

No mention of dropbox?

Re:dropbox (0)

Anonymous Coward | more than 3 years ago | (#34520344)

You can't use dropbox from a SIRPNET machine.

Old news, sure, but you know... (0)

Anonymous Coward | more than 3 years ago | (#34520118)

This has always been policy, sure, but you know that a vast majority of facilities who routinely do SIPR NIPR data transfers are going to be *completely fucked* when their higher-ups overreact to this, even if the data is Unclassified with no FOUO tag. They instituted 2nd man review policies initially after the Afghan leaks, and now this?

Man, I'm glad I don't work there anymore. My old system is probably fucked by now.

Huh (2)

Quiet_Desperation (858215) | more than 3 years ago | (#34520186)

I've worked in classified areas in aerospace, and USBs have been disabled since the first USB equipped PCs showed up. In then early days I think they actually removed the USB interface chip. Now it's disabled in software.

About fucking time (1)

Yanimal (1434757) | more than 3 years ago | (#34520192)

If secrecy and security are important then they should damn well act like it. A USB interface is about as secure as a mesh condom.

So the leakers will now have to rely on (1)

melted (227442) | more than 3 years ago | (#34520196)

So the leakers will now have to rely on plain old memorization, or print shit out. The only real way to prevent leaks is by monitoring access and severely punishing people for leaking. This leak only happened because the leaker all but knew he was impossible to catch. In fact, he was only caught because he bragged about it and someone turned him in.

Re:So the leakers will now have to rely on (0)

Anonymous Coward | more than 3 years ago | (#34520332)

Bragging is how most people get caught.

Don't worry, it's never the "small guy's" machine (5, Informative)

Opportunist (166417) | more than 3 years ago | (#34520208)

Here's a little story from back when I was the "IT security guy" (they didn't want to shell out the wage for a CISO, I guess) of a large, very security conscious company.

Of course, no machine had USB ports or CD drives (not that CD drives could have allowed any software to leave the machine, but hey), nothing you could plug on parallel ports or serial ones, no floppy drives, no nothing. No way to plug anything into those machines that could remotely be used to transfer any data out of them.

But of course, some people are more important than others, and some people have privileges. Needed or not. One department head needed to be able to use USB drives. It was actually a fairly level headed person and he was quite security conscious, was aware of the risks and able to handle it, and given enough pressure on the CEO he was finally allowed to use USB drives. This was actually still a fairly acceptable move. It was necessary for him and did increase his ability to work well and efficiently, and he could handle the additional responsibility and the risk was manageable and low enough to be acceptable.

But then the invariable laws of the office privilege and status bullshittery set in. Because it is impossible that Department Head A gets something and Dufus B doesn't. I guess it's not hard to guess what happened next. Of course, all managers on this level had to be allowed to use USB drives, need them or not. And this was NOT acceptable anymore. Some of them were too dumb to actually plug an USB drive into their machine without causing a repair incident. But they had to get it, need it or not, but it's simply impossible that one of them gets a privilege and the others don't.

So do not fear, people. Sooner or later this rule will be softened up and erode away because some people will have to have "privileges". Without being able to handle them.

I always wondered... (1)

Haedrian (1676506) | more than 3 years ago | (#34520234)

Bit of an honest question really.

If I log onto my online email, its an ssh site. So what's there to stop me shoving the stuff in an encrypted and compressed file - and then sending it as an email. If they're sniffing the packets they'll only get garbage. If I create an email address just for this - its pretty hard to trace I would expect.

Hell, doesn't even need to be email (although its the simplest way to cover tracks) - what's to stop me sending it over any sort of encrypted network?

Re:I always wondered... (1)

Frosty Piss (770223) | more than 3 years ago | (#34520294)

If I log onto my online email, its an ssh site. So what's there to stop me shoving the stuff in an encrypted and compressed file - and then sending it as an email.

You can't log into your online email from a SIPRNET machine.

Re:I always wondered... (1)

Haedrian (1676506) | more than 3 years ago | (#34520346)

Is that the only reason?

Because there are a number of companies which let you log onto your online email - and have the same "You can't use USB" blocks.

Re:I always wondered... (1)

RoboRay (735839) | more than 3 years ago | (#34520382)

Those companies networks are still connected to the Internet. SIPRNET is NOT.

That won't work. (0)

Anonymous Coward | more than 3 years ago | (#34520314)

The CyberPolice will backtrace you, and consequences will never be the same!

Re:I always wondered... (1)

Ccomp5950 (1796614) | more than 3 years ago | (#34520358)

SIPRnet isn't the internet. You can't pull up google or any internet website while on SIPRnet nor can you do so on the TOP SECRET network. They are not connected (for obvious reasons)

Re:I always wondered... (1)

santax (1541065) | more than 3 years ago | (#34520398)

Just take a picture with the cam in your phone. And take that out the door. It's a tested method and it works.

