back to article Raytheon techie who took home radar secrets gets 18 months in the clink in surprise time fraud probe twist

A now-former Raytheon systems engineer will spend the next year and a half behind bars for taking home classified US government blueprints and paperwork, against security procedures, all because he seemingly liked taking Fridays off. Ahmedelhadi Yassin Serageldin, 67, was sentenced [PDF] in a Massachusetts federal district …

  1. JulieM Silver badge

    Nope

    This stuff should not even be secret in the first place. Let would-be adversaries see exactly what weapons they might be facing!

    1. Robin Bradshaw

      Re: Nope

      would-be adversaries should have to buy the weapons systems to find out what they might be facing, just like everybody else, won't somebody think of the shareholders.

      1. Peter2 Silver badge

        Re: Nope

        would-be adversaries should have to buy the weapons systems to find out what they might be facing

        Um, yes.

        During the Falklands war, the Argentenians were pretty convinced that they knew the performance of the newish Sea Dart missile, which was at the time advertised as having something like a 40,000 foot ceiling on hitting things. They thought this was right given that they had two ships fitted with this missile system, and had test fired it.

        Somebody cruising along comfortably above this range was then somewhat put out to discover the hard way that they were in fact within very lethally effective range.

        TLDR? Every country in the world tends to deliberately sell less capable versions of their hardware to foreign customers then their home forces are equipped with, if they admit it or not.

        1. Anonymous Coward
          Anonymous Coward

          Re: Nope

          Happens in every good company.

          Specs say must be able to do X, make sure it can do 1.5X (adjust within reason), just in case.

          Makes for a good safety margin.

          Also reminds me of the Japanese automaker gentleman's agreement. "It's only rated 276HP, but if you wedge some lead on the pedal it pumps past 300."

        2. The Oncoming Scorn Silver badge
          Black Helicopters

          Re: Nope

          That reminds me of an episode of Airwolfs (Darker) first season & a arms dealer.

          Hawke: I've got an idea he deserves a medal for ingenuity. If they didn't buy from Kruger, they'd have to buy from the Russians. And Russian missiles would be a whole lot harder to defend against.

          Sarah: I don't understand. There is no defense against a Thor system.

          Dominic: There is, if you know its operating frequencies.

          Archangel: Thor operates on randomly selected, constantly changing frequencies. There's no way on earth to jam them.

          Hawke: So, you built in a seIf-destruct system.

          Archangel: Since you've figured it out, there's no loss in telling. It's an integral part of the guidance system. All an American or Israeli plane has to do is punch a button on a little black box.

          Dominic: (laughs) You put the hottest missile system in the world into the hands of people who can't use them.

          Archangel: They won't know that until it's too late.

          Dominic: Ah, I've gotta hand it to you, Mike. Now that's brilliant.

          Archangel: Thank you.

          Icon: The Lady.

        3. gerdesj Silver badge

          Re: Nope

          It is also quite surprising what can also happen "off plan". Our destroyers at the time had quite a lot of magnesium (so I was told by someone who probably knows) in their superstructure (nice and light).

          This happened: https://en.wikipedia.org/wiki/HMS_Sheffield_(D80)

          One of the Exocets (https://en.wikipedia.org/wiki/Exocet) deployed by a Super Etendard hit, went in through the side but failed to detonate. Instead, the heat of its still burning rocket set the ship on fire.

          Extinguishing a fire involving metals like Mg is quite tricky on land, let alone at sea. The damn stuff tends to carry on burning regardless of what you throw at it. On a ship it's much worse because the whole point of a ship is that ideally the water stays on the outside.

          There were several other compromise design decisions. For example, whilst chatting back to base in the UK via satellite, quite a lot of radar had to be switched off to avoid interference. That means that you don't even know that a pair, flight or even a sodding wing of Super Etendards are heading in your direction, equipped with missiles that are deployed BVR. They siddle up to you after a refreshing stroll around the wave crests and a couple of tube rolls and then punching a hole in you and burn you to the waterline or explode and make a real mess of you.

