• ray10k (unregistered)

    Reminds me a little of the Furby scare a few decades (or so) ago, when some 3-letter-agency added Furby's to the list of forbidden items at their buildings due to them being advertised as "learning." Turns out the toys just had a pre-defined list of words they could use, but hey. Better safe than sorry.

  • LCrawford (unregistered)

    Wait, they weren't allowed to use a computer with a spreadsheet?

    Bill's unexpected response would have been "Sonny, I checked one of your floppy disks and found that it wasn't encrypted using Bitlocker"

    (Anachronism warning).

  • bvs23bkv33 (unregistered)

    Schboing, Schnorthrop, Schgrumman, Schairbus and Schtupolev

  • kurkosdr (unregistered)

    I wouldn't be surprised if the computers had access to BBS and email. I believe the Calculator Inspection Officer knew the absurdity of this policy, but he had to play through anyway.

  • (nodebb)

    Once I worked for a research institute and we had a multiple day meeting with and in military company. Very strict security. We have to hand out our mobiles. In the meeting room, I saw everybody playing with there smartphone. So, I ask somebody about this security guideline. The answer was: You have really handed over your mobile?!? Just don't show them..

    Addendum 2019-02-28 07:20: Edit: Guess, what I did the next days..

  • (nodebb)

    This is the thing people fail to realize. If your job depends on there being a problem, you'll make damn sure everybody thinks the problem is real. You'll say things like, 97% of calculator inspectors agree that calculators are very dangerous.

  • Another Lurker (unregistered) in reply to LCrawford

    The small company I work for was recently purchased by a much larger Corporation. I now must take an annual online lesson (with quiz) on Information Systems Security, which informs me that (mind, I have to badge into my office area) I must never leave my laptop unsecured by a cable lock, and my hard disk must be encrypted.

    This might be a good idea if I had confidential client, PII or financial information on my laptop, but there's none of that, perhaps a couple of drafts of boring engineering analyses. And I can't wait to learn whether they are going to let me continue to have local administrator access to install my own utilities, etc, which I do once or twice a month when I have to access some new gadget or tool.

    I know, better safe than sorry, and you can't really argue with their points, but for the past 15 years, we have managed without incident, to survive without Bitlocker and cable locks, so one does wonder how significant the risk is. Our laptops do, by the way, have tracking software and remote wipe capability, something I can't argue with.

  • Another Lurker (unregistered) in reply to LCrawford

    The small company I work for was recently purchased by a much larger Corporation. I now must take an annual online lesson (with quiz) on Information Systems Security, which informs me that (mind, I have to badge into my office area and my laptop only leaves the building when I work at home, which is rare) I must never leave my laptop unsecured by a cable lock, and my hard disk must be encrypted.

    This might be a good idea if I had confidential client, PII or financial information on my laptop, but there's none of that, perhaps a couple of drafts of boring engineering analyses. And I can't wait to learn whether they are going to let me continue to have local administrator access to install my own utilities, etc, which I do once or twice a month when I have to access some new gadget or tool.

    I know, better safe than sorry, and you can't really argue with their points, but for the past 15 years, we have managed without incident, to survive without Bitlocker and cable locks, so one does wonder how significant the risk is. Our laptops do, by the way, have tracking software and remote wipe capability, something I can't argue with.

  • Wizard (unregistered)

    I guess alot of people haven't worked in the security sector etc and are simply namby-pamby website scripts. This no surprise at all to anyone with any security experience. I've been in tenders processes where you provide a demo and effectively write off all the equipment for the tender as you have to present a working system in a secure facility and the equipment goes in and doesn't leave. I worked on a system that included IP attached CCTV cameras and the same with them - in they go but they don't leave as they have memory.

    On phones? Get used to having a basic phone for those site visits.

  • Scruffybeard (unregistered)

    You say "era of Sneakernet-type transfers" as if that was something happening way back in the past. I can assure you, this is still very much a practice done today.

  • Brian (unregistered)

    I used to work for a military contractor, and I can definitely vouch for some of the apparently mindless adherence to protocol. After all, it's much easier to just follow a script than to actually think for yourself...

    My favorite was about 10 years or so ago when wikis were still a new thing, and some of my coworkers wanted to set one up for our department to help with, among other things, our severe lack of documentation. The response they got back from the IT team was that it was, quote, "too collaborative". Because of course we can't have engineers collaborating with each other, that would be a travesty!

    (Granted, we did have a team of foreign developers onsite whose access to various things, including the majority of the building, was heavily restricted. But I still think it was mostly a case of IT hiding behind some made-up rules because they didn't want to actually manage the thing.)

  • Tom (unregistered)

    This is pretty much how the TSA was formed. Scare up the top brass and suddenly it rains jobs for everyone and contracting companies make several millions.

  • Angela Anuszewski (google)

    Yep. The modern version of this is no Fitbits (because they have Bluetooth and all Bluetooth is banned.) There's also ongoing dispute regarding car keys and keyless entry fobs...