The press is just now getting around to this? (0)

Anonymous Coward | more than 3 years ago | (#34520240)

I'm a little confused by this "news". I spent the last six years in the submarine force and this was already a rule. No USB drives or personal CDs were allowed on any classified systems. Maybe the announcement is intended to inform people they're actually going to start enforcing the rule. I dunno.

Separate secure channels? (1)

smoothnorman (1670542) | more than 3 years ago | (#34520274)

Has there ever been an explanation of what all the diplomatic traffic was doing going through the pentagon? Wouldn't separate channels, and perhaps distinct cryptology, whose individual security is checked and tested by the NSA be more secure in any-case?

Re:Separate secure channels? (0)

Anonymous Coward | more than 3 years ago | (#34520330)

I have a feeling that A) this being the government, they found it easier to use the pentagon's already established private, secure network to transmit diplomatic cables, and B) after 9/11 would have consolidated anyway after all the hubub about inter-agency communication and cooperation to make it easier to share information.

Re:Separate secure channels? (2)

Lloyd_Bryant (73136) | more than 3 years ago | (#34520400)

Has there ever been an explanation of what all the diplomatic traffic was doing going through the pentagon? Wouldn't separate channels, and perhaps distinct cryptology, whose individual security is checked and tested by the NSA be more secure in any-case?

In the aftermath of 9/11, lack of information sharing was cited as a critical flaw that allowed the attacks to happen. So they responded with information oversharing...

Remove Storage capability from USB (0)

Anonymous Coward | more than 3 years ago | (#34520326)

My company has all storage options on USB shut off. I mean I know how to get around it, but it shouldn't be hard to figure out.

Just ban the users! (0)

Anonymous Coward | more than 3 years ago | (#34520496)

Just ban the users! Ok, I'll go now...

Something Ain't Right... (1)

Anonymous Coward | more than 3 years ago | (#34520498)

Something about this whole affair is bugging the crap out of me.

The messages prior to 1997 are all uppercase, and in the proper JANAP-128 format. They all pass the "sniff test" to me, but what don't pass the sniff test Manning. He could've had acces to the copter video, that'd be out and about. But where the heck is he supposed to be getting cables from the 60's and 70's??? That stuff don't normally get put up on the SIPRnet, it's kept on microfiche in archives.

This smells like someone old. Somene who's been on the inside for a very long time, collecting skeletons, putting everything in electronic format waiting for the right moment to open the door from a safe distance and let it all out. Waiting for the right medium (wikileaks), the right person to make an opening (Manning) and then take all the heat (Assange).

This feels like someone's very old archive. It don't feel like the work of one stupid kid.

Where I Work.... (1)

Ferretman (224859) | more than 3 years ago | (#34520534)

....we haven't been allowed to use thumbdrives and such, like, forever......

Other ways to get data out (2)

hawguy (1600213) | more than 3 years ago | (#34520574)

It's great that they finally figured out that letting employees write secret data to a storage device is a security risk, but are they also auditing outbound communication? Will they notice if an employee emails the data to his Gmail account? Or deposits it on some hacked server somewhere? Will they notice it if he uses steganography to hide it in other data?

Or maybe he'll use a program that converts the data to visible data that can be recorded by a camera (sure sure, cameras are against regulations, but stealing data is against regulations too...if he's a determined data thief, cameras can be hidden in all sorts of objects and body cavities). For example, a QR code can hold 4KB of alphanumeric data. If someone writes a program that displays 15 frames/second of QR encoded data and records it with a camera, that's 200MB of data every hour.

If he's patient, he can record it as a 2400 baud data stream and record it on his MP3 player - he can steal around 10MB/hour using this method.

Or maybe he can record it as a bit patter on a laser printer - if he can write at 100dpi reliably, thats around 100KB per piece of paper. If that can be stretched to 500dpi he'll get around 2MB per piece of paper, and will look like a grey piece of paper to the naked eye so security won't pay any attention "Oh that, it's scrap paper I'm taking home to my kids".

How will he get such a data theft program onto the computer? Simple -- if he can't download it off the internet (perhaps a "gif" that just needs the first 128 bytes stripped off to make it an executable), he can plug in a USB keyboard dongle that acts as a keyboard and then let it type in the program for him.

How secure *is* our secret data? Hopefully banning USB drives is just one layer and they are taking greater steps to securing who has access to such data.

I don't get it, really. (1)

Stormin (86907) | more than 3 years ago | (#34520614)

I've worked at several different banks that had software in place to disable the USB ports to prevent this exact sort of thing from happening. In one case they built the software in house so that certain USB devices that were issued by the firm could be unlocked, but nothing else. CD writers, if available on the host, were also locked down by the software and could only be used with prior approval. From what I know of the banking industry, this is pretty standard practice.

But computers holding sensitive government data don't even have that level of security?

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...