Nope
This stuff should not even be secret in the first place. Let would-be adversaries see exactly what weapons they might be facing!
A now-former Raytheon systems engineer will spend the next year and a half behind bars for taking home classified US government blueprints and paperwork, against security procedures, all because he seemingly liked taking Fridays off. Ahmedelhadi Yassin Serageldin, 67, was sentenced [PDF] in a Massachusetts federal district …
would-be adversaries should have to buy the weapons systems to find out what they might be facing
Um, yes.
During the Falklands war, the Argentinians were pretty convinced that they knew the performance of the newish Sea Dart missile, which was at the time advertised as having something like a 40,000 foot ceiling on hitting things. They thought this was right given that they had two ships fitted with this missile system, and had test fired it.
Somebody cruising along comfortably above this range was then somewhat put out to discover the hard way that they were in fact within very lethally effective range.
TLDR? Every country in the world tends to deliberately sell less capable versions of their hardware to foreign customers than their home forces are equipped with, if they admit it or not.
Happens in every good company.
Specs say must be able to do X, make sure it can do 1.5X (adjust within reason), just in case.
Makes for a good safety margin.
Also reminds me of the Japanese automaker gentleman's agreement. "It's only rated 276HP, but if you wedge some lead on the pedal it pumps past 300."
That reminds me of an episode of Airwolf's (darker) first season & an arms dealer.
Hawke: I've got an idea he deserves a medal for ingenuity. If they didn't buy from Kruger, they'd have to buy from the Russians. And Russian missiles would be a whole lot harder to defend against.
Sarah: I don't understand. There is no defense against a Thor system.
Dominic: There is, if you know its operating frequencies.
Archangel: Thor operates on randomly selected, constantly changing frequencies. There's no way on earth to jam them.
Hawke: So, you built in a self-destruct system.
Archangel: Since you've figured it out, there's no loss in telling. It's an integral part of the guidance system. All an American or Israeli plane has to do is punch a button on a little black box.
Dominic: (laughs) You put the hottest missile system in the world into the hands of people who can't use them.
Archangel: They won't know that until it's too late.
Dominic: Ah, I've gotta hand it to you, Mike. Now that's brilliant.
Archangel: Thank you.
Icon: The Lady.
It is also quite surprising what can also happen "off plan". Our destroyers at the time had quite a lot of magnesium (so I was told by someone who probably knows) in their superstructure (nice and light).
This happened: https://en.wikipedia.org/wiki/HMS_Sheffield_(D80)
One of the Exocets (https://en.wikipedia.org/wiki/Exocet) deployed by a Super Etendard hit, went in through the side but failed to detonate. Instead, the heat of its still burning rocket set the ship on fire.
Extinguishing a fire involving metals like Mg is quite tricky on land, let alone at sea. The damn stuff tends to carry on burning regardless of what you throw at it. On a ship it's much worse because the whole point of a ship is that ideally the water stays on the outside.
There were several other compromise design decisions. For example, whilst chatting back to base in the UK via satellite, quite a lot of radar had to be switched off to avoid interference. That means that you don't even know that a pair, flight or even a sodding wing of Super Etendards are heading in your direction, equipped with missiles that are deployed BVR. They sidle up to you after a refreshing stroll around the wave crests and a couple of tube rolls and then punch a hole in you and burn you to the waterline or explode and make a real mess of you.
The explanation given in WP is probably better than mine but then I knew someone who was there. Who knows? I note some discussion on the talk page about Al but I distinctly remember Mg being mentioned by my source. I may be wrong about that - it was a long time ago.
I know nothing of the incident about which you wrote. However, magnesium salts and magnesium alloys do not behave as does pure metallic magnesium, and are almost as light. It would be truly foolish for the US Navy to build any parts of a ship out of pure, or nearly-pure, metallic magnesium — a material that can ignite and be extremely difficult to extinguish.
"...would take home work on various US government projects in items as secure as a plastic bag."
Ages ago, if you wanted to carry classified stuff around it had to be put in a special black leather briefcase secured by a big brass lock, all witnessed by the site security officer. The briefcases were standard throughout the industry, so if you saw someone on a train with one it was almost certain that there were classified docs in it. A Tesco's plastic bag would have been a lot less conspicuous.
The practice died out sometime in the 90s and my company tried to sell off its stock of the bags to employees. In the end they couldn't give them away partly because of how nickable they were but mainly because you really needed a bowler hat to complete the look.
Way back in the early part of my career I was a Civil Servant for a while. As the IRA were active at the time they'd removed all the identifying logos of the vehicles but hadn't thought to issue standard tax discs instead of the "Government Vehicle" ones so they weren't exactly difficult to spot.