  • Calli Arcale (unregistered) in reply to Brian

    That's hilariously unsurprising, IT getting upset about wikis. :-P

    That said, I can definitely understand why they were paranoid about the foreign devs. Most military contractors at some point handle ITAR-restricted data, and the company can get in big trouble for violating ITAR. Letting a foreign dev even see a screen with ITAR-restricted data on it technically constitutes an export, and therefore a violation.

    A lot of it does get to be sort of security theater, though. Not in the sense that it's just play acting, but in the sense that there is a definite audience that they want to see it. Security policies aren't just chosen based on what it the most effective but also based on what is the easiest to demonstrate, during an audit, will successfully secure whatever it is they're contractually obligated to secure. A lot of companies will sacrifice significant amounts of productivity in order to reduce the risk of maybe losing the ability to compete for certain contracts. I've got one project that is running its entire lab and development environment as if the data was all classified Secret. It isn't classified, but using the same procedures means it's easy to show the customer it's good enough for what they want. It's certainly a pain, sometimes, but I can see why they decided to do it. I guess you could call this "designing for auditability".

  • Calli Arcale (unregistered)

    Oh, also:

    Shlockdeed! SCHLOCKDEED!

    I love it. ;-)

  • (nodebb) in reply to Mr. TA

    In the Netherlands, commercials for Toilet Duck a long time ago featured the slogan, “We at Toilet Duck recommend Toilet Duck”. I’ve never been able to work out if they meant it as a joke or not, but it’s become a saying in general speech.

  • Jim (unregistered) in reply to Angela Anuszewski

    Actually fitbits have been used to track military deployments. Many soldiers and marines are physical fitness fanatics and the love to use items like fitbits to track their daily regime. The sudden appearance of daily uploads of data from remote sites like the middle of nowhere in Africa led to information about the deployment of troops there on a clandestine mission.

  • Mickey Murine (unregistered) in reply to Calli Arcale

    In my time in the military half of the Military-Industrial Complex, I mostly worked with McDonald Duckless. I appreciated the relative lack of annoying anatines.

  • snoofle (unregistered)

    Ironically, after 40 years in the military and financial side of things, the only breaches that I've ever seen have been either in web-facing scripts, or couriers mishandling tapes.

    Honestly, even if you were starting your own competing company and you had the need and means, would you even want the code written by your coworkers?

  • (nodebb)

    In documentaries of the building/design of the SR71 plane, it was mentioned that having it "secure" would DOUBLE the amount of time required to complete the task. Nice to know where our tax $$$ are being spent (SIGH).

  • WTFGuy (unregistered)

    The challenge with a wiki is the whole "need to know" paradigm.

    First Q of course is "Can you configure your wiki software with appropriate access groups so only people on the correct ring of project X can see the parts of project X they're allowed to see, with no leakage to lower rings of X or to anyone at all in project Y?"

    The next Q "Has the wiki software security setup has been audited & certified to DOD/NSA/TLA/XYZ standard whatever-it-is-this-week?"

    The last Q is "Can you be sure nobody is able to post info they may know but which isn't in fact meant for the audience they're cleared to post to? "

    There are always micro-leaks where individual facts cross boundaries they shouldn't. That's not good, but it's pretty inherent in heavily compartmented programs. Usually neither the sender nor recipient realize they crossed a security line, and certainly didn't do it deliberately. But once such a fact then gets posted to even a properly secured internal wiki, that's a whole new order of magnitude of inappropriate disclosure.

    If every time you thought to post a fact you also had to consider "Is this worth losing my job over?", not too many folks will post very much. Which kinda defeats the point of the wiki in the first place.

  • xtal256 (unregistered) in reply to Angela Anuszewski

    You haven't seen this - https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases ?

  • I dunno LOL ¯\(°_o)/¯ (unregistered)

    The canonical anonymized defense contractor name should be "Luckup", from the movie Deal of the Century.

  • Angela Anuszewski (google) in reply to xtal256

    Yes, I have seen it. 1. There's nothing secret about this facility existing. You can see it from the highway and it has a big old sign and 2. Yes, I've seen it, but all access to The Guardian has been blocked from work since 2013 due to Snowden. (I mean, it's been almost six years, that seems a bit extreme.)

  • (nodebb) in reply to Brian

    "After all, it's much easier to just follow a script than to actually think for yourself..." That's why the scripts are created in the first place.

  • (nodebb) in reply to snoofle

    So you're saying the security measures in place for the most part worked?

  • (nodebb)

    There's a restaurant/bar on the top of the tallest tower in the area here. Until recently you had to pass through security to enter, which was really a metal detector and wave through: they didn't even open my bag even though it had water bottles and my son's insulin (he has type 1 diabetes) complete with a syringe for emergency glucagon. Though it was unexpected enough I even forgot to remove my phone, keys and wallet from my pockets.

    The last time we went the entire security was gone. We asked and they said they got in trouble for refusing entry to someone with a life saving device. Interesting way to handle the situation.

  • WTFGuy (unregistered) in reply to Zemm

    Zemm: Of course there's a huge difference between security procedures mandated by law/regulation (however dumb or smart the details may be) and security procedures mandated by some now long-gone manager in the name of some vague notion of reducing liability for vague unspecified risks.