          The explanation given in WP is probably better than mine but then I knew someone who was there. Who knows? I note some discussion on the talk page about Al but I distinctly remember Mg being mentioned by my source. I may be wrong about that - it was a long time ago.

          1. MarkSitkowski

            Re: Nope

            It was both Al and Mg. The principal components of thermite.

            1. Intractable Potsherd Silver badge

              Re: Nope

              I thought thermite is Al and Mg are both fuel in the thermite reaction - you need an oxidiser such as Fe for the reaction to happen. https://en.m.wikipedia.org/wiki/Thermite, or many other sources.

          2. BigBear

            Re: Magnesium

            I know nothing of the incident about which you wrote. However, magnesium salts and magnesium alloys do not behave as does pure metallic magnesium, and are almost as light. It would be truly foolish for the US Navy to build any parts of a ship out of pure, or nearly-pure, metallic magnesium — a material that can ignite and be extremely difficult to extinguish.

            1. mistersaxon

              Re: Magnesium

              British Navy. But I don't think they build ships out of thermite, no matter how light it is. Mind you I didn't think they clad blocks of flats in burnable cladding either and look how that turned out.

  2. Headley_Grange Silver badge

    Secure Bag

    "...would take home work on various US government projects in items as secure as a plastic bag."

    Ages ago, if you wanted to carry classified stuff around it had to be put in a special black leather briefcase secured by a big brass lock, all witnessed by the site security officer. The briefcases were standard throughout the industry, so if you saw someone on a train with one it was almost certain that there were classified docs in it. A Tesco's plastic bag would have been a lot less conspicuous.

    The practice died out sometime in the 90s and my company tried to sell off its stock of the bags to employees. In the end they couldn't give them away partly because of how nickable they were but mainly because you really needed a bowler hat to complete the look.

    1. GlenP Silver badge

      Re: Secure Bag

      Way back in the early part of my career I was a Civil Servant for a while. As the IRA were active at the time they'd removed all the identifying logos of the vehicles but hadn't thought to issue standard tax discs instead of the "Government Vehicle" ones so they weren't exactly difficult to spot.

      I was never important enough to have any classified documents* so the brief case issue didn't arise!

      *I did have access to some sensitive information but I can't tell you about that...

      1. MrNigel

        Re: Secure Bag

        Reminds of back in the day when the IRA were bombing mainland UK. I worked in telephone exchanges and one day we noticed that the PO had removed the raised lettering on the side of the building clearly leaving an outline of un-faded brick and paint that somehow emphasised the words TELEPHONE EXCHANGE. Besides you could just look in the ground floor windows and see those racks of Strowger clicking away. The exchange in question was Leeds Westgate on Rutland Street just off Burley St, next door to the Highland Pub where we ran some 2-wire to extend the "Bat Phone" to the taproom..... #GoodOldDays

    2. Anonymous Coward
      Anonymous Coward

      Re: Secure Bag

      Couldn't you have kept the big black leather suitcases, but carried them around in a Tesco's plastic bag?

    3. bombastic bob Silver badge
      Big Brother

      Re: Secure Bag

      the general practice with classified material is that it doesn't leave the location where it's stored. That was how it was back in the 80's, and I doubt it has changed. If you must transport it, you're supposed to do so in an approved manner. Although at times this may have been bent/gray, it was still "the rule".

      In any case, working from home with a government contract, where security is concerned, is generally NOT allowed, EVAR. "Lose your security clearance" is just the tip of the iceberg.

      1. BigBear

        Re: What is Raytheon's problem?

        Absolutely correct! Taking classified material off-site is generally illegal, unless you are individually authorized to do so, sign the particular documents out, have a secure container in which to transport them that is locked to your body, and have a certified secure facility to which to bring them and store them in an approved safe that is secured to something considered immovable. Barring that, you'd need to be accompanied by armed guards.

        The fact that Raytheon allowed any external storage device to function on any PC with access to classified material is a huge breach of national security. Raytheon should be fined $ billions for this.

        The fact that their servers logged accesses to classified document is a minimum requirement. The fact that there were no alarms when a single user downloaded many thousands of documents is unacceptable. The fact that Raytheon allowed employees or contractors to leave the premises with any type of external storage device — given that external storage devices actually function on their PCs — is outrageous.