I was never important enough to have any classified documents* so the brief case issue didn't arise!
*I did have access to some sensitive information but I can't tell you about that...
Reminds me of back in the day when the IRA were bombing mainland UK. I worked in telephone exchanges and one day we noticed that the PO had removed the raised lettering on the side of the building clearly leaving an outline of un-faded brick and paint that somehow emphasised the words TELEPHONE EXCHANGE. Besides you could just look in the ground floor windows and see those racks of Strowger clicking away. The exchange in question was Leeds Westgate on Rutland Street just off Burley St, next door to the Highland Pub where we ran some 2-wire to extend the "Bat Phone" to the taproom..... #GoodOldDays
the general practice with classified material is that it doesn't leave the location where it's stored. That was how it was back in the 80's, and I doubt it has changed. If you must transport it, you're supposed to do so in an approved manner. Although at times this may have been bent/gray, it was still "the rule".
In any case, working from home with a government contract, where security is concerned, is generally NOT allowed, EVAR. "Lose your security clearance" is just the tip of the iceberg.
Absolutely correct! Taking classified material off-site is generally illegal, unless you are individually authorized to do so, sign the particular documents out, have a secure container in which to transport them that is locked to your body, and have a certified secure facility to which to bring them and store them in an approved safe that is secured to something considered immovable. Barring that, you'd need to be accompanied by armed guards.
The fact that Raytheon allowed any external storage device to function on any PC with access to classified material is a huge breach of national security. Raytheon should be fined $ billions for this.
The fact that their servers logged accesses to classified documents is a minimum requirement. The fact that there were no alarms when a single user downloaded many thousands of documents is unacceptable. The fact that Raytheon allowed employees or contractors to leave the premises with any type of external storage device — given that external storage devices actually function on their PCs — is outrageous.
One additional reason why the guy may have gotten such a light sentence is Raytheon's complicity — they made it so easy and their policies and procedures were so lax.
I’m not a lawyer, but there's a principle of causation in law that asks a question or makes a statement that starts with "But for...". Here, it could be, "But for Raytheon's violations of standard DoD security regulations, this document removal could never have happened." That doesn’t change the guy's guilt, but it makes Raytheon guilty as well.
> Taking classified material off-site is generally illegal, unless you are individually authorized to do so, sign the particular documents out, have a secure container in which to transport them that is locked to your body, and have a certified secure facility to which to bring them and store them in an approved safe that is secured to something considered immovable. Barring that, you'd need to be accompanied by armed guards.
I realise the story pertains to a US contractor based in the US, but as this is a UK web site, I should point out this is not the case in the UK.
As long as you hold the appropriate clearance for the material you're transporting and are accompanied by 1x other person with the same clearances as you, there is no problem. "At rest" (ie hotels / overnight) becomes a bit more of a problem, but it's all case-by-case.
You can transport by yourself as well in some (explicitly laid out) circumstances.
> In the end they couldn't give them away partly because of how nickable they were but mainly because you really needed a bowler hat to complete the look.
The ones I saw came with a wrist strap so you couldn't forget it on the train. The downside was that if some scrote tried to nick it you'd be dragged along behind them or have your arm ripped off!
I suspect a similar premise is why many years ago I found myself being used as a courier for tapes of sensitive, er, "things". I couldn't understand why they wanted to waste money on some programmer who hated driving to ferry this stuff around instead of a professional courier but I guess as I was somehow classed as trustworthy, some halfwit with a hangover in her "this really needs a wash" low-end company car was less conspicuous or something. It probably was indeed in a Tesco bag, which I managed to not lose, much to my surprise. Yay.
Well there's your problem: he had the possibility to connect an external drive. Add to that the fact that he probably had access to a lot more documents than he should have (c'mon, you know it has to be true), and it's blindingly obvious that he could export the data.
He's obviously guilty of having done that, but if he could not connect an external drive to his computer in the first place, then that would have been a serious barrier to overcome.
I find it interesting that they had logs of his activity, but no alerts on the logs. They had to go digging to find that out. Why wasn't there an alert when something classified is loaded onto an external drive?
I have worked for banks and insurance companies that have more effective lock-downs than these clowns.
In the interests of security a company I worked for removed hard drives and USB access from everyone except a select few. Given the sort of work that some people did, this was a very good idea. The select few were all very senior managers and they soon got fed up of engineers wandering into their offices with floppies/USB sticks and 25 pages of requisite authorizations. Solution? They 'delegated' the authority to their secretaries. All the secs' machines got their hard drives and USB access back and the engineers just dumped the paperwork in the tray and got on with uploading/downloading.
