[HN Gopher] US military investigating leak of emails from Pentag...
___________________________________________________________________
US military investigating leak of emails from Pentagon server
Author : rntn
Score : 57 points
Date : 2023-02-21 19:43 UTC (3 hours ago)
(HTM) web link (www.cnn.com)
(TXT) w3m dump (www.cnn.com)
| 29athrowaway wrote:
| They should be using Enigmail or something.
| pphysch wrote:
| > The leaked Department of Defense email data spanned three
| terabytes (the equivalent of dozens of standard smartphones'
| storage)
|
| ...or millions of emails.
|
| One example (from TechCrunch):
|
| > One of the exposed files included a completed SF-86
| questionnaire, which are filled out by federal employees seeking
| a security clearance and contain highly sensitive personal and
| health information for vetting individuals before they are
| cleared to handle classified information. These personnel
| questionnaires contain a significant amount of background
| information on security clearance holders valuable to foreign
| adversaries.
|
| Yikes.
| morelinks wrote:
| I don't work in tech so forgive the ignorance. How is the
| communication at the DoD (especially the SF-86) not encrypted
| and why is it sitting on an email server?
| thejteam wrote:
| The actual SF-86 is filled out online. If it is on an email
| server then it probably means the person generated the PDF
| copy from the site for their records and emailed it to
| themselves.
| Someone1234 wrote:
| It is encrypted, at rest. If this was taken from an active
| mail server, the mail server's software needs access to the
| unencrypted data to work, therefore that is moot.
|
| As to why mail servers hold email? That's how they, namely
| IMAP or EAS, work. If the mail server didn't have the mail,
| and the authorized user wanted the mail, where is it meant to
| come from?
|
| The more pertinent question is: Why was a DoD mail server
| connected to the public internet? The DoD have their own
| network.
| MichaelZuo wrote:
| Isn't there encrypted email?
| Jtsummers wrote:
| There is, and for a DoD employee to not have sent a
| document like an SF-86 encrypted indicates a failure to
| follow basic procedures. Every DoD employee (military and
| civilian) has an encryption key they can use, and is
| required to use, for things like PII and many others
| (which an SF-86 would definitely contain).
| GauntletWizard wrote:
| Efforts to end-to-end encrypt e-mail have been
| disastrous, coming down to a combination of human factors
| and difficulty of coordination - but mostly, people want
| to be able to read their mail. Sometimes they want to
| read it from public terminals. Sometimes they lose their
| phone and still need it to be accessible. Often, e-mails
| are required to be unencrypted by the mail server for
| compliance purposes - Nearly all financial data has to be
| archived, and that's often the crown jewels you're trying
| to encrypt, anyway.
|
| I don't know of a good oral history of PGP, but I suspect
| if you find one, it'll have the answers that you're
| looking for.
| Jtsummers wrote:
| US DoD has CAC - Common Access Card (commonly called a
| "CAC Card", but that's as silly as a "PIN Number"). CACs
| have encryption keys and are used for signing and
| encrypting email. The data should have been transmitted
| and stored encrypted for something like an SF-86.
| booboofixer wrote:
| Or they have just finished setting up an effective honeypot and
| would like all adversaries to try again.
| markdown wrote:
| Try again? They don't need nudging to try again.
|
| This isn't something they ever stop trying.
| booboofixer wrote:
| Citation needed
| 0xDEF wrote:
| Usually there is very little harm from these types of leaks. The
| actual harm will come from all the political fake news that will
| take advantage of it.
|
| For example, Hillary Clinton's leaked emails turned into
| 1980s-style hysteria about "pizza-eating gay satanic pedophiles"
| running DC.
| albatross13 wrote:
| Yeah I'm sure the Special Access Programs on there were not
| harmful at all.
|
| https://www.politico.com/story/2016/01/hillary-clinton-email...
| YeahNO wrote:
| You're right, probably not harmful at all:
|
| "The official, who spoke on condition of anonymity, said some
| or all of the emails deemed to implicate "special access
| programs" related to U.S. drone strikes. Those who sent the
| emails were not involved in directing or approving the
| strikes, but responded to the fallout from them, the official
| said.
|
| The information in the emails "was not obtained through a
| classified product, but is considered 'per se' classified"
| because it pertains to drones, the official added. The U.S.
| treats drone operations conducted by the CIA as classified,
| even though in a 2012 internet chat President Barack Obama
| acknowledged U.S.-directed drone strikes in Pakistan."
___________________________________________________________________
(page generated 2023-02-21 23:02 UTC)