[HN Gopher] US Soldiers Expose Nuclear Weapons Secrets via Flash...
___________________________________________________________________
US Soldiers Expose Nuclear Weapons Secrets via Flashcard Apps
Author : cyberlurker
Score : 192 points
Date : 2021-05-28 17:09 UTC (5 hours ago)
(HTM) web link (www.bellingcat.com)
(TXT) w3m dump (www.bellingcat.com)
| supernova87a wrote:
| "Your rockstar name is your bunker entry codeword +
| authentication key + base commander's name, send to all your
| friends!"
| tiagod wrote:
| This is crazy. How are intelligence agencies, with the amount of
| money and free reign they have, not monitoring the whole Internet
| for this kind of stuff?
| tablespoon wrote:
| > This is crazy. How are intelligence agencies, with the amount
| of money and free reign they have, not monitoring the whole
| Internet for this kind of stuff?
|
| How do you know they aren't? They're probably focused on
| adversary nations, though.
| savoytruffle wrote:
| Isn't free rein for a horse, not a king?
| salawat wrote:
| Because even within intelligence agencies, knowledge is
| strictly controlled.
|
| To monitor actively, you have to ask for related content.
| Asking about related content in a context where you have
| something to keep secret is an implicit acknowledgement there
| is something there.
|
| It's a trick I've seen used in intelligence gathering contexts
| quite often. You get close to a researcher and technical expert
| on classified matters, then ask questions and gauge responses.
|
| Sometimes you don't need an answer, you just need to know
| you're asking the right questions.
|
| Knowledge of this practice and regular experience doing it will
| not make you many friends in either the intel or counter-intel
| dept.
|
| t. Apparently a professional insider threat given all the DoD
| documentation that describes how I fix places by actually
| communicating with people and ensuring effective information
| dissemination through an organization.
|
| Makes interviews awkward. All the periodicals in the waiting
| room basically explain what I do better than I can.
| asdff wrote:
| It would be easy to crawl for this stuff imo. The technical
| language used for this stuff is finite and limited. Just grep
| the internet for phrases from their training materials, and I
| bet you can catch all of this.
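A defender-side sketch of the crawl asdff describes (added here as an illustration, not code from the thread or from Bellingcat): an organisation fingerprints its own training material as word n-grams and scores scraped public text by how much of that material it contains, so paraphrased or reformatted flashcards still surface. All phrases and deck contents below are constructed placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed stand-ins for distinctive wording from internal training material.
KNOWN_MATERIAL: Dict[str, str] = {
    "bunker-entry-sop": "Upon arrival at the vault door the sentry announces the "
                        "duress word before the entry controller releases the lock",
    "readiness-checklist": "Shelter readiness is reported in three states green "
                           "amber red and the duty officer confirms each state hourly",
}

# Constructed public text, e.g. the contents of scraped flashcard decks.
PUBLIC_DECKS: Dict[str, str] = {
    "deck-1": "Q: What does the sentry do at the vault door? A: Announces the duress "
              "word before the entry controller releases the lock.",
    "deck-2": "Q: Capital of France? A: Paris. Q: Largest ocean? A: Pacific.",
    "deck-3": "Shelter readiness reported in 3 states: green, amber, red. Duty "
              "officer confirms each state hourly.",
}


def shingles(text: str, n: int = 3) -> Set[str]:
    """Lower-case, drop punctuation and return the set of word n-grams."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def containment(source: Set[str], public: Set[str]) -> float:
    """Fraction of the source's shingles that appear in the public text.
    Containment rather than Jaccard, so a long deck quoting a short SOP still scores."""
    return len(source & public) / len(source) if source else 0.0


def scan(known: Dict[str, str], decks: Dict[str, str],
         threshold: float = 0.3) -> List[dict]:
    """Score every (deck, source) pair; return hits above threshold, best first."""
    fingerprints = {name: shingles(text) for name, text in known.items()}
    hits = []
    for deck_id, deck_text in decks.items():
        deck_shingles = shingles(deck_text)
        for name, fp in fingerprints.items():
            score = containment(fp, deck_shingles)
            if score >= threshold:
                hits.append({"deck": deck_id, "source": name, "score": score})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in scan(KNOWN_MATERIAL, PUBLIC_DECKS):
        print(f"{hit['deck']} matches {hit['source']} ({hit['score']:.0%} of source)")
```

Deck-3 is only a loose paraphrase of its source (numerals, punctuation and dropped words) yet still scores well above the threshold, while the unrelated deck-2 scores zero against both fingerprints.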
| 1MachineElf wrote:
| Many family members have been pressuring me to steer my
| IT/InfoSec career towards obtaining a security clearance
| because it is a big salary and job security booster. While I
| know many US Gov employees have these and do not have to work
| day-to-day in/on controlled security stuff, they must have
| had to do it for one point during their career, and I fear
| that I could not last through such an ordeal. The concept of
| not being able to collaborate with coworkers due to arbitrary
| security rules sounds like a disaster.
| leephillips wrote:
| If you are already a civil servant without a clearance,
| getting a clearance decreases job security. It effectively
| nullifies your civil service protections, and allows you to
| be fired at will on a security pretext, with absolutely
| zero recourse. I worked at a navy lab for 21 years and saw
| this happen to colleagues who displeased their bosses.
| adolph wrote:
| _[Dr Jeffrey Lewis] added that "secrecy about US nuclear weapons
| deployments in Europe does not exist to protect the weapons from
| terrorists, but only to protect politicians and military leaders
| from having to answer tough questions about whether NATO's
| nuclear-sharing arrangements still make sense today. This is yet
| one more warning that these weapons are not secure."_
|
| _[Hans Kristensen, director of the Nuclear Information Project
| at the Federation of American Scientists] added: "There are so
| many fingerprints that give away where the nuclear weapons are
| that it serves no military or safety purpose to try to keep it
| secret. Safety is accomplished by effective security, not
| secrecy. Granted, there may be specific operational and security
| details that need to be kept secret, but the presence of nuclear
| weapons does not. The real purpose of secrecy is to avoid a
| contentious public debate in countries where nuclear weapons are
| not popular."_
| SkyMarshal wrote:
| _> Safety is accomplished by effective security, not secrecy._
|
| This seems to depend on your threat model. Two threat models
| were explicitly mentioned here - terrorists, and contentious
| public debate.
|
| But it seems a third threat model, and the most important one
| given that nukes are anti-nation-state weapons, is to prevent
| nation state adversaries from knowing with certainty the
| location of those nukes. In which case, secrecy is still a
| necessary component of nuclear safety, or more specifically,
| deterrent effectiveness.
| kevin_thibedeau wrote:
| FAS has a biased agenda. I wouldn't weigh their opinion very
| heavily. Poorly kept secrets are a problem but not when they
| are well guarded.
| goalieca wrote:
| The current location of nuclear armed submarines seems to be
| one of those secretive cases.
| pests wrote:
| But they already know, per the quote above.
|
| >"There are so many fingerprints that give away where the
| nuclear weapons are that it serves no military or safety
| purpose to try to keep it secret."
| pseudo0 wrote:
| I'd imagine it's more of a defense in depth approach. Why
| do your adversary's work for them? Unsophisticated
| adversaries (i.e. random anti-nuclear agitators) might be
| dissuaded entirely due to the lack of information, and even
| sophisticated adversaries would have to take time and
| effort to verify those fingerprints and make sure they have
| the right spot. Unless there's a compelling reason to make
| the information public, I don't see why they would.
| SkyMarshal wrote:
| _> I'd imagine it's more of a defense in depth approach._
|
| Yes exactly. One necessary, but not sufficient, layer of
| a multi-layer defense-in-depth security strategy.
| lowbloodsugar wrote:
| Once had a conversation with a soldier who handled IT on base. He
| told me that officers could and did demand that he bypass
| security, VPNs, etc and install software of their choice to use
| it on their computers. They outrank him, and "that's against
| policy" was not an argument. This was maybe ten years ago. Sounds
| like things have only got worse.
| morpheuskafka wrote:
| I have long noticed that Quizlet is a repository for a lot of
| information that shouldn't be online... from test answers to
| proprietary line-of-business stuff (ex. retail training
| materials) to security related stuff (security trainings,
| emergency response codes). But I would have thought the military
| would be smart enough not to use it (at all--private or public,
| it is not in any way designed to handle classified or FOUO data).
|
| For example, this one appears to list a number of installations
| that hold various critical networking infrastructure as well as
| the names of various admins. https://quizlet.com/414907821/eiws-
| study-guide-here-it-is-bo...
| tablespoon wrote:
| I doubt these were official DoD flashcard decks. They were
| probably created individually by different soldiers/airmen to
| help them study for some test they had to take.
| morpheuskafka wrote:
| Yeah, I understand that. But I mean as members of the
| military who are trained and indoctrinated into OPSEC and
| information handling practices, I would expect them to have
| made a better decision.
| jrockway wrote:
| Hey, at least we didn't find the flashcards for their OPSEC
| test!
| david_allison wrote:
| What makes this more egregious is that the Air Force seems to
| have internal educational apps which can handle sensitive
| information:
| https://www.reddit.com/r/AirForce/comments/nmyu7n/us_soldier...
| angry_octet wrote:
| Systems like AKO (Army Knowledge Online) are notoriously
| terrible.
|
| US compliance systems often favour rote learning over
| knowledge, hence memorising vast numbers of irrelevant details
| as a false proxy for competency.
| dmd wrote:
| But they're probably terrible. Kind of like how at many places
| they'll tell you "don't use 1password, use cyberark" - leaving
| out the fact that what takes 0.25 seconds to do in 1password
| takes over a minute in cyberark.
| Someone1234 wrote:
| Your link says that the AF does _not_ have an app for this but
| _could_ because they have a similar one for "aircrew MQF
| study."
|
| Sounds like a post promoting the idea of having a more general
| purpose but secure app using the stuff they already built
| within the AF, rather than saying it is already widely
| available.
| atatatat wrote:
| They seem to know that.
|
| I didn't, though. Thanks!
| cyberlurker wrote:
| The flash cards are much worse, but it reminds me of the Strava
| data leak from military staff:
| https://www.bbc.com/news/technology-42853072
| joelrunyon wrote:
| Fun story - this data leak actually launched me into the middle
| of a reddit Antarctica conspiracy theory -
| https://impossiblehq.com/the-antarctica-conspiracy-theory/
|
| Unfortunately, it was just a really long run :)
| atatatat wrote:
| Where'd you give up//feel disproven?
| re wrote:
| Joel "started"/was part of the conspiracy theory by running
| a marathon in Antarctica; he wasn't a conspiracy theorist
| himself.
| atatatat wrote:
| Ah, got it. That's actually hilarious.
|
| Joel, btw, dead/typo'd link top of this list:
| https://joelrunyon.com/impossible/
|
| Have a good day, everyone!
| ilugaslifk wrote:
| > Joel run yon
|
| Nominative determinism
| wearywanderer wrote:
| I wonder if schools still teach kids that they can make
| flashcards with a marker and some cardstock, without using any
| software at all. Or have schools all gone 'paperless' with ipads
| and chromebooks?
| Mediterraneo10 wrote:
| The reason people like flashcard apps is not simply because
| they don't want to write with pen and paper, it is 1) they like
| spaced-repetition algorithms and 2) if you have a set
| consisting of many hundreds of cards (common in language
| learning) it is much more convenient to carry one phone around
| than that pocket-bursting stack of cardstock.
| wearywanderer wrote:
| The act of writing the cards is part of the learning process.
| Every time I make a stack, I end up knowing half of it before
| I even start 'using' it. With software cards, this doesn't
| work so well. And you can always put the stack into your
| purse or backpack if your pockets are small. I'm sure
| soldiers have somewhere they can put a stack of cards.
| sigstoat wrote:
| i use electronic SRS flashcard stuff, and i hand write the
| material onto scrap paper when i first encounter it. i
| don't have to worry about keeping it neat/legible, i still
| get the physical connection, and it doesn't take up any
| space after i've written it.
| arbitrage wrote:
| > Some flashcards uncovered during the course of this
| investigation had been publicly visible online as far back as
| 2013. Other sets detailed processes that were being learned by
| users until at least April 2021. It is not known whether secret
| phrases, protocols or other security practices have been altered
| since then.
|
| Just gobsmacked by this, honestly.
| baybal2 wrote:
| A piece of data more interesting than anything in the article are
| service numbers of soldiers there.
|
| USSR spooks have for decades been deducing troop numbers and
| rotation schedules on NATO bases based on patterns in service
| numbers.
|
| Not much has changed since, it seems.
|
| Though, same was done for Russian troops in Crimea.
| seanieb wrote:
| Still a lot of these in Google cache... Passwords etc. can be
| changed, but the protocols and the information about readiness..
| oh boy... absolutely classified. Somewhere in Europe there's a
| number of junior officers having a very bad day.
| tyho wrote:
| It took me less than 5m to un-redact the information in this
| post. I found much more than this post details. Wild.
| titzer wrote:
| > It is not entirely clear why or how this information became
| publicly searchable. Quizlet's website states that all flashcards
| are set to public visibility by default -- users can then change
| privacy if they choose.
|
| Just a sign of how deeply flawed the base of our thinking about
| information is these days. Everything is public by default, in
| part because the warped Google/Facebook worldview has been
| drilled into us by the likes of Schmidt and Zuckerberg.
| yread wrote:
| It would still be a massive breach of protocols to upload it to
| a limited visibility public website
| alksjdalkj wrote:
| Shouldn't we just assume that anything we upload to the cloud
| could be made public? Either through a hack, an employee, a
| misconfiguration, etc. If something is sensitive enough that
| you don't want it public it probably shouldn't be in the cloud,
| period. Regardless of what the default visibility is.
|
| e: On second thought there probably are exceptions - I'm not
| worried that something backed up to Backblaze will be leaked,
| for example. But a random flash card app? I'd assume that info
| is public. Maybe I'm just paranoid.
| svachalek wrote:
| Venmo is still the worst example of this I've seen. Putting
| every financial transaction you make out into a newsfeed, by
| default.
| idanman wrote:
| It doesn't seem to be the default anymore on iPhone. Mine was
| set to private and doesn't show on the feed. I got Venmo
| about a year ago.
| the_local_host wrote:
| Holy shit. I've never used Venmo, but thanks for the warning.
| moftz wrote:
| In your first transaction, you just set it to private so
| only you and the recipient (and Venmo and whatever gov't
| agency) can see the memo line. The amount is always
| private. The setting sticks after that so you don't ever
| need to change it again.
| asquabventured wrote:
| Which is why I always make a junk message of the payment
| description. "artisanal rat sausage", "home run Derby entry
| fee", "sausage gravy slurpee", etc.
___________________________________________________________________
(page generated 2021-05-28 23:01 UTC)