I thought it was odd that they only found out about the external hard drive when they did some investigation. If that sort of access is being logged, then I would expect it to be fed into some sort of monitoring system so that infractions can be detected and acted on as they happen, rather than only finding out when doing some retrospective investigation
You are very right to think that. It is critical that audits be done about copying data to external media if employees are meant not to do so. This company is very fortunate that all this guy wanted to do was take work home without permission. Had he taken a copy and showed up at a prearranged consulate, he could be happily living in another country with the data handed over before the company even knew there was a problem.
"Add to that the fact that he probably had access to a lot more documents than he should have (c'mon, you know it has to be true), and it's blindingly obvious that he could export the data."
"I find it interesting that they had logs of his activity, but no alerts on the logs. They had to go digging to find that out. Why wasn't there an alert when something classified is loaded onto an external drive"
That is why he got a VERY light sentence. Both sides agreed he needed to be punished so he got what he did. Defense told the prosecutor discovery will be a bitch and do you really want world+dog to know how bad both the gov. and Raytheon no more no less are at security - and of course exactly how much this all cost? Oh by the way Raytheon, GAO is on the line for you. I'll bet he had some very bad things on that drive.
Every job I ever worked as a gov. sub, security was tight, very tight. I never saw Laurel & Hardy once. Had he not cheated payroll and not lied, this probably would have been treated a lot different.
...that Massachusetts were things you might find in your hanky.
A lot of us are really burnt-out this month. And I can honestly say quite a few of the typos were mine while working late into the evening.
"Some of even ended"
That's fixed.
BTW I'm not asking you to work full-time for us. I'm asking for an email, please, if possible. Think of it as a pull request. Maybe we can make it easier to report errors, in article or via a form.
"Would be easier to make a list of the El Reg article that DON'T have any errors"
Software has bugs, articles have typos. We're not perfect and we're quite a small team, relatively speaking. We're trying our best.
C.
I really don't mind the typos. It happens to all of us. My suggestion would be to turn the tips and corrections feature into a form rather than an email--sometimes I'm on a machine without email configured or with accounts I don't want to use, so I try to remember to send a message later and likely fail. I'm guessing it was done this way to deal with spam, but you already have our logins so you can associate reports with those for blocking purposes.
My memory (the organic one) stretches away back in the fourth dimension.
When email was new...
It was often the case that 'important' emails were being keyed in so quickly that an occasional error was proof of its urgency....
No time to spare to correct it before sending.
Now we have automated spell checkers that can put in the mistukes for us.
already know how to securely wipe things from his computer(s)? I would've thought that was part of his training. (Also, could he not just figure out something like "cp /dev/null /dev/hda" after booting from a live CD? A bit obvious to anyone who looks at the disk afterwards, perhaps, but it would've been a start. He can't've been a bright spark.)
"lso a thermite grenade in the receptacle for it. Pull pin and all is gone."
I think Thunderf00t did an experiment with thermite to destroy a hard drive and it was a complete failure. Search YouTube if you want to see it.
One of those really big NdFeB magnets should do the trick.
The article described him as a systems engineer and a techy, but they didn't provide extra context on that. It's possible that he built electronics or worked on the physics of the radar, rather than dealing with computers. While many electrical engineers and physicists have had lots of experience with the low level of computers, many haven't. I wouldn't be that surprised to hear that they don't automatically know about the device nodes and how to find the right one.
Frankly, I really don't get this guy. If you're worried about being caught with documents and you're willing to go to the effort of trying to find out how to delete them properly, why not just ditch the laptop completely and buy a new one?
Copy the family photos to a new USB stick, drop the laptop in the bin, and head to the local computer store and grab a new one. Reload the programs you need want and if any cops come calling, you're in the clear.
Any other course of action is you being a dumba$$...
It looks like he wanted to follow good security practice. Even if you're going to toss the machine, erase the disk first. If you don't, an attacker can get the computer out of the bin and extract the data. Of course, if you're planning to discard the hardware entirely, secure erasing the disk is more easily done by using a hammer, but remember to still do it.
The instructions above are meant for example purposes only. If you truly are planning to erase your disk to avoid legal prosecution, at least you hope, you should not bin your machine. It is more environmentally friendly to have the diskless shell brought to an electronics recycler.
Comment was written somewhat tongue-in-cheek, hence things like claiming he knew what he was doing and recommending that criminals pay attention to environmental considerations. However, it is good security practice to erase disks even when discarding the hardware, so I only had to joke about what his intentions were, not what is a good idea.
