Military Docs Found Unprotected Online
shemp
11th July 2007, 10:53 PM
Dozens Of Sensitive Documents That May Compromise Troop Security Found Available To Public (http://www.cbsnews.com/stories/2007/07/11/terror/main3047825.shtml)
(AP) Detailed schematics of a military detainee holding facility in southern Iraq. Geographical surveys and aerial photographs of two military airfields outside Baghdad. Plans for a new fuel farm at Bagram Air Base in Afghanistan.
The military calls it “need-to-know” information that would pose a direct threat to U.S. troops if it fell into the hands of terrorists. It's material so sensitive that officials refused to release the documents when asked.
But it's already out there, posted carelessly to file servers by government agencies and contractors, accessible to anyone with an Internet connection.
In one case, the Army Corps of Engineers asked the AP to promptly dispose of several documents found on a contractor's server that detailed a project to expand the fuel infrastructure at Bagram — including a map of the entry point to be used by fuel trucks and the location of pump houses and fuel tanks. The Corps of Engineers then changed its policies for storing material online following the AP's inquiry.
But a week later, the AP downloaded a new document directly from the agency's own server. The 61 pages of photos, graphics and charts map out the security features at Tallil Air Base, a compound outside of Nasiriyah in southeastern Iraq, and depict proposed upgrades to the facility's perimeter fencing.
“That security fence guards our lives,” said Lisa Coghlan, a spokeswoman for the Corps of Engineers in Iraq, who is based at Tallil. “Those drawings should not have been released. I hope to God this is the last document that will be released from us.”
WTF??? Idiots leave classified documents open to anyone, without even a password to protect them! I have three important questions:
1. What kind of government gives F*****G RETARDS access to classified information and lets them post it?
2. Why can't the government require these same F*****G RETARDS to show some minimum standard of computer skills and, if necessary, get the training needed to know how to protect these documents?
3. And the most important question of all:
WHY DO THE U.S. GOVERNMENT AND ITS CONTRACTORS HATE AMERICA AND ITS TROOPS???
gumboot
11th July 2007, 10:56 PM
That's quite shocking. I hope someone is charged.
-Gumboot
shemp
11th July 2007, 10:58 PM
If any of this material causes any of our people to die, someone should be shot.
gumboot
11th July 2007, 11:03 PM
To any US law experts, if it were proved that enemy forces had gained access to this data via the websites, could this constitute treason?
-Gumboot
fishbob
12th July 2007, 12:23 AM
Shemp:
This is the US Army Corps of Engineers you are talking about. Or as they like to refer to themselves these days - The Corps of Contractors. The people who could do anything retired a long time ago. Mostly what remains are box-checkers and bureaucrats.
Privatization by moronization.
shemp
12th July 2007, 10:45 AM
Looks like the day (EDT) posters don't give a rat's azz about this.
shemp
12th July 2007, 10:53 AM
Shemp:
This is the US Army Corps of Engineers you are talking about. Or as they like to refer to themselves these days - The Corps of Contractors. The people who could do anything retired a long time ago. Mostly what remains are box-checkers and bureaucrats.
Privatization by moronization.
It isn't just the Army Corps of Engineers:
Among the documents the AP found were aerial photographs and detailed schematics of Camp Bucca, a U.S.-run facility for detainees in Iraq. One of the documents was password-protected, but the password was printed in an unsecure document stored on the same server. They showed where U.S. forces keep prisoners and fuel tanks, as well as the locations of security fences, guard towers and other security measures.
...
The information about Camp Bucca and Bagram Air Base was found on the FTP server of CH2M Hill Companies Ltd., an engineering, consulting and construction company based in Englewood, Colo.
Christopher Freeman believes he may have witnessed someone hunting for secrets on FTP servers. Freeman describes himself as “just a slightly above-average computer user,” not a programmer or a hacker.
While working on an internal security review at his job with the city of Greensboro, N.C., he watched as a computer with an electronic address from Tehran, Iran, accessed the city's server and downloaded a file that contained design drawings for the area's water infrastructure.
While there's no way to know if there was malicious intent behind the download, Freeman said, “when you think of Iran, you think of all the bad stuff first.”
...
“This is a treasure trove for terrorists,” Freeman said. “They can just waltz in and browse.”