        One additional reason why the guy may have gotten such a light sentence is Raytheon's complicity — they made it so easy and their policies and procedures were so lax.

        I’m not a lawyer, but there's a principle of causation in law that asks a question or makes a statement that starts with "But for...". Here, it could be, "But for Raytheon's violations of standard DoD security regulations, this document removal could never have happened." That doesn’t change the guy's guilt, but it makes Raytheon guilty as well.

        1. Anonymous Coward
          Anonymous Coward

          Re: What is Raytheon's problem?

          > Taking classified material off-site is generally illegal, unless you are individually authorized to do so, sign the particular documents out, have a secure container in which to transport them that is locked to your body, and have a certified secure facility to which to bring them and store them in an approved safe that is secured to something considered immovable. Barring that, you'd need to be accompanied by armed guards.

          I realise the story pertains to a US contractor based in the US, but as this is a UK web site, I should point out this is not the case in the UK.

          As long as you hold the appropriate clearance for the material you're transporting and are accompanied by 1x other person with the same clearances as you, there is no problem. "At rest" (ie hotels / overnight) becomes a bit more of a problem, but it's all case-by-case.

          You can transport by yourself as well in some (explicitly laid out) circumstances.

    4. 2+2=5 Silver badge

      Re: Secure Bag

      > In the end they couldn't give them away partly because of how nickable they were but mainly because you really needed a bowler hat to complete the look.

      The ones I saw came with a wrist strap so you couldn't forget it on the train. The downside was that if some scrote tried to nick it you'd be dragged along behind them or have your arm ripped off!

    5. Vometia Munro

      Re: Secure Bag

      I suspect a similar premise is why many years ago I found myself being used as a courier for tapes of sensitive, er, "things". I couldn't understand why they wanted to waste money on some programmer who hated driving to ferry this stuff around instead of a professional courier but I guess as I was somehow classed as trustworthy, some halfwit with a hangover in her "this really needs a wash" low-end company car was less conspicuous or something. It probably was indeed in a Tesco bag, which I managed to not lose, much to my surprise. Yay.

  3. Neil Barnes Silver badge
    Headmaster

    Approximately ten

    What? 9.6? 10.1? Has someone forgotten how to count?

    1. Doctor Syntax Silver badge

      Re: Approximately ten

      And having documents on his person. Tattoos?

      1. bombastic bob Silver badge
        Coat

        Re: Approximately ten

        maybe the same way that prisoners hide things...

        1. sev.monster
          Childcatcher

          Re: Approximately ten

          I'd hate to see what the back of your coat is covered in.

    2. Jon 37

      Re: Approximately ten

      If the prosecution said 12, his defence team could argue about the classification status of one of the documents, so claim there were only 11. "About 10" avoids that distraction.

  4. wolfetone

    He'd have got less for being a cop and killing an unarmed person.

    1. Jon 37

      Isn't the US penalty for that a full disability pension? (Due to the PTSD caused by committing murder and getting away with it).

      1. Robert Carnegie Silver badge

        Not always.

        They have a powerful trade union though. Getting compensation for an accident at work that WAS your fault.

  5. Pascal Monett Silver badge
    Facepalm

    "he had downloaded documents to an external drive against company policy"

    Well there's your problem : he had the possibility to connect an external drive. Add to that the fact that he probably had access to a lot more documents than he should have (c'mon, you know it has to be true), and it's blindingly obvious that he could export the data.

    He's obviously guilty of having done that, but if he could not connect an external drive to his computer in the first place, then that would have been a serious barrier to overcome.

    I find it interesting that they had logs of his activity, but no alerts on the logs. They had to go digging to find that out. Why wasn't there an alert when something classified is loaded onto an external drive ?

    I have worked for banks and insurance companies that have more effective lock-downs than these clowns.