    Once reality pointed out that the legal / reputational liability for mistreating a customer was many orders of magnitude more likely than the liability for a terrorist/nutbag attack suddenly common sense had its day in the sunshine.

  • Programmer Robot 10C-32 (unregistered)

    I thought for sure this would end with him having to put his disks through an x-ray machine or metal detector.

    Why didn't he just requisition the same calculator from his employer so that it would never have to go through security?

  • (nodebb)

    I wonder if this was so much about storing data, or more about being able to run programs on a non-audited device.

  • James (unregistered) in reply to SchattenGeist

    There was a high level security meeting at the NYC U.N. building. People deposited their BlackBerry's in a box before entering the room. Apparently, no one was guarding the box or it was briefly left unattended. A Mexican consulate worker with diplomatic immunity stole about 10 BlackBerry's and was eventually apprehended.

  • Terion (unregistered) in reply to Mr. TA

    I do disagree with that sentiment in relation to this specific case. If your job is to prevent a problem, you should make damn sure you prevent the problem, not create a strawman and beat that up instead. There is a very real information leak here, but the security is complaining about the (what was it at that time, 512B) internal memory of a calculator whereas MiBs of data can be carried off without them batting an eye.

  • siciac (unregistered) in reply to Another Lurker

    I know, better safe than sorry, and you can't really argue with their points

    That encapsulates the result of the security people pushing a set of policies with little explanation beyond "you'd better toe the line or get fired." This is the characteristic aquiescent attitude people have, rather than genuine buy in.

  • NATO (unregistered)

    It gets more interesting when you are a security contractor business winning a contract from NATO , and the F.D. is from a company outside of the NATO and so isn't allowed into the development office. Neither is the cleaner who is from the same country and married to the CEO - who also has to knock on the dev door before being allowed in so screens and paper work can be hidden from him...

  • NATO (unregistered)

    Of course the F.D. is the legal counsel and has to review the contracts which they aren't allowed to read because they are from outside the NATO agreement

  • (nodebb) in reply to Gurth

    “We at Toilet Duck recommend Toilet Duck”

    That is inspired!

  • medievalist (unregistered)

    I worked at a subcontractor to Schlockdeed!

    The Schlockdeed rep insisted that before we tested anything that was going to be used in his company's weapons systems, we had to run a "checksum of the system disk" (sic) and that he would then compare said checksum to a known verified checksum from a card in his wallet. This would prove there were no filthy Russkis hiding in the drop ceiling and secretly changing the code after hours or something. I AM NOT KIDDING ABOUT THIS.

    I explained that I could not do a "checksum of the system disk" as it had volatile areas controlled by the operating system that changed constantly, but that I could do a checksum of the non-volatile areas. He became extremely upset and reported me to my boss and the plant manager, saying "the Navy does it, you have to do it too! I want the entire disk checksummed before every test!" STILL NOT KIDDING.

    My boss said "just give the man what he wants" and I said "well I can write a program that will always output the same number and he'll be happy, but that would be dishonest and I won't do it" and he buried his head in his hands and mumbled curses.

    Then they hired a new programmer and that new programmer was always on duty when the Schlockdeed tests were run and somehow there was always something else they needed me to check on elsewhere at the start of each Schlockdeed test run.

    I wish I was making all this up, but I'm not.

  • Craig (unregistered)

    Reminds me of the time I was working on a theatre command and control system in the mid-1980s, integrating a lot of classified communications protocols. The facility was so secure that we drove through a gated drive and parked inside the facility.

    With the political situation as it was at the time, several of us were laid off due to project cut-backs. No big deal - because of the push for systems upgrades at the time, all of us had job offers before our two weeks were even up. So we were uncharacteristically non-chalant about our final days there. But we still had to close out our desks, which meant returning a file cabinet worth of classified documents back to security. How did they want us to return them? just get a hand-truck and wheel them across the parking lot to the security office. yes, right by where my car was parked. with it's big, roomy trunk that never got inspected when I left the facility every day.

    I mentioned this to the head of security - just in case someone was laid off, who wasn't as thrilled about leaving as I was....

  • nasch (unregistered)

    In case anyone else was wondering like I was... assuming any of the background information is accurate, that project would have been the YF-22, which later became the F-22 Raptor.

  • Bond (unregistered)

    My work with a telecom company (early 2000s) had us connecting to servers via SSH from our desktop. However, the IT head, apparently got a tool from the HQ - which when run on the network spit out some errors, warnings etc about the network setup.

    One of which was on the lines of - "Some of systems are using a SSH version which may be using a less secure cipher" or so. So he went ahead and disabled SSH on all the systems. So how do we connect to them from our desks? Simple use the program which had no warnings at all from the tool - Good ol Telnet!!! (Mind you all of us had to "su" as root once logged into the servers) He kind of half-understood my plight, but said the HQ wanted no messages from the tool, and damn it they were going to get it.

    I wouldn't have given two hoots about their concept of security, but we frequently needed to send files, and it ended up forced to use fricking command line FTP instead of SCP with private key infra I setup. Sigh!

Leave a comment on “Calculated Security”

Log In or post as a guest

Replying to comment #503727:

« Return to Article