He’s fortunate that he failed to wipe his drive, for it set an upper-bound on how many documents he nabbed; it established the classification level of what he copied; his failure likely reduced the severity of one of his charges (he attempted to obstruct justice; he never destroyed evidence) and demonstrated his relative ineptitude and the unlikelihood that he had passed classified docs to bad guys.
So they say he had been bringing items from for at least a year 2017-2018.
Pretty sloppy infosec to not notice 31,000 files downloaded to non company devices.
Since they say he wasn't malicious with the data he had, does that mean he got shit for training on procedure too?
There are a lot more issues here than one guy bringing home sensitive data that should be addressed.
But hey, if you're a manager at Raytheon, at least the sacrificial goat took all the heat right,,,,,
1. My former and current employers' IT were/are WAY better than this, especially in the classified realm. (No details, sorry -- not sorry.)
2. I have worked on classified data before but never tried to breach security for any reason. By and large (99%) what I work on is sensitive but unclassified (which surprises me, especially with what I eventually find on Wikipedia, but oh well not my call).
3. I love Fridays off. It's called a 9-80: 80 hours across 9 working days with every-other Friday off. I never took work home as an excuse; it was/is company endorsed.
4. The only time I took ANY work home (prior to #5) was because I would be travelling the next day or just returning from travel. Again, nothing was classified.
5. I've been full working from home since mid-March. I have not tried to get any data outside my company laptop. I don't even have any paper copies of anything. I won't talk about the laptop's/network's security to protect my employer (and my @$$).
6. I assume everything I do -- internet requests, file operations, USB access -- is logged and act accordingly. I haven't tried any external device (USB or other) I assume(d) I didn't already have permission for.** I even avoid using WiFi, opting for Ethernet.
I love my job, my employer, my country, but most importantly my personal freedom and my family, so staying out of jail is my goal, both by doing the right things and not blabbing the sensitive things. I'm either an obedient, security-minded individual or a total sheep to my corporate and government overlords. You decide.
** Currently I am running only a 2-input KVM switch: 1) HDMI to my large personal monitor (laptop's second screen / family desktop's primary), 2) USB receiver for wireless trackball, 3) standard keyboard and mouse via a 2-USB switch in the monitor. Everything works as expected and there is no data storage or sharing, so I assume I'm in the clear, and IT hasn't said boo since it's similar to using the dock unit (USB-C feeding USB-A, DisplayPort and VGA) at my office desk.
Pffft. It can't have been all that sensitive. He only had a Secret clearance. When I first met her, the late Mrs Cynic held a Top Secret (with an SCI authorisation on top) and she had a sort of spitting contempt for anyone who thought that a Secret meant much of anything. I believe the words she used were "give them away in Crackerjack boxes".
Then again, at one point she temped at, er, Raytheon, and was asked to get a Secret to go with her Top Secret, since, ya know, the job requires a Secret...
Ok, I get that the IT security was lamentable, and that he did something he shouldn't oughta done, but...
Who in the SECRET or TOP SECRET environment allows access to USB ports?
It might be necessary on certain machines but only with logging (electronic and wet ink) and witnesses.
Also any stick must be an encrypted stick.
I know of one American defense company that allowed (without realising it) changing the file name extension to get through the blocks. This is now handled by other protection systems. But this was after some secrets had been stolen.
Amazing!
I worked in the same type of environment, as an Information Systems Security Manager (ISSM). I would expect to have been canned if this happened with my systems, along with my boss the Facility Security Officer (FSO). All USB except keyboard, mouse was disabled on my systems and any attempted access other than standard keyboard, mouse was logged. Logs were reviewed frequently, not quite daily, but almost. I saw part of my job was to figure out how to circumvent protections and derive additional protections, not all technical mind you.
Work on classified of any level is only allowed in secured facilities. No WFH. Classified in digital form is only allowed on approved systems not allowed connections to the internet. There are classified networks and internetworks, but only in or terminating in secure facilities. True military grade encryption is used in between secured facilities over dedicated connections.
I have seen the snootiness of those holding Top Secret over those "only" holding Secret clearance, usually by those also holding multiple SCI category caveats. It is very funny that one holding Top Secret was asked to also get a Secret clearance. The one asking knows not of which they speak.
Some places have so much security to protect their information and products but that often goes out the window when they pass that information to another company to work with.
Having worked for a translation company that for example translated Tank manuals for users and mechanics, printouts would be left all over the place including left in the printer trays for hours.
Even applying standards and being promised certain procedures, you don't know what's happening behind closed doors of outsourced work in other companies.