    1. Anonymous Coward
      Anonymous Coward

      Re: "he had downloaded documents to an external drive against company policy"

      In the interests of security a company I worked for removed hard drives and USB access from everyone except a select few. Given the sort of work that some people did, this was a very good idea . The select few were all very senior managers and they soon got fed up of engineers wandering into their offices with floppies/USB sticks and 25 pages of requisite authorizations. Solution? They 'delegated' the authority to their secretaries. All the secs' machines got their hard drives and USB access back and the engineers just dumped the paperwork in the tray and got on with uploading/downloading.

      1. ridley

        Re: "he had downloaded documents to an external drive against company policy"

        At a school I worked in the kids had full access to USB drives, teachers read only.

        Go figure.

        1. JulieM Silver badge

          Re: "he had downloaded documents to an external drive against company policy"

          I guess that might be about protecting kids against anything being written to their removable drives by a teacher?

    2. Hans Neeson-Bumpsadese Silver badge

      Re: "he had downloaded documents to an external drive against company policy"

      I thought it was odd that they only found out about the external hard drive when they did some investigation. If that sort of access is being logged, then I would expect it to be fed into some sort of monitoring system so that infractions can be detected and acted on as they happen, rather than only finding out when doing some retrospective investigation

      1. doublelayer Silver badge

        Re: "he had downloaded documents to an external drive against company policy"

        You are very right to think that. It is critical that audits be done about copying data to external media if employees are meant not to do so. This company is very fortunate that all this guy wanted to do was take work home without permission. Had he taken a copy and showed up at a prearranged consulate, he could be happily living in another country with the data handed over before the company even knew there was a problem.

    3. knarf

      Re: "he had downloaded documents to an external drive against company policy"

      Like to see how their ISO27001 networks controls and mobile audit coped with that

    4. YetAnotherJoeBlow
      FAIL

      Re: "he had downloaded documents to an external drive against company policy"

      "Add to that the fact that he probably had access to a lot more documents than he should have (c'mon, you know it has to be true), and it's blindingly obvious that he could export the data."

      "I find it interesting that they had logs of his activity, but no alerts on the logs. They had to go digging to find that out. Why wasn't there an alert when something classified is loaded onto an external drive"

      That is why he got a VERY light sentence. Both sides agreed he needed to be punished so he got what he did. Defense told the prosecutor discovery will be a bitch and do you really want world+dog to know how bad both the gov. and Raytheon no more no less are at security - and of course exactly how much this all cost? Oh by the way Raytheon, GAO is on the line for you. I'll bet he had some very bad things on that drive.

      Every job I ever worked as a gov. sub, security was tight, very tight. I never saw Laurel & Hardy once. Had he not cheated payroll and not lied, this probably would have been treated a lot different.

  6. Doctor Syntax Silver badge

    Nowadays it's called working from home. If he wasn't going to work on it and he wasn't selling it on (which seems to have been accepted) then time fraud seems a bit dubious. In fact he might have got more work done than if he'd been in the office.

    1. Claptrap314 Silver badge
      Boffin

      He was unauthorized WFH. That looks like time fraud. The fact that he was working on classified material *might* have something to do with why WFH was not authorized...

      1. Doctor Syntax Silver badge

        Not only did he take what he wasn't authorised to,he was extremely careless, not to asy inept in handling them. And yet time fraud was the only offence he was convicted of.

  7. spacecadet66

    I believe you'll find he lives in Sharon, Massachusetts. Not Sharon, Maryland. The postal abbreviation for Massachusetts is MA so this is a common mistake.

    1. Anonymous Coward
      Anonymous Coward

      I believe you'll find he lives in Sharon, Massachusetts

      Not for the next 18 months he doesn't...

    2. Hubert Cumberdale

      And there's me thinking...

      ...that Massachusetts were things you might find in your hanky.

      1. Anonymous Coward
        Anonymous Coward

        Re: And there's me thinking...

        No,no - think Bee Gees ! ( courtesy Kenny Everett )

    3. diodesign (Written by Reg staff) Silver badge

      Massachusetts

      It's fixed. The writer put "Sharon, MA" in the article copy, and during the edit, it was mistakenly expanded to Sharon, Maryland, not Massachusetts.

      Don't forget to email corrections@theregister.com if you spot anything wrong.

      C.

