
Fresh Security Breaches At Los Alamos

kdawson posted more than 6 years ago | from the when-will-they-ever-learn dept.

Security 127

WrongSizeGlass writes "MSNBC is carrying Newsweek reporting on two new security breaches at Los Alamos. Both of these latest incidents were 'human error' on the part of employees. In one, an e-mail containing classified material was sent over the open Internet rather than through the secure defense network. In the other incident, an employee took his lab laptop on vacation to Ireland, where it was stolen out of his hotel room. The machine reportedly contained government documents of a sensitive nature."

127 comments

Human element is the greatest danger (5, Informative)

daveschroeder (516195) | more than 6 years ago | (#19647869)

It's worth noting in this example that if the laptop had been allowed to travel to Ireland with the employee with the proper approvals, as the article indicates, the material on the laptop was not classified, but rather deemed "sensitive". There are several classes of such sensitive but unclassified information. In the email instance, anyone can at any time send classified information over an unclassified network. It is up to the user to not do this. Granted, there are various technical and other procedures that can help prevent this, but it can never be completely avoided. These incidents seem rather tame, but since Los Alamos is under the microscope, every such incident will be greatly scrutinized - and sometimes blown out of proportion.

In the information security profession, several classes of threats to security, including physical security, are enumerated. However, the most significant threat of all, and one that can subvert even the best-laid plans for security, is the threat from human action. This threat is unavoidable, as humans are necessarily an integral component of any operation an organization may wish to secure.

The human threat can take the form of threats internal to an organization, and each of those threats can be intentional or accidental. Because of the access an internal person may have to sensitive areas or information, the threat from the actions of an internal person is often rightfully considered the most severe. An internal person may also unwittingly act in concert with an external person who is a threat to the organization as well.

A recent example of such a failure of physical security occurred when a 31-year-old man attempted to enter the United States from Canada at the border crossing in Champlain, NY, on May 24, 2007. Upon presenting identification, the Customs and Border Protection agent handling the man's entry received a computer alert. The alert warned that agents should immediately don protective clothing and detain the individual, notifying the originating authority.

The next steps seem obvious: the man is detained, and border agents run the message up the notification chain, CDC eventually learns that the man in question has been located, and appropriate action is taken. The system works.

What happens instead is that the man is allowed to enter the United States with no further questions, and is at the border crossing for a total of less than two minutes. The agent later says he thought the warning was discretionary, that the man "seemed fine", and therefore let him proceed. Every part of the system worked: the CDC was able to properly place the man on appropriate watchlists, his passport was properly flagged upon entry, and relevant information was presented to the processing agent.

Every part, that is, except the human part.

The man in question is Andrew Speaker, an Atlanta lawyer who traveled with his fiancée to Europe for his wedding and honeymoon. While in Europe, he subsequently learned that further testing revealed that he was infected with Extensively Drug Resistant Tuberculosis, or XDR TB, a form of tuberculosis resistant to a wide variety of antibiotics and treatments, and which can have a 70% mortality rate. The CDC and health authorities did all they could to attempt to restrict his further travel, and thus protect the public at large. Speaker sidestepped No-Fly and other watchlists by flying to Prague, then to Montreal, and then driving to the United States.

The Department of Homeland Security has placed the agent, whom it has not identified, on leave while it reviews the incident, and related processes and policies. When a human charged with the ultimate protective responsibility errs, no amount of technology can solve that problem. What if this had been a man identified as on the way to the United States to intentionally spread an infectious agent? The frustrating element here is that all of the underlying information and identification systems were working - which is itself encouraging - but the individual responsible for taking action on the notification chose to ignore the warnings.

In my own environment, we have at times identified examples of secure doors being propped open, allowing unauthorized persons into secure areas for convenience, not signing in visitors, ignoring security measures for convenience, and even reluctance to report security incidents because of the perceived hassle. Planning often protects information from accidental loss, loss from failure, and sometimes even from acts of God, but with even stringent planning and procedures, it is difficult to protect from the determined - or negligent - human adversary.

Re:Human element is the greatest danger (4, Interesting)

WgT2 (591074) | more than 6 years ago | (#19647945)

Speaker sidestepped No-Fly and other watchlists by flying to Prague, then to Montreal, and then driving to the United States.

Sounds to me that his actions were completely intentional, that he was not at all concerned about the health of others, that he wanted to fulfill his desires regardless of how it might affect others.

I wonder if there are charges that could be brought up against him.

In any case, you make a very good point about the human factor in security.

Re:Human element is the greatest danger (1)

anti-human 1 (911677) | more than 6 years ago | (#19649093)

Sounds to me that his actions were completely intentional, that he was not at all concerned about the health of others, that he wanted to fulfill his desires regardless of how it might affect others.
I'm sorry, did you miss the part that said he is a lawyer?

FTGP:

The man in question is Andrew Speaker, an Atlanta lawyer who traveled with his fiancée to Europe for his wedding and honeymoon.
I guess they can't all be decent, hot dog loving [imdb.com] citizens, can they?

Re:Human element is the greatest danger (1)

theuedimaster (996047) | more than 6 years ago | (#19649953)

You make him sound like he's a bad guy, and I don't think that's fair. Put yourself in his situation. If you know you're gonna die soon from a disease, and that it CAN be cured if you go to ONE hospital on the other side of the world, wouldn't you do anything you could to get there? I don't know how many of us would lock ourselves up in a room or sit and rot in an Italian hospital - resigning ourselves to death.

That would be a very heroic thing to do, and I doubt that most of us would even venture into doing that.

Re:Human element is the greatest danger (1)

WgT2 (591074) | more than 6 years ago | (#19651647)

Heroic? Since when is doing a right thing, like not putting others in mortal danger, heroic? If that were the case, then not driving my car 50 mph over the speed limit would also be heroic.

What you describe as normal is also selfish and wrong.

Re:Human element is the greatest danger (1)

tinkertim (918832) | more than 6 years ago | (#19651181)

Sounds to me that his actions were completely intentional, that he was not at all concerned about the health of others, that he wanted to fulfill his desires regardless of how it might affect others.

Of course they were intentional. You don't accidentally pack a laptop. Well, I guess you could, but it would be difficult. He did not intend for it to be stolen and if you can't have a reasonable expectation that your stuff will NOT be stolen then we have a much larger problem to address.

So many brilliant absent minded people wandering around with so much top secret junk. That in and of itself appears to be the cause, this is a symptom of it.

I vote to hang him by his balls because anyone conscious and aware of being so could not have a _reasonable_expectation_ that they would not get cremated should something happen to that laptop given recent events.

Mail client tied to the wrong subnet? Why can you get out on port 25, or 26, or almost any port on a public block?

The reason these poor bastards get hung out to dry is because it solicits exactly the reaction that you offered. Don't fall for scarecrows, stay mindful of the actual cause. Nobody who knows what they are doing gets paid to make decisions there. Given this _whole_ argument, that's probably a good thing.

This might just be the best it's going to get given the nature of the place. I hope not, but it might be.

Re:Human element is the greatest danger (1)

WgT2 (591074) | more than 6 years ago | (#19651541)

Sorry about that. Although I thought essentially the same thing about the laptop loser, I meant the TB infected knob mentioned in my parent post.

And, the parent post actually calmed my thoughts about the laptop in that the goof had permission to take it out of the country. I think we might have a bit of sensational reporting going on here meant to stir you and me up about something that could happen but didn't.

Re:Human element is the greatest danger (1)

tinkertim (918832) | more than 6 years ago | (#19652239)

And, the parent post actually calmed my thoughts about the laptop in that the goof had permission to take it out of the country. I think we might have a bit of sensational reporting going on here meant to stir you and me up about something that could happen but didn't.

I'm not much fun at parties. A benefit to seeing things in a very literal sense is blissful oblivity when someone's trying to trip a bug I just don't really suffer from, empathy. I have a sense of empathy, but it's not so .. diluted by the time that I act on it as it might be in someone else.

If you look at the 'stir stick', it's clearly labeled "induce fear that national security is weak". Journalism is very much a service, if it weren't you wouldn't pay for a newspaper anymore. Part of the service is making you want to swallow all of it, even if just to shoot holes in it while you read your paper, or slashdot, or whatever. They're giving you what you want, facts dipped in adsense with some irony because they feel bad.

Has anyone here, ever once tried just writing to Los Alamos and requesting the information available to the public regarding their security policies, then sent in patches?

I'm honestly curious to know, it wasn't a rhetorical question. If we own the place (as tax payers we do), umm, we ought to propose something better before stringing up the entrails. Well go ahead and string them up, write the guy an IOU for some patches. Make the e-mail user suffer hotmail for a whole month. Done.

If we start having to get laptop scans to get on airplanes as a result of this, I vow to produce a turd and beat someone severely with it.

Re:Human element is the greatest danger (4, Insightful)

djmurdoch (306849) | more than 6 years ago | (#19648019)

You're missing one important piece of information in your description: how many false alarms does the border agent get from this system and all the other watchlist systems he has to work with? If the agent is getting hundreds of warnings that all turn out to be crap, why would he believe one good one?

Re:Human element is the greatest danger (4, Insightful)

daveschroeder (516195) | more than 6 years ago | (#19648127)

You're missing one important piece of information in your description: how many false alarms does the border agent get from this system and all the other watchlist systems he has to work with? If the agent is getting hundreds of warnings that all turn out to be crap, why would he believe one good one?

Warnings on a passport to detain, immediately don protective gear, and notify DHS and CDC?

Not many.

That's why the agent's handling of this is such a big problem. And it represents another aspect of human failure in security.

Your point about false alarms is a valid one; this just isn't one of those examples.

And for anyone who is thinking about No-Fly lists or watchlists possibly falling into the "too many false alarms" category, they don't. When a name is on a watchlist, more detailed information about the person (e.g. DOB, addresses, etc.) is passed up the chain to any number of originating entities or authoritative sources. If that is the target, instructions for handling are passed back. If it isn't, the person is cleared. The reason why it's done this way is for a variety of reasons, not the least of which is so that people at airline ticket counters or frontline TSA staff don't have access to classified or private personal information (beyond what is volunteered or required to be given by the passenger) when processing passengers, to say nothing of the enormous technical complexities involved. That's why you hear stories about people not being able to "get off" watchlists. It's not "them" that's on the watchlist; it's someone who shares that - or a similar - name. That's why people who aren't actually wanted for anything whose names are on "watchlists" are always allowed to fly after the check. Persons in such situations who are frequent travelers are also able to get special documentation to solve this problem. But "they" can't "get off" the watchlist, because it's someone else who is on it, and that's what the detailed checking process confirms. Yes, it's a very, very imperfect system, but identification has always been a cornerstone principle in law for recorded history. We're using the best balance of technologies and privacy we have - really - to attempt to identify persons who should not be allowed to enter the US, fly, etc.

Re:Human element is the greatest danger (1)

djmurdoch (306849) | more than 6 years ago | (#19649207)

No, not from just this system, from "this system and all the other watchlist systems he has to work with".

If the border agent gets lots of false alarms from other watchlists, then he's not going to read any of them carefully, and he's not going to trust them.

Are the alarms he gets rated on a simple severity scale (e.g. 1 to 10)? How many alarms does the agent get that received the same rating or higher as this one did?

Re:Human element is the greatest danger (1)

Vitriol+Angst (458300) | more than 6 years ago | (#19651529)

It seems reality is flying in the face of your very well laid out facts.

It sounds great and all that all these protocols and information are available. But I doubt that a security guard who only gets a warning once in a while would ignore "wear protective gear and detain."

The Watch Lists are probably causing this problem. They need a name and a detailed description of the suspect. So that "John Doe" doesn't get stopped. Too much detailed information on everyone is wrong, but too little information about a suspect so that you are tracking the wrong people doesn't make sense. That's why they stop 5-year-olds.

Can I guess at the system? Low-wage security guard puts in passenger name; "beep, warning!" Which he saw 500 times already today. Does he go to the manager for a detailed assessment? No, the passenger seems calm and surprised by the detention. Yes it's protocol to take every warning seriously, but his manager would have kicked him to the midnight work shift if he bothered him 500 times a day. There might have been a flag by the CDC on the cursory warning, but knowing bureaucrats, they have a lot of standard boilerplate notice, and that CDC flag would be appended to the end. So a page-full of data that you'd actually have to read and have long since learned to gloss over. Much like the standard software EULA that we all click "agree" to without noticing the clause about our first-born child.

Re:Human element is the greatest danger (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#19648757)

Oh no! The fault is of all foreign grad students working late just to intercept those e-mails... I knew the FBI was behind some important clues!

For real, now, is this incident going to produce another display of paranoia in the US and remove more privileges from foreigners? Because of course somebody has to pay for their mistakes, and it's much better if it's foreign so they can keep feeding that xenophobia.

Re:Human element is the greatest danger (1)

drinkypoo (153816) | more than 6 years ago | (#19650439)

If the agent is getting hundreds of warnings that all turn out to be crap, why would he believe one good one?

His job is to observe the warnings and follow protocol. The fact that he could not see his way through to doing this implies that he should be terminated, and hopefully, held responsible for his negligence.

If you don't want to do the job, don't take the paycheck.

Perceived status as an issue (4, Interesting)

Flying pig (925874) | more than 6 years ago | (#19648035)

What makes the Speaker case even more interesting is two factors. First, an educated professional given grave personal information behaved in a way that could possibly be interpreted by some people as irrational and maybe even putting others in danger. Second, subsequent comments reported to be by Speaker suggested that, like many lawyers, he is a very forceful individual who sees his own interests as paramount. It would be very interesting to know if the customs agent felt intimidated by Speaker and this accounted for his being allowed into the country.

In the UK, a large number of intelligence protection failures have occurred basically because of the perceived status of the perpetrators. (The best known cases being Philby, Blunt, MacLean and Burgess, all of whom were fairly upper class members of the Intelligence services.) In his fictional books based on composites of the Philby-Burgess case (A Perfect Spy and Tinker, Tailor, Soldier, Spy), John le Carré (who was in a position to know) suggested that the Intelligence services suspected or half knew that they had traitors in their midst all along, but were inhibited from acting against fellow members of the upper classes and their own community.

It would be very interesting indeed to know how far this culture extends into research establishments. It would be expected to be quite pervasive because of the esprit de corps among any professional group.

Of course, perhaps the real answer is that scientists and engineers, by their nature, are the worst people to be allowed to work on secret weapons systems because it contravenes their tendency to want to cooperate, share knowledge and see their own work published. Let's replace them all with Fortune 500 CEOs. That should result in a real peace dividend.

Re:Perceived status as an issue (2, Interesting)

morgan_greywolf (835522) | more than 6 years ago | (#19648183)

Well, not all security personnel can be swayed by someone's status. I know people who have worked airport security (prior to the TSA takeover, in fact) and you'd better believe that everyone was required to go through the screening, at least at Detroit's Metro Airport (DTW). And I mean everyone. The pilots, the flight attendants, even high-ranking politicians, celebrities, off-duty police, off-duty FBI, and other high-ranking officials. (The only people allowed through without screening were U.S. military showing proper ID, and police or FBI/ATF/etc. if they were on duty). They all complained, and the louder they complained, the more insistent the security people got.

The reason is that it boils down to training. The security folks prior to the TSA takeover were actually very well-trained -- security is actually worse with the TSA takeover than before. They were told "You don't let anyone by, no matter who they are."

But I sort of agree about scientists and engineers -- but I also know that with proper security measures and procedures in place, it's definitely possible to get even the worst offenders to cooperate with you.

Re:Perceived status as an issue (2, Funny)

pedalman (958492) | more than 6 years ago | (#19651331)

Well, not all security personnel can be swayed by someone's status. I know people who have worked airport security (prior to the TSA takeover, in fact) and you'd better believe that everyone was required to go through the screening,
Like the comedian said about these security checks:

"The good news is that you'll make your flight on time. The bad news is that you have an enlarged prostate gland."

Fortune 500 CEOs (1)

geek2k5 (882748) | more than 6 years ago | (#19651539)

Of course, perhaps the real answer is that scientists and engineers, by their nature, are the worst people to be allowed to work on secret weapons systems because it contravenes their tendency to want to cooperate, share knowledge and see their own work published. Let's replace them all with Fortune 500 CEOs. That should result in a real peace dividend.

We could make a 'great' start by putting Halliburton on the list.

I would be worried that they might outsource the research to China though. That might cause a bit of a problem security wise.

Re:Human element is the greatest danger (1)

LuNa7ic (991615) | more than 6 years ago | (#19648089)

For those who don't know, Los Alamos is a nuclear weapons laboratory in New Mexico.

How does the user control email? (4, Insightful)

msauve (701917) | more than 6 years ago | (#19648107)

In the email instance, anyone can at any time send classified information over an unclassified network.
How does the user control that? Are they all running sendmail (or some other MTA) locally on their machine, and given full control of email routing?

I'd think, like virtually every other email system in the world, that users would have their MUA configured to send outbound email via a single mail server, where all further routing is under administrative control. Do they allow connections to that server from outside?

I could understand the issue, if it was someone sending to an external, insecure email address. But the summary, article, and now you all say the problem is with which network the email was routed over. The other possibility is they were off-site, and didn't have a secure VPN connection running - but why would a secure system not force SSL email connections? Or is sending even over VPN/SSL not considered secure?

It's just not clear how the user has the control implied here.

(or is it that they're allowed to have personal email accounts on their machines, and that's where the email was sent from?)

Re:How does the user control email? (2, Informative)

daveschroeder (516195) | more than 6 years ago | (#19648195)

How does the user control that? Are they all running sendmail (or some other MTA) locally on their machine, and given full control of email routing?

No. They just send classified information from an unclassified workstation and an unclassified email address, almost like any person would send email in any workplace. That's why some public areas have big signs that say DO NOT DISCUSS CLASSIFIED INFORMATION or watch officers answer phones with, "Good evening, Lt So-and-so speaking, this line is not secure. May I help you?" and insecure fax machines have UNCLASSIFIED decals all over them.

They're all reminders to properly handle classified information, a huge amount of which is up to the user.

And as to what you're asking, someone at LANL sent classified information from their unclassified email address on the unclassified network to someone's unclassified email address at the Nevada Test Site, another DOE facility, which is 1.) completely going over an unclassified network, and 2.) routed over the commodity internet in between.

No, you can't "accidentally" traverse unclassified, secret (L), and top secret (Q) networks. But you can use the wrong network for the wrong kind of information. There are technical controls to help prevent doing this easily, but that doesn't stop someone from manually typing up an email message containing classified information and sending it over the unclassified network.

And as to all your questions about security, yes, both ends are using secure connections to email servers, etc., but even if it was sent encrypted from one end to the other, it's not considered secure if it's going over the unclassified network, whether it's internal to a site or using the commodity internet. It would be the equivalent of you sending a message to joe.blow@nts.doe.gov right now. That's their unclassified email address, and it is "accessible" from the public internet.

That's quite different... (1)

msauve (701917) | more than 6 years ago | (#19648659)

than just sending email.

They just send classified information from an unclassified workstation and an unclassified email address, almost like any person would send email in any workplace.
It seems to me that just as serious as how the email is being routed, perhaps more so, is how classified material got on the unclassified workstation in the first place (you mentioned one possibility), and why is that not also being reported as a violation. (i.e. why focus on the email aspect, that's just a result - the root cause is classified info being placed where it shouldn't be)

Re:That's quite different... (1)

daveschroeder (516195) | more than 6 years ago | (#19648701)

Yes, if classified information is put on an unclassified terminal, that's a bad thing, but it still needs to be discovered.

And that also doesn't stop someone from simply manually typing an email message whose substance contains classified information. Not all classified information comes in the form of a document that will be an attachment...it could be just as simple as discussing a classified project or something similar, and then the recipient reporting the "breach". Without more information about what happened here specifically, we can't really tell more. I'm just trying to say that it's more than possible to mishandle classified information with any level of technical controls.

Re:How does the user control email? (1, Informative)

Anonymous Coward | more than 6 years ago | (#19648221)

I'd think, like virtually every other email system in the world, that users would have their MUA configured to send outbound email via a single mail server, where all further routing is under administrative control. Do they allow connections to that server from outside?
None of these technical considerations have anything to do with it. Classified and unclassified computing are totally disconnected. The only way classified info unintentionally gets sent on an unclassified network is if the user manually types in a piece of classified information to their unclassified system and hits 'send.' Sometimes a single word or number is classified, so it could be easy to do.

Article is Crap. here's actual press release (2, Interesting)

goombah99 (560566) | more than 6 years ago | (#19652535)

Los Alamos has a press release [lanl.gov] response to this. The laptop did not contain sensitive info. Indeed it would be highly unusual for a laptop with sensitive info to leave the Los Alamos site on travel. Moreover, what Los Alamos considers "sensitive" info is a much higher standard than you would think. For example, if an employee has someone's resume on their computer and that resume, despite being a public document, perhaps taken off Monster.com or Nature.jobs, has a birthdate in it, then it's treated as sensitive information. Think about that next time you hear "sensitive" info being lost at Los Alamos.

Re:Human element is the greatest danger (0)

Anonymous Coward | more than 6 years ago | (#19648163)

Have you seen this joker's homepage http://das.doit.wisc.edu/ [wisc.edu] On facebook (referenced on the page) Shows as Dept. Of Homeland Security (FUD Inc.)

Re:Human element is the greatest danger (1)

vtcodger (957785) | more than 6 years ago | (#19648177)

***In the email instance, anyone can at any time send classified information over an unclassified network. It is up to the user to not do this. Granted, there are various technical and other procedures that can help prevent this, but it can never be completely avoided.***

Excuse me. Back when I was doing gubmint (DOD) work, connecting a machine with classified data stored on it to an unclassified network with unmonitored connections to the outside world would have gotten you ten years and/or $10000. Apparently the policy has changed.

And, BTW, the requirements for monitoring a pipeline to an unclassified destination were so onerous that it was hardly ever done.

There may have been good reasons for the change if there has indeed been one. But it most certainly IS possible to preclude users from inadvertently sending classified data electronically to an unclassified network, and that used to be the norm.

Hard for me to get worked up over this. IMO, most classified data I've seen (and I've seen lots of it) shouldn't be classified. And the remainder needs better protection than it typically gets.

Re:Human element is the greatest danger (3, Insightful)

daveschroeder (516195) | more than 6 years ago | (#19648285)

Yes, there are a lot of ways to help prevent this.

But nothing stops someone from typing up an email that contains classified information and sending it from their unclass account, inadvertently or otherwise. It's not like they magically need to be on JWICS to send top secret information. That's why we segregate the networks, yes - to attempt to prevent this from a technical standpoint as much as possible.

Also, there are ways to migrate information between networks, and those can be abused or used inappropriately. There are a lot of ways this accident might occur, and it probably happens more than we'd like.

Re:Human element is the greatest danger (1)

norton_I (64015) | more than 6 years ago | (#19650261)

Well, it is certainly now relatively easy for LANL employees to communicate via the unclassified network. Lots of non-classified research there is done in collaboration with people at universities and other labs, and that requires communication.

There is a fairly good argument that that work should not be done at LANL, but as long as it is, they need relatively accessible public communication. Another consideration is that for some non-classified research, the govt. also wants the ability to classify parts of the work if they deem it necessary. Much easier if it is done in a secure national lab.

Re:Human element is the greatest danger (1)

El Torico (732160) | more than 6 years ago | (#19648237)

What happens instead is that the man is allowed to enter the United States with no further questions, and is at the border crossing for a total of less than two minutes. The agent later says he thought the warning was discretionary, that the man "seemed fine", and therefore let him proceed. Every part of the system worked: the CDC was able to properly place the man on appropriate watchlists, his passport was properly flagged upon entry, and relevant information was presented to the processing agent. Every part, that is, except the human part.

That raises an important question; was the "human part" (the Customs and Border Protection agent) fired for incompetence?

Re:Human element is the greatest danger (1)

Evil W1zard (832703) | more than 6 years ago | (#19648333)

One of the best first posts to an article ever. I 100% agree that this is really not all that interesting other than the media can sensationalize it because Los Alamos has been in the news previously... All it comes down to is an unclass laptop (and btw they will say that the laptop contained "sensitive" info in almost any case where a govt. system is stolen) and someone who typed up an email and didn't realize that something he typed was classified... Or it could have even been he marked the email as class by accident and it really wasn't (have seen those 'intercepted' before as well lol).

Now for the laptop issue I vote for disc encryption to stave off loss of sensitive data. For the email issue use a system that checks content and stops info from leaving the network fully if deemed sensitive (Fidelis demo'd a product for us that does content based checks of emails, docs, IMs and etc leaving the network and kills the connection as soon as it thinks something sensitive is being sent out and generates an alert to security... Now this is more a guard against the accidental sending and not necessarily against a malicious user who can uber encrypt something with ROT-13... but it's a decent solution that I would recommend to them as they are being slammed in the public right now...)
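The kind of outbound content check described in the comment above, as an added example (not part of the original thread, and not how the Fidelis product or any vendor's product works): a Python filter that blocks mail whose subject, body or text attachment carries a classification banner or portion mark. The marking patterns, addresses and sample messages are constructed assumptions; the samples also show the limits raised in this thread, since unmarked text typed from memory and ROT-13 text both pass.

```python
import codecs
import re
from dataclasses import dataclass, field
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed marking conventions for this example (not taken from the thread).
LEVEL = r"(?:TOP SECRET|SECRET|CONFIDENTIAL)"
# A banner is a line holding only a level, optionally with //CAVEATS.
BANNER = re.compile(rf"^[ \t]*{LEVEL}(?://[A-Z][A-Z ,/-]*)?[ \t]*$", re.MULTILINE)
# A portion mark opens a paragraph: (TS), (S) or (C). The lookahead skips
# copyright notices such as "(C) 2007 ...", a common false positive.
PORTION = re.compile(
    r"^[ \t]*\((?:TS|S|C)(?://[A-Z][A-Z ,/-]*)?\)[ \t]+(?!\d{4}\b|Copyright)\S",
    re.MULTILINE)
SUBJECT = re.compile(rf"^\W*{LEVEL}\b")


@dataclass
class Verdict:
    action: str                          # "block" or "allow"
    findings: list = field(default_factory=list)


def scan(raw: str) -> Verdict:
    """Inspect one raw RFC 5322 message the way a mail gateway would."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    if SUBJECT.search(str(msg.get("Subject", ""))):
        findings.append(("subject", "classification level in subject"))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                     # containers and binary parts
        where = part.get_filename() or "body"
        text = part.get_content()        # decoded str for text/* parts
        for m in BANNER.finditer(text):
            findings.append((where, "banner: " + m.group().strip()))
        for m in PORTION.finditer(text):
            findings.append((where, "portion mark: " + m.group().strip()[:-1].strip()))
    return Verdict("block" if findings else "allow", findings)


def build(subject, body, attachment=None):
    """Construct a sample message (addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "alice@lab.example"
    m["To"] = "bob@university.example"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, filename="notes.txt")
    return m.as_string()


MARKED = ("SECRET//NOFORN\n\n"
          "(S) Test series 4 results are in the attached notes.\n\n"
          "SECRET//NOFORN\n")

# Constructed samples: what the filter stops, and what it cannot see.
SAMPLES = {
    "marked_body": build("Series 4 results", MARKED),
    "marked_subject": build("SECRET: series 4", "Call me.\n"),
    "marked_attachment": build("notes", "See attached.\n",
                               attachment="CONFIDENTIAL\n(C) Draft schedule.\n"),
    # Same facts typed from memory, no markings: nothing to match on.
    "typed_from_memory": build(
        "Series 4 results",
        "Series 4 is done; the secret to the fix was the new bracket.\n"),
    # Any trivial transformation of the text hides the markings too.
    "rot13_body": build("Series 4 results", codecs.encode(MARKED, "rot13")),
    # Benign mail that looks similar and must not be blocked.
    "unclassified": build(
        "Paper draft",
        "(C) 2007 Example University\nUNCLASSIFIED\n(U) Abstract follows.\n"),
}


def run_samples():
    return {name: scan(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} {verdict.action:5} {verdict.findings}")
```

A check like this only sees markings, so it catches the mis-sent marked document and the mislabeled e-mail, not content whose sensitivity lives in the author's head.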

Re:Human element is the greatest danger (0)

Anonymous Coward | more than 6 years ago | (#19648825)

Secure Computing demoed their 'Ironmail' product at my office a while back, and it also does what you've mentioned.

interesting but a bit technically inaccurate... (1)

pointbeing (701902) | more than 6 years ago | (#19648955)

...In the email instance, anyone can at any time send classified information over an unclassified network. It is up to the user to not do this. Granted, there are various technical and other procedures that can help prevent this, but it can never be completely avoided. These incidents seem rather tame, but since Los Alamos is under the microscope, every such incident will be greatly scrutinized - and sometimes blown out of proportion.

It's not possible to inadvertently email classified information off the DoD classified network - the classified network isn't connected to the internet for this reason ;-)

The user would have had to have moved the data off the secure network to send it over the internet.

Re:interesting but a bit technically inaccurate... (1)

daveschroeder (516195) | more than 6 years ago | (#19649605)

It's not possible to inadvertently email classified information off the DoD classified network - the classified network isn't connected to the internet for this reason ;-)

The user would have had to have moved the data off the secure network to send it over the internet.


Or, you know, simply manually typed in information that was classified.

All classified information isn't in the form of preexisting documents that would be attachments. It's actually possible to discuss it verbally or via email, you know, and still have it be classified.

I'm aware of how the segregation of the networks works. But that's like saying it's "not possible" to discuss classified information on an insecure telephone or via insecure fax. Of course it is.

Re:interesting but a bit technically inaccurate... (1)

pointbeing (701902) | more than 6 years ago | (#19650073)

The operative word in my post was "inadvertently" and I'll maintain my position that it's not possible to inadvertently email something from the classified network to an unclassified one.

Yes, the data would have had to have been either transferred to the unclassified network or duplicated on it, but 'inadvertent' implies error when in reality the user would have had to bypass several safeguards to send a classified email on an unclassified network.

nah (1)

r00t (33219) | more than 6 years ago | (#19651345)

Somebody grabs the wrong keyboard, types their email, sends it... oops.

Somebody confuses the government's classified project code word with the company's unclassified project name... oops.

Re:Human element is the greatest danger (2, Insightful)

Vitriol+Angst (458300) | more than 6 years ago | (#19651339)

With Homeland Security putting up warning flags for hippy musicians and a million other people, I can understand someone ignoring a flag from the CDC.

Any human system works best with "targeted" warnings. Yet the HS system seems designed to scan everything. It's like finding a needle in a haystack by ordering more hay.

So the man with Tuberculosis got through, because a lot of people who shouldn't be on a watch list break the system. We probably have worse security response now than before 9/11. I certainly think the quality of suspects paraded into court right now has gone down.

Is the print now link best? (0, Offtopic)

LiquidCoooled (634315) | more than 6 years ago | (#19647909)

Viewing the page on firefox displays the printer dialog.
I gather this is a side effect of people's obsession with removing adverts.

I would rather find the link myself than have things popup and interfere with my surfing.

One mail? (2, Interesting)

suv4x4 (956391) | more than 6 years ago | (#19647923)

In one, an e-mail containing classified material was sent over the open Internet rather than through the secure defense network.

So he sent one mail and it was intercepted? Damn, this puts the "insecurity" of email communication in an entire new light.

Re:One mail? (1)

HalifaxRage (640242) | more than 6 years ago | (#19647971)

Of course, one could argue if secure/classified information should be sent over an inherently insecure network. Is this not why VPN was developed?

Re:One mail? (1)

daveschroeder (516195) | more than 6 years ago | (#19647995)

So he sent one mail and it was intercepted? Damn, this puts the "insecurity" of email communication in an entire new light.

No, there are probably plenty of other instances of classified information being sent over unclassified/insecure networks.

This is just one that was identified.

And what probably occurred is that the recipient realized what happened, and reported it.

(But, by your last statement, do you really think the national laboratories shouldn't try to prevent classified information from being sent over unclassified networks from official email accounts while at work, even if it meant some form of electronic monitoring? Not sure what you're getting at, there.)

Re:One mail? (1)

pallmall1 (882819) | more than 6 years ago | (#19648337)

And what probably occurred is that the recipient realized what happened, and reported it.
Or the recipient was expecting it and had been instructed to report it when received. How better to make the Iranians think it's genuine information regarding ancillary nuclear weapons components? The CIA slipped bugs to Soviets [msn.com] before, and there have been reports that the US and European countries have been doing the same kind of thing to Iran to slow their nuclear program.

Re:One mail? (1)

dour power (764750) | more than 6 years ago | (#19648133)

So he sent one mail and it was intercepted? Damn, this puts the "insecurity" of email communication in an entire new light.
There is no indication in TFA that the email was "intercepted" by anyone. The sender distributed an email containing classified info to multiple recipients over the public Internet and someone (probably one of the recipients) reported the violation. Of course, a copy of the message might very well be sitting on a non-gov't server somewhere. Maybe the sender actually encrypted the message, but I wouldn't bet on it.

An employee took his lab laptop on vacation (2, Funny)

niceone (992278) | more than 6 years ago | (#19647925)

It is a real incitement of the current system that this can still happen in this day and age. After all, Mission Impossible had the whole problem of off-site IT equipment solved decades ago with simple self-destruct technology.

Re:An employee took his lab laptop on vacation (1)

Timesprout (579035) | more than 6 years ago | (#19647977)

The same should apply to humans. If you are in possession of sensitive knowledge your head should explode if you are asked inappropriate questions by strangers, or at the very least nanobots in your skull should lobotomize you to the level of drooling idiot.

Re:An employee took his lab laptop on vacation (1)

clickety6 (141178) | more than 6 years ago | (#19647989)


yeah, but that was before modern miniaturization of devices.

It's alright for a large tape machine to slowly self destruct in a phone booth, but don't nobody want their Palm Pilot exploding just after putting in their pants' pocket!

Re:An employee took his lab laptop on vacation (1)

daveschroeder (516195) | more than 6 years ago | (#19648029)

A human, especially one with inside access, can always subvert most any security plan. [slashdot.org]

It's not really an indictment (which is what I think you meant to say) of anything. I'm not sure why this is modded up; there's no reason for a laptop that doesn't even have classified information to be set to self-destruct if its departure isn't approved, and unless every single email is manually checked, classified information will always be able to be sent over unclassified networks. In fact, someone with knowledge of classified information could go home, and send it from a Yahoo account. This instance just happened to be a legitimate accident. The only thing we can do is continue to constantly educate users, try to "make security easy", and have a real policy and real repercussions when security is violated.

Re:An employee took his lab laptop on vacation (1)

niceone (992278) | more than 6 years ago | (#19648105)

Heh, I'm not sure how it got modded interesting... it was a joke!

Re:An employee took his lab laptop on vacation (1)

GovCheese (1062648) | more than 6 years ago | (#19648561)

Since June of last year, it has been OMB (Office of Management and Budget) policy (OMB M-06-16) for all federal agencies to encrypt laptops if they carry sensitive data. Most federal agencies have extended the definition of sensitive data to any type of personal data. Smart federal agencies are simply requiring all/all mobile devices be fully encrypted. Department of Energy has smart people working for it, but smart guys often consider IT restrictions to be impediments to their work, which of course, is not smart at all.

Re:An employee took his lab laptop on vacation (2, Insightful)

suv4x4 (956391) | more than 6 years ago | (#19648121)

After all, Mission Impossible had the whole problem of off-site IT equipment solved decades ago with simple self-destruct technology.

Right. We should make the laptops constantly read some sort of signal that fades away out of the pentagon, for example.
If the signal fades away, the laptop explodes.

Now combine this with the recent news about NSA brownouts, and we're effectively decimating our military in a few minutes.
Or how about a laptop battery fire causing the explosive to go off.

Who would walk with a ticking bomb in his suitcase? Get real. This is not a movie where everything is scripted and accidents don't happen, just like that, for no reason at all (unless there's a very thick plot around the accident, and it involves aliens).

If I was given the task of making sure no one even brings his laptop out of the lab, I'd make sure of two things:

1) no regular laptop ever gets inside the lab (by making rules clear, and checking for devices on entry).

2) make the in-lab laptops and devices so ridiculously branded with military signs on their case, and use such ridiculous colors, that anyone would immediately spot such a device in the wild (and hence no one would dare to take it out). And of course checking for such marked devices on lab exit.

It's not a perfect solution, but a step in the right direction at least.

Sensitive nature (1, Interesting)

suv4x4 (956391) | more than 6 years ago | (#19647947)

The machine reportedly contained government documents of a sensitive nature.

I for one am sick of hearing about the military's sensitive nature. What was the document containing, poems about the war in Iraq or something?

We all know 90% of those documents have no reason to be hidden from anyone, except to hide the abuse and money laundering that's going on at furious speeds over there.

Re:Sensitive nature (0)

Anonymous Coward | more than 6 years ago | (#19647999)

We all know 90% of those documents have no reason to be hidden from anyone, except to hide the abuse and money laundering that's going on at furious speeds over there.

Get a grip on that tinfoil beanie. There's a lot that can be sensitive, from convoy paths, to convoy contents (which trucks are moving munitions vs which are moving lumber). Not to mention patrol paths, personal info, etc. Just because you don't care doesn't mean our enemies don't either. While the current administration may have created a policy of over-classifying everything, it does not follow that almost everything should be freely available.

Re:Sensitive nature (5, Insightful)

suv4x4 (956391) | more than 6 years ago | (#19648025)

Get a grip on that tinfoil beanie.

I'm not a fan of conspiracy theories, but if you honestly believe their strategy is competent and it's money wisely spent, then I better be a tinfoil beanie.

Just because you don't care doesn't mean our enemies don't either.

Don't forget: they're not "our enemies". They're just the US military/govt current targets.

Why on Earth would Iraq be your enemy as a US citizen? What did Iraqis do to you or your US buddies? The only thing happening in Iraq right now is a bunch of citizen wars, caused by the invasion by USA in there. Saddam is dead, there weren't WMD-s in there, and Iraq had no connection to the 9/11 attacks.

I don't like how short people's memory about those things is.

Re:Sensitive nature (1)

Broken scope (973885) | more than 6 years ago | (#19648071)

So does that mean we endanger our soldiers even more? His point was that there is stuff that is sensitive and that there are people who want to know this stuff. Some surprisingly mundane shit can go a long way when planning against an opponent.

Re:Sensitive nature (1)

Dancindan84 (1056246) | more than 6 years ago | (#19648601)

The only thing happening in Iraq right now is a bunch of citizen wars, caused by the invasion by USA in there.
Sorry, but fighting over there has been going on since long before the US was a country. I'm sure having foreign military in the area isn't making them lay down their weapons, but they'd be fighting regardless. Thinking it's caused by the US presence is vain at best.

Re:Sensitive nature (2, Insightful)

Hatta (162192) | more than 6 years ago | (#19651005)

Sorry, but Iraq was relatively stable with Saddam Hussein in power. Before the US invasion Sunnis and Shiites lived in the same neighborhoods with few problems. There had never been a suicide attack in Iraq before the US invasion.

The middle east is not one amorphous entity. Some parts of it, say Palestine, really do have a long tradition of violence. The Ba'athist government was a stable, secular dictatorship which did commit atrocities, but it was nothing like the full on neighbor vs neighbor civil war which the US instigated.

Re:Sensitive nature (1)

Ms.Otaku (1065768) | more than 6 years ago | (#19649817)

You're all paranoid. "Government documents of a sensitive nature" could just have easily been:
a) the guy's own non-classified research
b) His address book with the phone numbers of his Lab buddies
c) Something with his social security number on it

All those things qualify as a government document of a sensitive nature, plus they're a heck of a lot more likely than Iraqi convoy information.

Re:Sensitive nature (4, Interesting)

Vitriol+Angst (458300) | more than 6 years ago | (#19651245)

It turns out that a lot of the Security breaches at Los Alamos in the past were mistakes of the FBI. Due to a database reporting error, they "lost" documents that didn't exist, and still others were recovered inside the area.

So the "Los Alamos security breach" stories got big headlines and the "FBI screws up" got little headlines. Maybe there is a pattern there. As the newly privatized single-source nuclear weapons manufacturing company for the USA had a walk-out of 500 security guards over 36-hour work shifts and poor security protocols that didn't make headlines.

I think there is a dangerous move to privatize a lot of key military functions. And the FBI seems to bring up a lot of accusations before verifying the actual security risk.

Couple this with their seeming lack of interest in securing laptops and databases of American citizens. The rate is about a few million records a month. No biggie if some third party has your SSN right? The government can't have a Total Information Awareness database, but it appears that a private company can. Check out what John Poindexter (Iran/Contra felon) is still up to these days. Who knew he was such a great database expert?

Los Alamos is now privatized, and the good old "employee takes laptop with sensitive files and gets it stolen" oops is happening at rapid pace. Anyone want to bet whether THAT particular employee gets reprimanded? My bet they will get a promotion. As does everyone who seems to fail upwards in this current administration.
http://www.fas.org/blog/secrecy/2007/05/los_alamos_blocks_researcher_a_1.html [fas.org]

Stolen once, but how many more times? (0)

Anonymous Coward | more than 6 years ago | (#19648043)

So a laptop was stolen once. But there have likely been a whole lot more security breaches that no one (including execs) have heard of because the laptops weren't lost. The information has still been available to way too many individuals.

Little mention of countermeasures (2, Insightful)

Pointy_Hair (133077) | more than 6 years ago | (#19648167)

TFA mentions the missing laptop was equipped with an encryption card (highlighting the loss of the card versus noting its function). It doesn't mention whether the "sensitive" data on the device was protected with encryption. Likewise, there's no mention about the stray e-mail either. Someone who routinely works with classified data will usually be a routine user of encryption tools to protect communications.

Fact is that Los Alamos is a juicy media target and they will conveniently omit details like that to sell headlines.

Or the violators were pointy-haired managers that thought that high tech encryption stuff was only for the gearheads in the white coats.

Mod Parent Thoughtful (1)

mpapet (761907) | more than 6 years ago | (#19648921)

I'm more interested to know who's got it in for Los Alamos.

Of all the people employed by the government in this line of work, there's got to be many, many more cases just like this out there. How is it possible that this *one* government funded R&D facility has security problems that boil down to human error rather than process?

I have a feeling the others have the same issues, except this one is someone's punching bag. That someone is powerful enough to get the gears of government working against Los Alamos. Maybe there are too many Democrats in New Mexico?

Re:Little mention of countermeasures (1)

Ms.Otaku (1065768) | more than 6 years ago | (#19649917)

The laptop was not equipped with an encryption card. The poor guy's password-generator card for checking his work email was with the laptop and was also stolen. It's the same sort of card used by business everywhere, and is only export controlled because the US government has really really strange rules about encryption.
This is just another example of sensationalist news reporting by 'journalists' who can't be bothered to do research beyond a bit of googling!!

Work laptop & vacation (2, Insightful)

RedneckJack (934223) | more than 6 years ago | (#19648203)

Why would anyone in their right mind take their work laptop on vacation, especially overseas? Then again, this is America, a live to work society.

Even though I work in Corporate America, when I go on vacation, I want nothing to do with work during that time even though executive management gets upset that I don't want to be available for work related items such as calls in my absence.

I do take a laptop with me on vacation but it is for personal use such as personal e-mail, process digital pics, surf the web such as getting insight on a vacation spot.

Re:Work laptop & vacation (0)

Anonymous Coward | more than 6 years ago | (#19652275)

He took it on vacation probably because he wouldn't have the time to do a "vacation" without being able to do work as well.

The companies most people work for at these places have figured out how to hyper-maximize how much work they get out of a salaried employee, to the extent that they basically have to work during a lot of their "free" time in order to meet deadlines. They keep eliminating positions while upping the workload of who is left over, in order to save costs while maximizing profit. They know how to get employees to basically work literally all of their waking hours. This situation is going to get worse, and more things like this will happen and more accidents will occur due to employee fatigue.

Text of the email (3, Funny)

Timesprout (579035) | more than 6 years ago | (#19648211)

Hi Hon,

I'm going to be late home from the lab tonite so have dinner without me, we are just putting the finishing touches to the doomsday device so we can test it tomorrow.

Love you
xxxxxx

Something's still fishy here... (1)

pointbeing (701902) | more than 6 years ago | (#19648395)

After reading TFA I'm still a bit confused about how the email got off the SIPRNET (secure DoD network for classified material) and onto the NIPRNET (regular unclassified DoD network that is connected to the internet).

SIPRNET computers don't have internet access - or access to any other network. It appears to me someone would have to have taken the data out of the vault and composed it on an unclassified PC to send it anywhere off the secured network.

Re:Something's still fishy here... (0)

Anonymous Coward | more than 6 years ago | (#19648593)

Yes, it would have to be physically transferred from a classified system to unclassified. To make things more interesting, classified systems have floppy drive locks and most of the time have security tape over USB ports. There is a paperwork trail required to pull info off a classified system. In short, this was not "human error" or an accident. This was deliberate laziness.

 

Re:Something's still fishy here... (0)

Anonymous Coward | more than 6 years ago | (#19649627)

Former DoD lab engineer here...and I am as confused as you are. You really don't "accidentally" send something over the unclass net that you meant to send via SIPRnet, there's too many deliberate steps that need to be taken to do something like that. I wonder if what was meant was simply that material was sent over the unclass net that shouldn't have been; i.e SIPRnet should have been used.

Captcha is "sympathy", of which I have very little for the people who did this.

Re:Something's still fishy here... (1)

redtail (265571) | more than 6 years ago | (#19650453)

This should be mod'd up, it is the only post that gets close to the email issue. The fact that the email was sent over the internet is colossally beside the point. How did the information get onto a computer that has an internet connection? It suggests people are doing classified work on unclassified computers. Not a "mistake". Rather it is a deliberate choice.

Re:Something's still fishy here... (0)

Anonymous Coward | more than 6 years ago | (#19650695)

I was thinking about this as I read the article as well. The scenario that seems most logical to me is that the information in the e-mail was not a copy-paste or an attachment, but rather a new composition sprouting from the author's working knowledge of the field.

In other words, the medium used to transfer the knowledge from a secure system to an open system was likely a brain.

Re:Something's still fishy here... (0)

Anonymous Coward | more than 6 years ago | (#19651353)

The email thing happens occasionally at my office. Sometimes, there are certain numbers that are classified in a particular context, but the other information is not. For instance, someone who is working on new type of laser may be able to talk about the laser (the knowledge of the technology is unclassified), as long as they don't disclose certain properties of it (for instance, its specific power and waveband may be classified).

I frequently see situations where a particular classified value could be derived from 3 other values. Typically, only one or two of those three values will be classified. If you work a lot with those numbers, it can be easy to forget which one is which when you're emailing a coworker to clarify information.

Another example is resolution of data. In the past, I have seen that certain data is classified only if specified to a certain number of significant digits. Or, certain dates may be classified, but the month of the event is unclassified. Or specifying any more accurately than the Quarter may be classified. You can see how uncertainty of classifications can sneak into people's heads.

Re:Something's still fishy here... (1)

cow ninja (306125) | more than 6 years ago | (#19652065)

Looks like he sent an email and wrote "highly classified" on it. I don't think he transfered data from SIPR or NIPR.

A problem I had while working with SIPR was people would bring in unmarked thumb drives and use their unclass email to transfer the data. We just educated the users and this problem dissolved.

Re:Something's still fishy here... (1)

bellers (254327) | more than 6 years ago | (#19652329)

DoE doesn't use SIPR/NIPR. They've got their own deal, and their own clearance system.

They aren't DoD.

The user in question probably had both class. and unclass. systems sitting on his desk, and typed too much information from one screen into the other one.

It happens.

It's Also Worth Noting... (2, Interesting)

NeverVotedBush (1041088) | more than 6 years ago | (#19648461)

That quite a few senators and representatives, in this time of tighter money, see the Los Alamos budget as a juicy target. The more they can keep Los Alamos in the news and hold it up as "incompetent" to handle security, the better chance they have of yanking funding and redirecting it to whatever their pet projects are in their own states. Not that it matters what Los Alamos does to enhance the Nation's security - little things like the chem/bio sensors used at the Salt Lake City Olympics, inventing a lot of the new DNA techniques, work on alternative energy, fighting terror in many ways, and yes, even making sure that the USA has reliable nuclear weapons. Check their web page. They do a lot for the country.

But by yanking funding and threatening to "close the place down", those senators and representatives are risking a valuable National resource. It's their choice I suppose. But I don't think this continued beating down is very productive.

Los Alamos has name recognition. It makes great headlines every time anyone even takes a dump out there.

FFS (1)

Colin Smith (2679) | more than 6 years ago | (#19648493)

http://www.truecrypt.org/ [truecrypt.org]

People should be fired/prosecuted for negligence these days.

 

Their BOSS should be fired / jailed (0)

Anonymous Coward | more than 6 years ago | (#19649031)

In these such cases of negligence, where an employee "loses" custody of important data, then their boss should be the one who gets fired / prosecuted / jailed. Only then will the people who are in charge of running the show get truly serious about enforcing strict and proper measures regarding the security of sensitive data.

you call this security .. (1)

rs232 (849320) | more than 6 years ago | (#19648539)

"Each user will be assigned a login ID and password for the Windows NT [usmc.mil] system"

"The SIPRNET workstation may be used to download files from the SIPRNET. Anti-virus software has been installed and runs as a TSR program .. Any files downloaded to floppy or printed must be entered into the Automated Security Control Program (ASCP) by Document Control personnel"

Re:you call this security .. (1)

greyguppy (413383) | more than 6 years ago | (#19648747)

When I worked for the Inland Revenue (UK), we had vast numbers of NT4 machines, both server and workstation being rolled out to replace the UNIX servers and Win311 workstations.

Because of the size of the order, and importance for confidentiality, we received a "custom" version of NT. It had a different build number, a replacement GINA, and some other security features added in. If Microsoft are prepared to do that for the UK Tax man, I would have thought that the US Military would get full source code to audit, and then build themselves. Any bugs would probably be fixed even after NT4 support officially ends.

At the end of the day Microsoft is still a business like any other. So long as what you want is legal, there will be a price at which you can get it.

I'd also say the reason they haven't upgraded, is because the systems will be fully audited, and well maintained. Upgrading to 2k3 and Vista will just open up potential security holes left right and center.

Re:you call this security .. (1)

Sobrique (543255) | more than 6 years ago | (#19649669)

Remembering back to having to do Secure network accreditation (in the UK), there's actually a very short list of operating systems that have an EAL Evaluation Assurance Level [wikipedia.org] certification. Because it's a bitch to go through the OS exhaustively, and check things, and therefore expensive. A few years back, the choices we had were Solaris 2.6, and NT 4 SP 3 I think it was.

Nowhere near the most up to date at the time. (We were running Solaris 8 and 9 elsewhere on site, and NT had already been removed and being replaced with 2000). Now it seems, that Windows 2000, SP3 has been through the process, but that's with XP in the home, and Vista on the horizon.

Now, we _knew_ there was stuff that later patches had fixed, exploit/bug wise. However it was important to consider _proven_ EALs of software, before they could be used.

Now, sometimes it's actually more effective to assume a 0 EAL for the OS, and rely on other barriers to entry, to secure the information necessary. But with all such things, you need to think very hard in how you'll be constructing your network, based upon the sensitivity, impact and quantity of the protectively marked material you'll be handling.

Mostly though, you have to rely on user education and responsibility - very simply, it's extremely difficult to 'secure' a system to the point where data export is impossible. It's significantly easier to make it _nearly_ impossible to do accidentally.

High security, value, and risk though, mean a lot of precautions _have_ to be taken. There's all kinds of nasty things that happen to a person, who feels they 'know better'.

Crypto? (2, Interesting)

Lethyos (408045) | more than 6 years ago | (#19648693)

Is it a gross simplification to state that using encryption would have rendered both mistakes harmless?

Is it really so hard for IT departments to set up PGP or one of its clones? Same goes for disk encryption? I have argued with people up and down who claim this is too hard to deploy, but I say that something is better than nothing, even if it is nothing more than checking “encrypted folder” on your NT system.

These tools have gotten so easy to use these days and while I understand this is largely a social and policy problem, there is plenty of low-hanging fruit that can help mitigate the damage.

Re:Crypto? (1)

Chris Mattern (191822) | more than 6 years ago | (#19649911)

[blockquote]
Is it a gross simplification to state that using encryption would have rendered both mistakes harmless?
[/blockquote]

Nowhere in the story does it say the data on the laptop was *not* encrypted. In fact, the statement by one director that the user would've been granted permission to take the laptop to Ireland if he'd asked makes me believe it *was* encrypted.

Chris Mattern

27-18-28 (1)

hoto0301 (811128) | more than 6 years ago | (#19648909)

You'd think that Los Alamos would become a safer (pun intended) place for sensitive materials after Feynman left.

Puny humans... (-1, Redundant)

Wayne247 (183933) | more than 6 years ago | (#19649071)

Humans will always be a very big threat to any security system. It's hard enough keeping employees from installing BonziBuddy at work, what's to prevent them from inadvertently sending an email via the wrong network? Bringing a laptop on vacation was quite stupid, but the admins not ENCRYPTING the hard drives are just as dumb.

The hackers !!! (1)

DeadDarwin (1050498) | more than 6 years ago | (#19649177)

nerd looking guy: damn, I can't seem to break the security. stupid boss: you have 3 min. nerd: I need a pen to bite..thanks...awesome...***password accepted***. and the password is 'ithoughtiwasafuckingspy'

Laptops are not and will never be secure! (3, Insightful)

supersnail (106701) | more than 6 years ago | (#19649875)

It's an axiom in security that if someone has physical access to the hardware they can do what they like.

Given the ease of use and portability of a modern laptop you may as well just post a copy of the data to anyone who might be interested.

Stolen laptops are actually the lowest risk area, given that most laptop thieves are after the shiny hardware and it's so rare to come across data with any resale value that they probably don't even look. A far greater risk for a high security installation like Los Alamos is someone borrowing a laptop for long enough to install some worm/trojans/keylogging software which the dedicated scientist can then physically carry through all those firewalls back into the lab.

Any sane security professional would just plain ban them from a set up with the security requirements of Los Alamos.
The best solution would be to have all hardware in a locked server room and only access them via "dumb" terminal servers. Plus a private network with no physical connection to the outside world.

   

Dirty email is not as ludicrous as it sounds (1, Redundant)

mathimus1863 (1120437) | more than 6 years ago | (#19651681)

The email thing happens occasionally at my office. Sometimes, there are certain numbers that are classified in a particular context, but the other information is not. For instance, someone who is working on a new type of laser may be able to talk about the laser (the knowledge of the technology is unclassified), as long as they don't disclose certain properties of it (for instance, its specific power and waveband may be classified).

I frequently see situations where a particular classified value could be derived from 3 other values. Typically, only one or two of those three values will be classified. If you work a lot with those numbers, it can be easy to forget which one is the classified value and drop it in an email to a coworker to clarify information. That would be a security violation.

Another example is resolution of data. In the past, I have seen that certain data is classified only if specified to a certain number of significant digits (usually >1). Or, certain dates may be classified, but the month of the event is unclassified. Or specifying any more accurately than the Quarter may be classified.

Not to mention you can be told a classified number and the person forgets to tell you it's classified. This happened recently. The guy who heard it dropped the number in an email and got a security violation. You can see how uncertainty of classifications can sneak into people's heads.

Humans are the problem... (1)

jhRisk (1055806) | more than 6 years ago | (#19651993)

... but it's not just the end user. In my role I look at my IT team just as much as the end user as they're just as human. There's nothing more hilarious to me than "secure" DoD operations with dual workstations (for confidential vs. connected to the public Internet and therefore general use) that are all locked down but then don't prevent something as silly as unplugging a USB printer to then use a thumb drive. There's always technology or room for innovation to prevent such human errors via checks & balances systems. In this case, how did that file make it onto an unsecured network since it's so easy to prevent through file-tagging technologies and a number of other almost foolproof methods? Even if not "classified" and only deemed "sensitive" why the hell was it on a laptop period? Simple, if it's sensitive and we don't want just anyone seeing it then don't let some idiot take it on a laptop to another country while he's there for pleasure.

Do your due diligence and lock down environments to appropriate security levels. Put in processes that may decrease productivity but maintain these levels. Grow yourself a backbone and fight the political bullshit that seeks to subvert security. If you're faced with a solution that has security issues recommend changes that correct them even if it requires more resources or makes it more cumbersome for the end user. If you're fired for standing your ground and refusing to relax security to inappropriate levels then that same asshole would likely fire you for the first security incident created as a result of it. Hence you're better off somewhere else...

PS That asshole that wants his way regardless of security is the other weak link

Biometrics needed. (1)

jshriverWVU (810740) | more than 6 years ago | (#19652309)

We really need to mandate that any computer used with sensitive material, laptop on the road or desktop at the office, has an encrypted hard drive and a biometric reader with BIOS level support so you can't even boot the thing w/o reading your fingerprint/eyes/etc.

As for the email, I'm surprised they even have an open link to the internet on a machine with sensitive information.