What this is really about is there are a lot of people out there posting sensitive information accessible via the internet who aren't even smart enough to take the minimum precaution of protecting it with a password. It isn't about training, procedures and protocols; it's about not having a GODDAMN F*****G BIT OF COMMON SENSE!
geni
12th July 2007, 11:01 AM
What this is really about is there are a lot of people out there posting sensitive information accessible via the internet who aren't even smart enough to take the minimum precaution of protecting it with a password.
On a large scale, password protection is largely meaningless. People will either use weak passwords or write the darn things down.
shemp
12th July 2007, 11:07 AM
On a large scale, password protection is largely meaningless. People will either use weak passwords or write the darn things down.
I know that, but they could at least TRY. These people don't even do that much. And why the hell do these documents need to be available via internet anyway?
Darth Rotor
12th July 2007, 11:18 AM
Dozens Of Sensitive Documents That May Compromise Troop Security Found Available To Public (http://www.cbsnews.com/stories/2007/07/11/terror/main3047825.shtml)
WTF??? Idiots leave classified documents open to anyone, without even a password to protect them! I have three important questions:
1. What kind of government gives F*****G RETARDS access to classified information and lets them post it?
2. Why can't the government require these same F*****G RETARDS to show some minimum standard of computer skills and, if necessary, get the training needed to know how to protect these documents?
3. And the most important question of all:
WHY DO THE U.S. GOVERNMENT AND ITS CONTRACTORS HATE AMERICA AND ITS TROOPS???
Info security in the computer age is, quite frankly, hampered by the tension between policy, intention, and the need to spread information to get a job done. Tied to that is a dream of going paperless. The training and policies you mention are embodied in the myriad of regulations covering handling classified material, particularly on networks, but the variation of computer literacy is immense. So too is the level of "clue" that training tries to address.
As to some contractors, if it profit, none dare call it treason. :p
That said, people who fail to identify EEFI and thus properly mark documents, and electronic media, are indeed breaking the security rules at the foundational level. Handling classified info is bloody inconvenient. People who put FOUO on unclass servers are, IMO, idiots. People who fail to properly classify stuff are bigger idiots.
The kicker is the whole access problem, and the immense slowdown in vetting and awarding appropriate clearances to personnel who need them for certain tasks, a problem that was immensely hurt by the policy change and lack of resources assigned in the wake of 9-11. I won't go into my rant on how my clearance was buggered for months, not worth the effort.
The amount of info routinely leaked to the press, day in and day out about operations, means, and methods from government sources still amazes me. The continuing news coverage that details how, for example, local Iraqis help the Coalition (only to turn up dead a few weeks later, though the news fails to report it) I assess that the OPSEC effort in the WoT has been broken roughly since it began.
And yes, Shemp, it's getting people killed: Americans, and people who are helping them. It only takes one careless person to make a significant breach, one USB device lost, one guy sending a video from a mission to a friend to post on the web . . .
DR
Charlie Monoxide
12th July 2007, 11:37 AM
It must be the smoke in the air with all the fires around here in Reno, but dang, I have to agree with DR. I've worked IT for over 25 years and the first task I usually have to perform on new contracts is to implement standards (including security). People still put their password(s) on a Post-it note and put it on their monitors.
The sheer size and complexity of the military is also a big issue.
Charlie (hire me, I'll fix it) Monoxide
BPSCG
12th July 2007, 11:56 AM
From my agency's website (lightly edited):
IG audit: employees continue to share password info
The IG recently completed a review to evaluate the susceptibility of agency employees to "social engineering" attempts. Social engineering is the term for the ploy that potential computer hackers use to get you to reveal personal system information such as your password or user name. Sixty percent of the 102 employees contacted during the review "changed their password to one provided" by IG auditors posing as agency computer support staff. If these attempts had been real acts of social engineering, agency systems and data could have been jeopardized.
Keep in mind, every single employee is required to take annual IT security training and certify that he has taken it and understands it.
:hb:
I really don't think this is at all far-fetched (http://www.dilbert.com/comics/dilbert/archive/dilbert-20070614.html):
http://www.dilbert.com/comics/dilbert/archive/images/dilbert2007305500614.gif
geni
12th July 2007, 01:12 PM
Any IT security person who is really serious about security (i.e., they really want to keep things secure rather than merely appearing to do their job) should not be implementing a system based on passwords.
Passwords are not secure and as more people use them they become less so.