      1. rcxb Silver badge

        Re: Massachusetts

        Don't forget to email corrections@theregister.com if you spot anything wrong.

        I would, but I don't need a second, full-time job... Would be easier to make a list of the El Reg article that DON'T have any errors.

        In this article alone:

        "Some of even ended"

        1. diodesign (Written by Reg staff) Silver badge

          Editing

          A lot of us are really burnt-out this month. And I can honestly say quite a few of the typos were mine while working late into the evening.

          "Some of even ended"

          That's fixed.

          BTW I'm not asking you to work full-time for us. I'm asking for an email, please, if possible. Think of it as a pull request. Maybe we can make it easier to report errors, in article or via a form.

          "Would be easier to make a list of the El Reg article that DON'T have any errors"

          Software has bugs, articles have typos. We're not perfect and we're quite a small team, relatively speaking. We're trying our best.

          C.

          1. doublelayer Silver badge

            Re: Editing

            I really don't mind the typos. It happens to all of us. My suggestion would be to turn the tips and corrections feature into a form rather than an email--sometimes I'm on a machine without email configured or with accounts I don't want to use, so I try to remember to send a message later and likely fail. I'm guessing it was done this way to deal with spam, but you already have our logins so you can associate reports with those for blocking purposes.

            1. Robert Carnegie Silver badge

              Re: Editing

              Maybe make any forum post with the word "correction" be not published and sent only to Regquarters?

              I would do that.

              1. Chris 239

                Re: Editing

                But then you would not get credit (or abuse!) from your fellow commentards or the pleasure of publicly shaming the almighty vultures.

                I think this and ease of commenting is why people put corrections in the comments.

              2. Craig 2

                Re: Editing

                Tickbox in the comment entry area for "This is a correction"

                Still published as a comment (For the glory)

                Icon fixed to pendant (For the lulz)

                Staff get a feed of all correction posts.

                Separate metric for "You have made x corrections" as long as a staff member upvotes it.

          2. TechHeadToo

            Re: Editing

            My memory (the organic one) stretches away back in the fourth dimension.

            When email was new...

            It was often the case that 'important' emails were being keyed in so quickly that an occasional error was proof of its urgency....

            No time to spare to correct it before sending.

            Now we have automated spell checkers that can put in the mistukes for us.

          3. Lindsay T

            Re: Editing

            Having been educated in an era when grammatical errors were swiftly followed by physical pain, I like to think I don't do typos. However, my confidence in that regard is usually shattered about 5 microseconds after I hit the send button. You are forgiven Mr. Editor.

  8. Hubert Cumberdale

    Did he not

    already know how to securely wipe things from his computer(s)? I would've thought that was part of his training. (Also, could he not just figure out something like "cp /dev/null /dev/hda" after booting from a live CD? A bit obvious to anyone who looks at the disk afterwards, perhaps, but it would've been a start. He can't've been a bright spark.)

    1. Robert Carnegie Silver badge

      Maybe

      Putting your hard disk next to military-grade radar might wipe it effectively. But they're less sensitive nowadays, e.g. to magnets. And, well, would you rather lose ALL the data on your hard disk, or spend a year in jail? Tough call.

      1. Hubert Cumberdale

        Re: Maybe

        Pretty easy call, I'd say. I'd have anything important backed up off site and anything dodgy only in one place. As an aside, it's much easier to find a sledgehammer than a military radar...

        1. sev.monster

          Re: Maybe

          You're giving the guy googling "how 2 wipe hard driv" a lot of credit here.

        2. Doctor Syntax Silver badge

          Re: Maybe

          Except in a military radar establishment where you can never find a sledgehammer when you need one.

      2. Mark 85 Silver badge

        Re: Maybe

        Putting your hard disk next to military-grade radar might wipe it effectively. But they're less sensitive nowadays, e.g. to magnets.

        How about a small, military grade file cabinet in the back yard? Also a thermite grenade in the receptacle for it. Pull pin and all is gone.

        1. MachDiamond Silver badge

          Re: Maybe

          "lso a thermite grenade in the receptacle for it. Pull pin and all is gone."

          I think Thunderf00t did an experiment with thermite to destroy a hard drive and it was a complete failure. Search YouTube if you want to see it.

          One of those really big NdFeB magnets should do the trick.

    2. doublelayer Silver badge

      Re: Did he not

      The article described him as a systens engineer and a techy, but they didn't provide extra context on that. It's possible that he built electronics or worked on the physics of the radar, rather than dealing with computers. While many electrical engineers and physicists have had lots of experience with the low level of computers, many haven't. I wouldn't be that surprised to hear that they don't automatically know about the device nodes and how to find the right one.

    3. lglethal Silver badge
      Facepalm

      Re: Did he not

      Frankly, I really dont get this guy. If you're worried about being caught with documents and your willing to go to the effort of trying to find out how to delete them properly, why not just ditch the laptop completely and buy a new one?

      Copy the family photos to a new USB stick, drop the laptop in the bin, and head to the local computer store and grab a new one. reload the programs you need want and if any cops come calling, you're in the clear.

      Any other course of action is you being a dumba$$...

      1. doublelayer Silver badge

        Re: Did he not

        It looks like he wanted to follow good security practice. Even if you're going to toss the machine, erase the disk first. If you don't, an attacker can get the computer out of the bin and extract the data. Of course, if you're planning to discard the hardware entirely, secure erasing the disk is more easily done by using a hammer, but remember to still do it.

        The instructions above are meant for example purposes only. If you truly are planning to erase your disk to avoid legal prosecution, at least you hope, you should not bin your machine. It is more environmentally friendly to have the diskless shell brought to an electronics recycler.

        1. sev.monster

          Re: Did he not

          <blpckquote>It looks like he wanted to follow good security practice.</blockquote>

          HAVING A HARD TIME BELIEVING THAT ONE CHIEF

          1. doublelayer Silver badge

            Re: Did he not

            Comment was written somewhat tongue-in-cheek, hence things like claiming he knew what he was doing and recommending that criminals pay attention to environmental considerations. However, it is good security practice to erase disks even when discarding the hardware, so I only had to joke about what his intentions were, not what is a good idea.

            1. This post has been deleted by its author

            2. sev.monster
              Coffee/keyboard

              Re: Did he not

              I'll forgive you for the incantation of Poe's Law, if you overlook my incorrect usage of the blpckquote tag.

    4. BigBear

      Re: Did he not

      He’s fortunate that he failed to wipe his drive, for it set an upper-bound on how many documents he nabbed; it established the classification level of what he copied; his failure likely reduced the severity of one of his charges (he attempted to obstruct justice; he never destroyed evidence) and demonstrated his relative ineptitude and the unlikelihood that he had passed classified docs to bad guys.

    5. Lindsay T

      Re: Did he not

      Living in MA, there was always the sea.

  9. Mahhn

    Training and infosec

    So they say he had been bringing items from for at least a year 2017-2018.

    Pretty sloppy infosec to not notice 31,000 files downloaded to non company devices.

    Since they say he wasn't malicious with the data he had, does that mean he got shit for training on procedure too?

    There are a lot more issue here than one guy brining home sensitive data that should be addressed.

    But hey, if your a manager at Raytheon, at least the sacrificial goat took all the heat right,,,,,

    1. Mark 85 Silver badge

      Re: Training and infosec

      Seems he's the fall guy for the security departments failings.

      1. ecofeco Silver badge

        Re: Training and infosec

        No kidding. This is some serious fail by the security department.

  10. My other car WAS an IAV Stryker Bronze badge
    Big Brother

    All I can safely say is...

    1. My former and current employers' IT were/are WAY better than this, especially in the classified realm. (No details, sorry -- not sorry.)

    2. I have worked on classified data before but never tried to breach security for any reason. By and large (99%) what I work on is sensitive but unclassified (which surprises me, especially with what I eventually find on Wikipedia, but oh well not my call).

    3. I love Fridays off. It's called a 9-80: 80 hours across 9 working days with every-other Friday off. I never took work home as an excuse; it was/is company endorsed.

    4. The only time I took ANY work home (prior to #5) was because I would be travelling the next day or just returning from travel. Again, nothing was classified.

    5. I've been full working from home since mid-March. I have not tried to get any data outside my company laptop. I don't even have any paper copies of anything. I won't talk about the laptop's/network's security to protect my employer (and my @$$).

    6. I assume everything I do -- internet requests, file operations, USB access -- is logged and act accordingly. I haven't tried any external device (USB or other) I assume(d) I didn't already have permission for.** I even avoid using WiFi, opting for Ethernet.

    I love my job, my employer, my country, but most importantly my personal freedom and my family, so staying out of jail is my goal, both by doing the right things and not blabbing the sensitive things. I'm either an obedient, security-minded individual or a total sheep to my corporate and government overlords. You decide.

    ** Currently I am running only a 2-input KVM switch: 1) HDMI to my large personal monitor (laptop's second screen / family desktop's primary), 2) USB receiver for wireless trackball, 3) standard keyboard and mouse via a 2-USB switch in the monitor. Everything works as expected and there is no data storage or sharing, so I assume I'm in the clear, and IT hasn't said boo since it's similar to using the dock unit (USB-C feeding USB-A, DisplayPort and VGA) at my office desk.

  11. ecofeco Silver badge

    The hardest part

    The hardest part of my job is enforcing I.T.security. The second is obstinate executives. The third is average everyday obstinate users.

    The technical side and vendor idiocy is easy compared to those.

    1. Insert sadsack pun here

      Re: The hardest part

      ...and the fourth hardest part of my job is making sure no-one asks questions about the disappearance of the people who have been bothering me about the first three issues...

  12. Steve the Cynic

    Pffffffffft.

    Pffft. It can't have been all that sensitive. He only had a Secret clearance. When I first met her, the late Mrs Cynic held a Top Secret (with an SCI authorisation on top) and she had a sort of spitting contempt for anyone who thought that a Secret meant much of anything. I believe the words she used were "give them away in Crackerjack boxes".

    Then again, at one point she temped at, er, Raytheon, and was asked to get a Secret to go with her Top Secret, since, ya know, the job requires a Secret...

    Ok, I get that the IT security was lamentable, and that he did something he shouldn't oughta done, but...

  13. AdrianMontagu

    USBs

    Who in the SECRET or TOP SECRET environment allows access to USB ports?

    It might be necessary on certain machines but only with logging (electronic and wet ink) and witnesses.

    Also any stick must be an encrypted stick.

    I know of one American defense company that allowed (without realising it) changing the file name extension to get through the blocks. This is now handled by other protection systems. But this was after some secrets had beed stolen.

    Amazing!

  14. Chris 239

    I wonder

    I wonder if they have relaxed the rules this year and all his ex colleagues are now working from home - confidential data and all!

    Wouldn't that be the final irony for the poor bloke!

  15. hayzoos

    So much wrong

    I worked in the same type of environment, as an Information Systems Security Manager (ISSM). I would expect to have been canned if this happened with my systems, along with my boss the Facility Security Officer (FSO). All USB except keyboard, mouse was disabled on my systems and any attempted access other than standard keyboard, mouse was logged. Logs were reviewed frequently, not quite daily, but almost. I saw part of my job was to figure out how to circumvent protections and derive additional protections, not all technical mind you.

    Work on classified of any level is only allowed in secured facilities. No WFH. Classified in digital form is only allowed on approved systems not allowed connections to the internet. There are classified networks and internetworks, but only in or terminating in secure facilities. True military grade encryption is used in between secured facilities over dedicated connections.

    I have seen the snootiness of those holding Top Secret over those "only" holding Secret clearance, usually by those also holding multiple SCI category caveats. It is very funny that one holding Top Secret was asked to also get a Secret clearance. The one asking knows not of which they speak.

  16. NonSSL-Login
    Facepalm

    Secrets elsewhere

    Some places have so much security to protect their information and products but that often goes out the window when they pass that information to another company to work with.

    Having worked for a translation company that for example translated Tank manuals for users and mechanics, printouts would be left all over the place including left in the printer trays for hours.

    Even applying standards and being promised certain procedures, you dont know whats happening behind closed doors of outsourced work in other companies.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020