CIA Chat Room Violates The Company's Policy 126

code_rage writes: "An article in the Washington Post says that some 160 employees and contractors of the CIA are being investigated for operating an unauthorized chat room. Two of those accused are "innovative, out-of-the-box, unconventional thinkers - these are essentially the hackers of the CIA, in the most positive sense of the word." The article raises issues of national security, workplace monitoring, and workers' legal rights. Although security was not compromised in this case, the prospect of unauthorized software running on secure computers might be a little troubling. The article says that senior employees have a keystroke monitor installed on their computers. The 5-day timeline demanded by The Company for response to accusations seems to preclude the employees the ability to consult with legal counsel, given that clearances take months to be approved."
This discussion has been archived. No new comments can be posted.

Violating The Company's Policy: CIA Chat Room

  • *** Looking up 216.206.242.164
    *** Resolved 216.206.242.164 to irc.fbi.gov.handed.me.an.o-line.st

    --

  • Maybe it'll be firable to have an account on icq. Or you'll be arrested for paying for prodigy.
  • It makes a great deal of sense to punish these people. Much like the discussion previously on /., this is about people putting software onto computers they do not own, and they do not have the rights to do.

    I do not work for any government agency, but I can well believe that the CIA, NSA, and other intelligence agencies screen with a fine tooth comb the software that goes into their networks. One little backdoor, or one little segment of code that sends logs outside the network is all that is needed for a potentially serious breach of national security. And don't forget that lives can and are at stake. ICQ may seem harmless, but would you risk someone's life over it?
  • In the article, Robert Steele, who is known in the computer security community, said these were clever, creative people. If so, what the hell are they working for the CIA for? Places like the CIA treat you like crap, and if you make someone unhappy you may not only be fired, but may have criminal charges filed and other unpleasant things like that happen to you. People in the military and "intelligence" community with any brains have left long ago to startups in Virginia and that area like AOL, UUNet, Network Solutions and the like. Those people are now rich on stock options, and not having their little government grade pay job checks and people on their backs all the time. Most of the Pentagon and such people I know stopped working there a long time ago. That's probably why so many contractors are involved, they can't hire people. Working for a sucky company/agency through a consulting firm can often suck more than actually working there. All the pain, none of the benefits. Don't work at low pay, bad condition work places. Especially when all they do is overturn legitimate elections in other countries and the like.
  • by jesterzog ( 189797 ) on Saturday November 11, 2000 @01:27PM (#629916) Journal

    One or two employees and I could understand an investigation like this.

    CIA or not, if 160 employees decide to break the rules in this way, isn't it just a sign that their employers aren't providing them with the (legitimate) resources to do their job effectively?

    They could restrict these people and not get the best out of them, or they could work out a compromise. Since a lot of people are going to be watching this and it'll be setting an example to big dumb executives everywhere, I hope a compromise is what happens.


    ===
  • As always, with this kind of operation, the issue here is control. The Powers That Be in The Company must feel that they are "in control." Of their networks. Of their computers. Of their employees. Hell, of their paper clips! This kind of stuff gives them the willies.

    I worked as a contractor for, shall we say, a player in the intelligence community a loooooong time ago, and let me tell you this: these guys have paranoia dribbled into their veins every night, right along with their maalox. Humor is not part of the job. Especially where computers are concerned.

    These poor mooks are gonna get slammed, and slammed hard for their "innovation." The Company doesn't want stars, they want people who follow orders and procedures. When they get to the executive director level, maybe then they can get creative. Oh, but I forgot, at that level you're so political that any creativity outside of political survival is a liability...

    As they said in "The Prisoner": "Be seeing you!"

  • In the original posting, it said that the employees have been given five days to respond, which killed their ability to consult with lawyers and the like, due to the time it takes to get clearance. However, in the article, it says that some of those senior employees have been "suspended with pay for the past six months while CIA officials try to decide what punishment is appropriate." This means that this happened a long time ago. At least six months. It's not as if they discovered this five days ago and have ordered written explanations; they found out at least six months ago and have just now ordered explanations. So, even if it does take a few months to get clearance, that still leaves a few more to consult with whoever needs to be consulted with.
    In the original posting, it talks about this lack of time. It also says it almost exactly the same in the article itself: "The former officer said that by giving those under investigation only five days to respond to the charges against them, the CIA has 'effectively denied them the opportunity to seek legal counsel,' because lawyers typically must wait for months to obtain security clearances necessary to represent agency personnel." But again, six months is a long time. What were these people doing for the last six months? Especially the ones who had been suspended with pay? I would hope that they would spend that time doing everything in their power to seek legal counsel. If they waited until now to try, then maybe they should just face the consequences. I know that if I got caught breaking the rules like that on a secure computer system and was essentially told to not come to work until they figured out how they were going to punish me, I would spend the eight hours a day I would usually be working during trying to find a lawyer who could help me get out of trouble, regardless of whether or not what I did was wrong...that's just self-preservation.
    Either way, that's what bugs me the most about this article: the claims that these people aren't getting a fair chance, when in fact they've had at least half a year to make whatever chance they wanted. And in all reality, this happened probably even twice that long ago, it just took six months for it to be dealt with, then six more for it to get to press and for the demands for explanations to be presented. Rip this apart as you please.
    -G
  • We don't have keystroke monitors installed where I work, but the security department keeps tabs on what we do. This might make it difficult for us to install UT and play across the network, but I don't know what kind of packets it generates (yet), so I don't know if we could get away with it. :)

    -Legion

  • by Anonymous Coward
    Are you sure you don't have keystroke monitors?

    I routinely check the back of my computer for keystroke monitors and I'm also planning to buy my own keyboard to work. I'll bring it in in the morning, use it during the day and replace it with the original keyboard at the end of the day.

    Encrypting all your mail is also a good thing, but remember to store your private key only on a floppy disk. They might search your harddrive, so never ever copy the key there.

  • It was a, umm... honeypot. Yeah, that's it! Script kiddies just can't get enough of the chat server hacking.

    We weren't wasting time, or hacking cyber sex, or um.. something.
  • Emacs is a beast. It has a full lisp interpreter. I don't trust any language that relies so much on freaking parens... Another problem with Emacs is that no one is there to guarantee its security. If something goes wrong there is no scapegoat, something that companies don't like.
  • China was "allied" with the Soviet Union only from the brief period of 1949 - about 1960. After that (and this was before China developed the bomb), there was great animosity between the two governments to the point where several small battles were fought.

    From your second assertion, I seriously doubt you do know history. The primary purpose of American nuclear deterrence was to prevent the Soviets from dominating Western Europe. Southeast Asia and Asia in general were much less important as the Soviets concentrated their forces on their eastern borders.
  • What makes you compulsively rail against people who want to uphold a certain degree of literacy?
  • That's a typo right? The Soviets concentrated their forces on their *western* borders. Actually, you're also neglecting to mention that the soviet union was preparing to push deep into Japan from the north up in Mongolia. If that had happened we would have faced a similarly divided Japan (except North being communist, south being free) as we saw in Germany after WWII. By dropping the two bombs they also didn't have to execute a full scale invasion of the island.. something that would have cost BOTH sides millions of lives, civilian and military. If you're going to spout revisionist history, at least study the actual events so you can sound more convincing.
  • Don't know if this is still the case, but as of 10 years ago, NSA installed all the secure systems for other Fed agencies, presumably including CIA.

    Hypothesis: the chatroom was not a hack, but an undocumented feature.

    Interesting that they're so certain nothing was compromised.
  • Get over it, there is little security in the world today. These people were on the house system, am I wrong!!!
    They were found out and exposed, supposedly by their own!!!!
    Then made PUBLIC!!!!!!!!!!!!!
    McCarthyism raises its ugly head.
    A message is being sent to the rest of the serfs, toe the line or else.
    Comments anyone?
  • Okay they suspended the culprits for the past six months with pay [i'd love that!].
    They don't say how many of them, but I guess we can assume that those who were suspended are at least the cream of the 160 that used the IRC.

    What manager in his right state of mind can just suspend their best IT staffers - for six months?

    Either they found someone else to do their jobs - which makes the discussion futile, cause then they will sack the offenders anyway - or, given that it's the CIA - they just leave the work undone...

    Think about it. For six long months the creme of CIA techs doesn't get to work. Isn't that an invitation for everyone else to get busy while the yanks got their pants down?

    I honestly do believe that the U.S. is the vulnerable to cyber warfare, simply because they have every man and his dog running through the Net.
    Then they turn around and suspend the first line of defense, cause they were using their brains [which is what the CIA has hired them for, in the first place].

    They should let h4x0rz run the Agencies. Would save them a pile and get more results...
  • They have to blow off steam in the company environment or go slightly nuts, can't do it security wise off the property, nice idea no?
  • Everytime I feel compelled to explain things this obvious, I worry that I've been trolled.

    You're obviously not alone. I've never had a comment moderated around the block the way this one has. The comment was made tongue-in-cheek. I'm well aware of the gravity of the situation working for the CIA. When you go in there, you play by their rules, no exceptions. I just find the whole situation a little (black) humourous.
  • Every second those "hackers" spend on chat/irc/etc. is a second wasted when they could be doing something constructive, like, their job.
    I don't know about you, but I would rather have the spooks chatting instead of supporting right-wing death squads and destabilizing popularly-elected left-leaning governments around the world!!!
    --
    You think being a MIB is all voodoo mind control? You should see the paperwork!
  • That's a typo right? The Soviets concentrated their forces on their *western* borders.

    No, he was correct in using eastern, as in eastern Europe.

    Actually, you're also neglecting to mention that the soviet union was preparing to push deep into Japan from the north up in Mongolia.

    Well, you have to understand that the US and USSR had an agreement that they'll attack Japan (I don't think they agreed on when). Also, the Japanese did defeat the Russians in the Russo-Japanese War.

    If that had happened we would have faced a similarly divided Japan (except North being communist, south being free) as we saw in Germany after WWII. By dropping the two bombs they also didn't have to execute a full scale invasion of the island..

    That's right, because we were the ones who were supposed to, not them.

    something that would have cost BOTH sides millions of lives, civilian and military.

    Try looking up "Little Boy" and "Nagasaki".

    If you're going to spout revisionist history, at least study the actual events so you can sound more convincing.

    I suggest you do the same.

  • How long will it take Metallica to sue the CIA for people sharing their music on that chatroom?
  • Note that there was no disclosure of classified material here, just violations of Policy.

    If you have a job to do, you do it. If you try to go through all of the Proper Authorities, you'll have long grey whiskers by the time you get their formal rejection.

    I'd be willing to bet that the "authorized" software on the computers in question was some version of Windows, Microsoft Office, and a couple of buggy, inconvenient, locally written Visual Basic programs for filling out timesheets and accessing databases. And nothing else.

    I'm sure every Slashdotter has a list of extra programs that need to be installed on any Windows system to make it halfway usable. (The last "unauthorized" program that I loaded was bzip2. Big scary threat, that.)

    The point of "policy" is generally to cover the arses of the Powers That Be; if anything goes wrong, it's because "somebody violated Policy". I have worked in a number of secure environments; I have never seen one where *all* the Policies were followed. Scenario: You're the only one in the office when you are hit with A Sudden Need. Do you (a) Shit in your pants, (b) Carefully collect all of the classified data from your desk (and everybody else's desk, if you're watching their stuff for them) and lock it in the safe. Don't forget to sign the logs, or (c) duck down the hall to the loo and hope that nobody notices. Policy, of course, says (b), with (a) as the only alternative. Of course, (c) would leave your classified data open to any Soviet spies[1] who happened to sneak past the armed guards at the gate.

    It's not just the Government; look up Randall Schwartz [lightlink.com] to see just how bad it can get.

    [1] Yeah, I know. There hasn't been a Soviet Union for ten years. The US Department of Defense and State Department (the CIA is part of the State Department) have been busily trying to put it back together, as it was the only justification for their existence.

    --
  • That's a funny thought - all those odes to Natalie Portman ending up enshrined forever in the CIA/NSA archives.

  • Actually a firewall does basically nothing if you are somewhat technical, which these people seem to be.

    You could easily build a tunnel (e.g. VTun [sourceforge.net]) from the inside of a LAN to some point outside, and then have basically a VPN back in. I do that from where I work to my home. Even if your firewall blocks all direct connections, but have a HTTP or SOCKS proxy in place, there already exist tunnels that go through them.

    My point about "judgement skills", though, was that these people are probably just as concerned as their management about security, and probably have much better grip on what it entails to make their network secure. Thus, if you are not going to trust them, you might as well make your network a complete island (whether they create such chatting channels, or not).

  • Alright, I give that to you. But my point (which you seem to have missed) was that it's typical disciplinary action for violating security policy. Nothing new here.
    --------
    Life is a race condition: your success or failure depends on whether you get the work done on time.
  • by Cowardly Anonym ( 30327 ) on Saturday November 11, 2000 @12:16PM (#629938)

    "The serious thing for us is people willfully misusing the computer system and trying to hide what they were trying to do..."

    Of course they tried to hide what they were trying to do! What would have happened if they had gone to the brass and said, "Um, we'd like to set up a chat room on the computer network. Don't worry, we won't let anyone in without an invitation. And we certainly won't open up any security holes. Okay?"

    For obvious reasons, CIA employees are required to abide by very strict rules governing, among other things, what they may and may not do, who they may and may not talk to, and where they may and may not go. These rules are meant to be followed to the letter (the former director who used his home computer to create a top-secret document notwithstanding). Any violation of these rules means that security may have been compromised. I'm sure that potential security breaches worry the CIA brass just as much as actual ones, because when you find a hole, you really can't be certain that something didn't get in or get out through it.

    Unfortunately, the above rules conflict with basic human nature. We are inquisitive animals, and we want to explore systems, whether they are computer systems, social systems, philosophical systems, etc. As soon as people are told not to do something (especially if they aren't told the (real) reason for the rule), they become even more interested in the forbidden behaviour than they were before. If you restrict a person's freedom to explore, there is always the chance that he will go ahead and explore anyway, and if he's smart, he'll go to great lengths to avoid detection of his activities. (Hmmm ... sounds like one of the prerequisites for becoming a spook. Maybe they should give these guys medals.)

    I'm not really surprised that this happened, but if the CIA were really as paranoid about security as they should be, this would have been uncovered much sooner.


  • What is the great danger of running a chat server again? Who was it that was going to 'root' their box?

    Most of the data is probably on a need to know basis and compartmentalized on the systems. In this case, outside means from one office to the next. The idea is that even with the best background checks, someone could manage to slip in. The less each person is told, the less they could leak. The IRC server probably violated the compartmentalization (at least potentially).

  • by jjr ( 6873 )
    Wait a minute? Is Slashdot considered work related?

    Nope but I get permission to look at it. :)
  • by BrianH ( 13460 ) on Saturday November 11, 2000 @12:22PM (#629941)
    I agree that it would be rather dumb to fire someone over this, but disciplinary actions are deserved.
    1. The CIA network, by its very nature, must be one of the secure LANs in the world. By installing unapproved software on an unapproved server, they may have inadvertently placed the security of the entire network at risk. While the article doesn't specifically mention what software was used, I seriously doubt that a security audit was performed on the source to verify that it wouldn't open up any holes.
    2. The chat room created the potential for inadvertent security leaks by allowing unmonitored communications between non-authenticated personnel. Think about this example: two CIA buddies regularly converse via this chat room during their lunch hours. One day, someone else (either internal or external to their network) gains access to the chat room and masquerades as one of the two regular users. When the other guy comes on, he sees the screen name and automatically assumes that it's his buddy, mentally placing him in the trusted category. Now, when this guy asks him what he's doing today, he probably won't think twice about telling him. Voila, he's just breached national security without realizing it.
    As I said above, these guys should be disciplined, and they should probably be forced to re-take the security training classes, but they have showed creativity by solving what they saw as a communications "problem", and by keeping it operational on a heavily secured and monitored network for over a year without detection. These sound like the kinds of guys who would make excellent electronic intelligence agents.
  • how long was this going on before management/IS/whoever noticed? months (like the microsoft thing), years? I wouldn't be too quick to congratulate them for watching their network.
  • It's pretty obvious you've never worked for the U.S. Government...
  • What this article doesn't point out is the difference between a classified network and a normal network. On a classified network there are both unclassified and classified accounts. All software installed on a classified computer must be approved for use on the network. This often requires a strong investigation into the security of the program. I work for a defense contractor and we had a very hard time getting emacs installed because it had to be proven to be secure. If a person on an unclassified account was able to exploit this apparent hacked together chat program running on a classified account, then he could theoretically gain access to classified data. The threat is real and there is usually a separate network that is unclassified that is open to the internet which should have been used for such a system. Something that is rather interesting is that Internet Explorer is considered too "insecure" to be used on both an unclassified network and classified network.

    Although it might not seem right at first, these employees should be punished as this was a true security violation. The best way to secure a network is not to avoid things that are known to be unsafe, but only allow things that are known to be safe.

  • Like it or not, this is really no different than the reaction most companies (note the lowercase c) would have in this same situation.

    It is not too hard for me to imagine a company freaking out if an employee, without permission of IT or whoever, set up an IRC chat server within the company network to chat with coworkers.

    I've dealt with (but not worked directly for) companies in the past that won't allow their employees to even run IM clients like AIM or ICQ due to fear of them wasting time and goofing off...Having an internal server running on a company system without permission just adds (in the PHB's mind) to the inappropriateness of that goofing-off action.

  • The main problem here is that there is a big difference between national secrets and software secrets and ideas. The concepts of physics are not secrets because they are obvious and necessary in many situations. But if you have step by step discussion on how to make say hydrogen warheads in a secretive environment it is not very appropriate. A country like China doesn't have those little things we call a sense of ethics concerning the use/abuse of nuclear weaponry. Nations have to keep secrets all the time to defend against the possibly indefensible. It's all about strategy.
  • The Company for response to accusations, seems to preclude the employees the ability to consult with legal counsel, given that clearances take months to be approved

    For the job I'm currently working, I had to sign an Employee Dispute Resolution agreement. It basically says that I can't sue them and they can't sue me until we have gone through a resolution process, which involves at some stage an outside mediator. The result is that most disputes are handled internally, without causing harm to the company while still providing a resolution satisfactory to the employee. Signing this made me very nervous, needless to say, but after reviewing the procedure, it seemed reasonable to me.

    The point is, if my non-Top Secret company had such an agreement, it wouldn't surprise me if the CIA, a group which would be very concerned about public resolution of disputes, had such an agreement.

  • Isn't it because, as it's CIA internal stuff, any legal counsel would have to get security clearance in order to work with them?

    I mean, seriously. The people involved here have security clearance, are supposed to be EXTREMELY WELL TRUSTED.
    Finding out they did something that was against policy.. what do you expect?

    Besides.. they don't *NEED* to consult with legal counsel; nobody's putting them on trial!
  • It's funny to see how most of the moderated-up comments are pro-control. When they say "national security" then anyone in US walks on their ears... it's like holy mantra. I think this so called "national security" is bullshit. How many secret agencies does US have? How much does it need? Lauri, who has never been in US and never will.
  • Consulting with legal counsel doesn't mean that they're being put on trial. Consulting with legal counsel would be getting advised on any course of action they should take. Just like if you're arrested, you don't have to answer any questions without first receiving legal advice, either from your own lawyer or one they give you. It's simply smarter, if you could possibly be put on trial, to get some sort of legal consultation beforehand.

    And yes, you're right, they would have to get security clearance. The thing is, the article is claiming that they weren't allowed time. That's what bugs me: that it's claiming they were only given five days from start to finish, instead of the actual six months (at least) that this has been going on. These people knew they were in trouble of some sort six months ago when they were suspended. If they were going to seek legal counsel, they should have done it then, not waited until they were ordered to turn in a written explanation of their actions.

    Basically, all that I'm saying is that whoever said they weren't given time to consult is wrong, and that whatever trouble these people get in to for not consulting over the period of those six months is their own fault.

    -G
  • I don't see anything wrong if people try to make their work a bit more 'live' Your holy work is a part of your life anyway... or if you want to be serfs, then go on.

    What contract... hey those contracts are just a bit of bureaucracy, nobody cares about them in real world.
  • I think the whole "National Security" thing is bogus, too. So, that makes at least one American on your side!
  • ... but I can see both sides of this. Yes, it is possible that installing a chat server (the type was never specified) on a government high security computer is a Bad Idea(TM). It is also likely that some time-wasting activities ensued. On the other hand, I use an instant message client at work, sometimes receiving assignments in this manner. Of course my job does not require a security clearance. I might also point out that I have very occasionally learned things on IRC that have made my job easier. Don't try to tell your boss you are on #l33t_h4x0r for research though!
  • You're way behind the curve, man. Do you think it will do you a lick of good to encrypt emails, if when you're typing those emails in the first place, they appear on your screen open wide to the whole world?
    Do you think the hardware keystroke monitor you look for in the back of your computer can't just as easily be incorporated into the motherboard? These corporations have deep pockets...

    That's old shit man. What do I do?

    A) I use special goggles (LCD ones that emit NO radiation someone might peek at to follow the refresh cycle)...but, of course, you can't just plug that into a computer! They could have the video card tapped!

    No, what these bad babies do is run strong encryption on anything they see that has their "encryption tag" on it...Anything on the computer screen between certain tags (they look like funky barcodes) is translated using 128-bit RSA encryption into a corresponding real image. They work within a 100 degree field of view, take megapixel shots, and analyze them surprisingly fast (you get like 3 fps), putting them back in the same aspect they were originally in. So you end up with a screen that has part of it looking like it has static on it, the rest normal. When you put on the goggles, you get the static stuff to look normal, except only changing about three times per second. Naturally, the rest of the goggles (the part not doing any unencrypting) have good refresh rates, so everything else looks the same as without the glasses.

    B) But then, of course, it's not enough to have the computer print out garbled (encrypted) output, They could just have memory snoops! So, what I do, is I run NOTHING on my local machine. I run it all off of a server I have set up at home for which I have, essentially a custom remote access tool, which will serve you a page that via java gets the garbled screen (that is, its not even sent out unencrypted) and puts it out on your screen. Of course, it doesn't get plaintext keyboard/mouse commands, either, which brings me to

    C) I use a special mouse and keyboard which both strong-encrypt (again, 128-bit) every keystroke and mouse-movement (each key ends up sending a few hundred, each mouse movement, too, since for java reasons I send only ASCII text keys and translate everything into that), and so it's no problem if They see exactly what's sent out from the keyboard...They'd have to see the keyboard physically to know what keys I'm hitting....which, of course, They can't, because I cover the whole portion of my desk that I type over with a thick blanket of industrial-level (not just medical-level) radiation shielding that blocks all visual clues to where my hands are, as well as infrared and xray. Not even radio noise escapes, which might otherwise let them analyze what the keyboard does internally. A portion of the shielding even goes all the way to my elbows, so They can't analyze the muscle movement of my forearms to see what keys I might be pressing.

    D) The mouse and keyboard have a private key based on the goggle's changing public key, and my home server invalidates them every 15 seconds, so that when the goggle is not connected to the keyboard/mouse, or to put it another way, if the keyboard and mouse are ever picked up by Them and analyzed, They won't be able to talk with my server anymore. So how does the goggle get its private key? Based on both 1) scanning my retina, which alone isn't enough, of course, since They could also do that and get my private key anytime, but also 2) having a SHIELDED component that accepts a miniature disk with closed casing that's light-encoded, so that with a single motion I can destroy all data on it by exposing it to light.

    Now, granted, it might seem excessive to spend upwards of $75,000 on equipment only to end up wearing this heavy goggle set physically connected to a keyboard and mouse that are all under heavy xray/radio/infrared shielding, but, gentlemen, I assure you, with my setup, I can be totally 100% sure that my Company has absolutely no idea that I'm really just playing Quake. And that kind of peace of mind, my friends, is worth 3 fps.

  • by bellings ( 137948 ) on Saturday November 11, 2000 @03:56PM (#629956)
    Another problem with Emacs is that no one is there to guarantee its security.

    Has anyone ever actually tried to audit Emacs for security?

    Has anyone made any real effort to assure there aren't any dumb bugs in, say, the emacs built-in news reader that might allow a malicious news message to run arbitrary emacs code? Are we sure there aren't any bugs in Emacs's C source parser, formatter, and x-ref facility that might allow arbitrary emacs code to be run? Has someone checked the vi emulation package with a fine tooth comb? What about the built in mail reader? What about the built-in Zippy the PinHead quote generator? What about the Eliza package? What about the Emacs web browser? Do I have any assurance that a malicious web page can't run arbitrary emacs code? What about the Emacs Slashdot reader? Is that secure?

    I guess what I'm saying is that Emacs is a huge beast of a program. It contains its own nifty little byte code virtual machine with a lot of nifty hooks into your environment, and its own nifty lisp compiler that targets that virtual machine, and it's designed to be easily extendable by its users, loading and running new code into that virtual machine at the drop of a hat. It's a great program if you like to reprogram your editor while you edit. Heck, you can even easily let your documents reprogram your editor, if you use the file-local-variable stuff. But has anyone examined Emacs closely to determine if any of the things Emacs does are all done securely?
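The file-local-variable mechanism raised in the comment above can be inspected before a file is ever opened in the editor. This is an added example, not part of the original thread or of Emacs itself: it lists the variables a file's `-*- ... -*-` header and trailing `Local Variables:` block would set, and the function names and the risk classification are simplified assumptions made for illustration.

```python
import re

# Simplified heuristic (an assumption of this example, not Emacs's full rule set):
# "eval" evaluates Lisp directly; variables named like hooks, functions,
# commands, forms or programs can cause code to run later.
RISKY_SUFFIX = re.compile(r"-(hooks?|functions?|commands?|forms?|program)$")


def classify(name):
    """Return 'code', 'risky' or 'data' for a file-local variable name."""
    if name == "eval":
        return "code"
    if RISKY_SUFFIX.search(name):
        return "risky"
    return "data"


def parse_header(text):
    """Parse '-*- name: value; ... -*-' on line 1 (or line 2 after a '#!' line)."""
    lines = text.splitlines()[:2]
    lines = lines[1:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in lines:
        m = re.search(r"-\*-(.*?)-\*-", line)
        if not m:
            continue
        body = m.group(1).strip()
        if ":" not in body:              # bare form: "-*- mode-name -*-"
            return [("mode", body)]
        pairs = []
        for part in body.split(";"):     # simplification: values containing ';' are split
            if ":" in part:
                name, value = part.split(":", 1)
                pairs.append((name.strip().lower(), value.strip()))
        return pairs
    return []


def parse_trailer(text):
    """Parse the 'Local Variables:' ... 'End:' block in the last 3000 characters."""
    tail = text[-3000:]
    m = re.search(r"^(.*?)Local Variables:(.*)$", tail, re.I | re.M)
    if not m:
        return []
    prefix, suffix = m.group(1).strip(), m.group(2).strip()
    pairs = []
    for line in tail[m.end():].splitlines():
        line = line.strip()
        # Each line of the block repeats the comment prefix/suffix of the opener.
        if prefix and line.startswith(prefix):
            line = line[len(prefix):]
        if suffix and line.endswith(suffix):
            line = line[:-len(suffix)]
        line = line.strip()
        if line.lower() == "end:":
            break
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(text):
    """Return (name, value, verdict) for every file-local variable found."""
    found = parse_header(text) + parse_trailer(text)
    return [(name, value, classify(name)) for name, value in found]


# Constructed sample document (not taken from any real file).
SAMPLE = (
    '-*- mode: text; eval: (message "constructed sample") -*-\n'
    "Meeting notes\n\n"
    ";; Local Variables:\n"
    ";; fill-column: 72\n"
    ";; after-save-hook: (my-fn)\n"
    ";; End:\n"
)

if __name__ == "__main__":
    for name, value, verdict in audit(SAMPLE):
        print(f"{verdict:5}  {name}: {value}")
```

Emacs applies its own gate to these settings through `enable-local-variables` and `enable-local-eval`; a scan like this is useful for reviewing files in bulk before anyone opens them.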
  • A country like China doesn't have those little things we call a sense of ethics concerning the use/abuse of nuclear weaponry.

    We didn't either before dropping two on civilian populations. Even then, it took the media to report all those horrible effects that the bomb had on those exposed to the radiation and the environment before we Americans realized the horrors we unleashed. Apparently, China has yet to drop a single one on people.

  • by troeg ( 203820 )
    So much for keeping our intellectual secrets from China. Oh wait, they already know how we make our nuclear bombs.
  • The CIA exists for reasons of national security of the UNITED STATES

    Ha! So helping rebels overthrow their government is part of the national security of the UNITED STATES? So, tell me, do you also believe in Santa Claus?

  • The article spoke of passing around jokes and the like...this doesn't sound like a part of doing their job effectively.

    I am surprised that 160 CIA employees would get together to use a secret chat room.

    And you would do what? Slap chains around their ankles? If you didn't get riots you'd get some quite demoralised and less effective workers. They should be (and hopefully are) trying to work out what's wrong with the working conditions that caused people to do that -- not slapping punishments on everyone, demoralising them even further.

    What I'm trying to say is that if 160 people are breaking the rules, obviously the rules aren't designed well enough to accommodate people effectively. When rules are made too inflexible to fit people, they'll get broken and so there's not much point in having them anyway. Show a bit of respect by allocating some freedom for people and they'll usually surprise you.

    The CIA is a special case and there would be some specific things that they couldn't do, but it's in everyone's best interests that the people working there are enjoying what they do. For example, if they don't want unchecked s/w running on their network, perhaps they need to create a separate intranet where employees can run unchecked s/w.


    ===
  • Excuse me if I'm wrong, but if you work at the CIA, you're not there to chat. You're there to do work. The CIA has every right to be mad.
    Wouldn't you be mad if you went to the DMV to take a driving test, and they said, "Come back Friday, I'm in a chatroom right now...?"

    --
  • I work for a directorate of the Office of the Secretary of Defense. We have three networks, one unclass, one connected to the SIPRNET, and our private intranet, which is also cleared for materials up to SECRET. The intranet is not connected to any other network. There are no uncleared accounts on our classified networks. The very idea fills me with horror. You have uncleared people with accounts on your classified network!?! What contractor did you say you work for?

    Anyway, no one gets an account on our network without a clearance. It's not a big deal to install software on the intranet because you can't unknowingly open a hole to the Internet or SIPRNET -- they're not connected. And there's no uncleared personnel with accounts. (shudder.) The network links cannot be monitored without breaking the military-grade encryption.

    I would assume that the CIA likewise does not have any uncleared personnel on their network, so the scenario you propose does not apply.

  • In an age where most companies embrace chat/irc/etc. for communication for their employees, the spooks take it 10 steps back and go on a witch hunt for people using IRC!

    Sorry, I have to disagree. Consider this: Every second those "hackers" spend on chat/irc/etc. is a second wasted when they could be doing something constructive, like, their job.

  • It sure is a good thing I don't work at the CIA!
    It has been months since I've made it through the day without either using IRC
    or playing a few (10 or 20) rounds in Counter Strike.

    I work at an educational institution. Particularly, one with a limited amount of intelligence.

    Don't trust the spoons.
  • by SEWilco ( 27983 ) on Saturday November 11, 2000 @11:29AM (#629965) Journal
    "Hey, I think the boss knows about this."

    "Don't be paranoid, what do you think this is, the NSA?"

  • No, no, no! The whole reason the media likes to shout that every story is about our "national security" is to pique people's interest so they don't change the channel back to "Friends" or "Just Shoot Me". We Americans seem to enjoy being scared out of our wits, considering the popularity of UFOs who anal-probe people, people losing their identity on the Net, or smoking cigar guys walking around in your underwear at your house.
  • by fjordboy ( 169716 ) on Saturday November 11, 2000 @11:40AM (#629967) Homepage
    "innovative, out-of-the-box, unconventional thinkers
    Someone at our government being unconventional? whoa....whoda thunk it?

    But really, these people work at the CIA, did they think they wouldn't get caught? or were they expecting to lose their laptops before they did get caught.....

  • I'm sort of split on my opinion on this. I'm a big advocate of privacy in the workplace, and I can certainly see why this would cause some concern on that ground. On the other hand, the CIA is not your standard business. The Company has, and has always had, very specific and clear concerns about information flow, and I can't help but assume that the workers involved were aware that what they were doing would be against Company policy. In other words, privacy is good, but should it have been expected in this situation?
  • Um. There is no `outside' to a network like this.

    In these days, people expect that all networks are connected somehow, because the Internet is so ubiquitous. But this wasn't always true. I'll lay down good money that the CIA's internal network isn't connected to anything else. The people on the network all have clearances. The connections on the network are all encrypted.

    Now, I don't know how strict the CIA is about their policies... but consider: Suppose there are 200 computers networked together inside the CIA headquarters in a secure area (accredited for open-storage of classified information). Those computers aren't connected to anything else. The hard drives are removed from the computers and locked in safes when not in use. There are alarm systems with motion sensors and armed guards. To get an account on the network requires having a clearance on file. What is the great danger of running a chat server again? Who was it that was going to 'root' their box?

    I don't work for the CIA, but I do work in an environment similar to this. Don't make assumptions about their security by comparing it to something you're familiar with.

  • "The serious thing for us is people willfully misusing the computer system and trying to hide what they were trying to do," said one intelligence official. "If they were doing this with the KGB's computer system, we'd be giving them medals. Sadly, it was ours."

    Now here's a perfect double standard. Fuck with the enemy's systems, and we'll give you a medal. Do the same with ours, and we'll shoot your ass. The funny part is that it was a chat room. Chat rooms are forums for essentially free speech. So the enemy probably would shoot you for attempting to practice your right to free speech. Thus, we have a situation here where they'd be damned by both sides.

    This has all the smell of bad political infighting. As the Washington Post article points out, it seems "highly suspicious that all of those supervisors, not to mention the numerous component network administrators and security personnel, were unaware over a period of years of illicit computer usage by a group of 160 personnel". So something happens, and somebody who does know about this particular skeleton digs it up and uses it against "several officials, including members of the Senior Intelligence Service, a cadre of career officers at the upper reaches of the civil service system". They wind up with letters of reprimand in their folders or worse, fired. In any event I strongly suspect there's a lot more going on that we don't know about - yet.
  • The Associated Press just released an article on this topic.

    Spy Agency Investigating 160 Employees, Contract Workers for Unapproved Site [tbo.com]

    WASHINGTON (AP) - The CIA is investigating 160 of its employees and contract workers for exchanging "inappropriate" and off-color messages on a covert "chat room" in the spy agency's classified computer network, The Washington Post reported.

    more [tbo.com]

    --
  • uuh..no. the CIA personnel are there to gather intelligence. if chatting helps them do their job better and interface with friends why stop them ? plus it teaches them computer skills which would be useful in practical terms - evading admins/setting up hidden software etc. granted that the CIA doesn't do any useful job anyway....
  • by Tor ( 2685 ) on Saturday November 11, 2000 @11:34AM (#629973) Homepage

    Seems like these guys are really good resources to understand and deal with computer crimes and other computer-related operations. Why would CIA want to criminalize them, leaving only meek people behind? Sure, that's gotta make them more savvy and efficient as an organization.

    Seems to me that what these people were doing is pretty harmless from a national security point of view. If their management does not trust their intentions and their judgement skills, they should not have hired them in the first place.

    Now, instead, they will make CIA an organization only for dead weights.

  • by 91degrees ( 207121 ) on Saturday November 11, 2000 @11:43AM (#629974) Journal
    I'm more of the "What the hell did they think they were doing" mind. You seem to mention that the CIA is "not your standard business" as an aside. I think it's the most important point. These people should expect to be spied on. They are in a highly trusted position. These machines should be as secure as possible. Running unauthorised software on it, even a home written version of "Hello World" should not be allowed. These are key machines. They should be as secure as is humanly possible. The rules should not be stretched, bent, or broken, no matter how stupid. These people should be perfect. They should not have any privacy from their employer, and they should accept that.
  • by MathJMendl ( 144298 ) on Saturday November 11, 2000 @11:43AM (#629975) Homepage
    seineeW erA srekcaH IBF
  • In counterpoint, how many of us are reading Slashdot, or are on IRC, or whatever in a little minimized window or in a window on a different part of our desktop while we are at work? Are we really in a position to judge? Also, they get coffee breaks and lunch breaks too, and I don't see why CIA would have a right to get mad if they were using *that* time to be in a chatroom..
  • What, you think the KGB and the CIA are equivalent? Perhaps morally equivalent, but morals are not what government is about. The CIA exists for reasons of national security of the UNITED STATES, and the KGB exists, putatively, for reasons of national security of RUSSIA. Those reasons are not the same!!

    If you work for the CIA, things that you do to further US national security, even if they might harm Russia to some degree, are rewarded by the US. Part of the CIA's job is to find out things about Russia that the KGB might not want to tell the US.

    On the other hand, if you work for the CIA, things that might *harm* the US are punishable, and should be. There is a fundamental asymmetry between Russia's interests and America's interests that distinguishes between these actions.

    I find it quite naive of you to suggest that this is primarily a free speech issue. The CIA does not provide computers and networks to further their employees' free expression. In fact, public expressions of secret information are often punishable, regardless of the First Amendment, because, according to the classifying authorities, such disclosure would cause some harm, or risk of harm, to the US's national security. I am sure that the CIA employees have had this explained to them, and agreed in a legally binding way. Your First Amendment arguments are a red herring.

    Chat rooms are potentially forums for exchanging *information*, and *information* is what the CIA deals in. Furthermore, installing this software creates connections that might allow the network to be accessed from the outside, which is an additional risk.

    I don't understand at all what you mean about the enemy "shooting you" for practicing free speech.

    I don't disagree that there is some bureaucratic infighting going on. What do you expect in a government bureaucracy? Some sort of utopia for hackers and "free" speech?

    Every time I feel compelled to explain things this obvious, I worry that I've been trolled.
  • How is this a double standard? In the army, if you shoot the enemy leaders, you're a hero.. If you shoot your own, you're a traitor.
  • I didn't! It truncated it and wouldn't let me edit it! This did NOT happen in preview mode. Fsck that.
  • by Amigori ( 177092 ) <eefranklin718 AT yahoo DOT com> on Saturday November 11, 2000 @12:39PM (#629980) Homepage
    On the government computer systems that I help administer, we find unauthorized software on our systems on a daily basis. Our users are required to sign User Agreements that say do not install any unapproved software, but they do it anyways, always thinking they won't get caught. Unfortunately for us, when they do get caught, management usually dismisses it, saying we are a customer based organization and the customer, no matter how stupid and wrong, is always right. They always go free with no punishment. I don't think these people will be so fortunate. The programmers who did this should be promoted, while the management should be fired or relocated to a "radar tower in Alaska."

    I found it interesting, that the article said, "...which CIA investigators discovered while performing routine computer security checks..." Then later said, "...'This activity has apparently been taking place for some time...'" If it was a routine check, then shouldn't they have caught it before it got out of hand? The only reason they didn't, that I can think of, is they wanted to catch the guilty parties involved. I don't feel sorry for any of the parties involved because they breached their contract.

  • Comment removed based on user account deletion
  • I read this because my original somehow got moderated up :o

    Yeah, I want people who can follow orders working for Our Intelligence Community too. (*sigh*) I guess I can't have my cake and eat it, too...

  • No, you misunderstand. As I assume you know there is a difference between being "cleared" and having a need to know. If you have a large system of many different parts, you don't want to give access to everyone who gets a simple security clearance. So, someone can have an unclass account on a secret network who has clearance but no need to know for certain classified data. A network with no security hierarchy would seem to me to be a scary thing. And, SIPRNET is indirectly connected to the internet. And you're right, all communications are encrypted, but it's still a hole. Internal theft is not that big of a crime, but I have worked on systems in other countries and Internal theft is one of their top priorities. Take the breaches at Los Alamos for example...
  • Will we ever know how the "chat room" was set up? i.e. Did they set up a 31337 IRC server, or did they hack together their own service?
  • Somewhere out there a poor script-kiddie got a hard-on.

    The rest of us are disgusted at the use of the word illicit.

  • Just saw the movie last night:
    we're here to defend democracy, not practice it
    FunOne
  • ...they should market this!

    I can see it now: "Use CIA-IRC, the server used internally by the CIA!" Give the hackers a kickback, keep the rest of the money to fund black bag ops or something.

  • I agree...I work for a market research firm...not the CIA...and I most certainly have full privs on all of our servers - unix and NT - and could most likely set up my own IP and chatroom without too many people taking notice...but if I did that, I would a) consider it wrong, and b) expect to be punished if caught...

    who are these twits? how many of us would do this without permission at our places of employment? ...not too many, I suspect, unless we're in the position of the person who needs to give the permission.

    I don't find this incredibly newsworthy, other than the fact that operating something like a chat room just provides yet another hole that some unscrupulous person could use to gain access to information. At my place of employment, that would most likely be data about something ridiculous like cat food or toilet paper. At the CIA, the information that they could gain access to is MUCH more sensitive. I applaud any disciplinary action against these two "hackers".

    PS ...and if you're a real "hacker", you'll set up the chatroom on SOMEONE ELSE'S server without them knowing ;) Doing it on your own servers is no challenge...
  • And what exactly is !")? meant to look like?

    Perl.

  • "I'm sad to see that, as usual, the control freaks of the world are eager to lynch anyone who makes 'unauthorized use' of a computer."

    In this case, it wasn't just "unauthorized use." The chat room was inside a classified network. Even though the CIA admitted that nothing was compromised, in due time, it may have been. Having a publicly-accessible chat room on a network just like the CIA's is an invitation to jump into the network, and that's a big security no-no.

    Read the article next time. HTH HAND

    --
  • Plus they were more or less allied with the Soviet Union back then, a group not exactly known for their kindness and generosity.

    Yes I do know history and I believe that using the bomb was a necessary political maneuver to prevent from having the Soviet Union have a massive foothold in southeast Asia.
  • Dude, if you were that conspicuous about wanting local admin on your NT machine, you're probably at the top of the list of people to watch. There's more anonymity and privacy to be gained from appearing to blend with the crowd than from relying on your technical prowess, however awesome it may be. Hell, they could point a good old fashioned analog security camera at your keyboard if they wanted, and you'd never be the wiser.
  • The "secrets" were well-known; hundreds of lab animals died as a result of radiation exposure during tests leading up to the first detonation, and investigations into the plants and animals that survived the initial test blast led us to a fairly detailed knowledge of the effects. Read up a little on the history of the drops; Truman really struggled with this decision, and the only reason a second was dropped was because the Japanese began to redouble their efforts to build a defense for an invasion. It wasn't until an official communication to the Japanese government that we had more (whether we actually did or not seems to be a matter of debate), and the will to use them, that the Japanese realized how futile it was to continue the war effort.

    China may be more likely than most to use the bombs, but that does not mean that they will sleep easily. Whoever gives the order knows that tens of thousands of innocents will die, too, and while it's possible to assert that "the enemy" has no ethical block to using such weapons, I'd invite you to examine the suicide rate of anyone responsible for the launch anywhere in the chain of command that survives the inevitable response.
  • A smart manager might ask, Why was this software installed and why was it so popular?

    A smart manager would have made sure that the work environment is such as not to make it necessary for the employees to install "unauthorized software" in the first place.

  • >The Powers That Be in The Company must feel that they are "in control."

    Well, yeah, they must not only feel it, it must be TRUE for them to do their job effectively! What are they, the Boy Scouts? It's a US government intelligence agency, for Pete's sake!

    Either secrets are worth keeping, or they are not. The CIA must maintain solid control over its infosystems. What's so hard to understand about that?

    Would you let a luser make arbitrary modifications to inetd.conf, install their own CGIs or just su to root whenever they felt like it?

    >The Company doesn't want stars, they want people who follow orders and procedures.

    Good. I want that at the CIA too. Those guys have an important job, and they should do it right. They aren't paid to chat each other up in some stupid non-approved app.

  • Is Slashdot considered work related?

    Err, reading Slashdot is an efficient means through which I can stay current on various developments within the computing industry, thus allowing me to more effectively do my job. At least that's the rationalization that I'm sticking with.

  • It's National INTEREST. Unfortunately, the world is in a state of anarchy with every country out for itself. There's no "Daddy" to discipline the bad countries and reward the good ones. The only solution to this is a world government, and don't expect one anytime soon. It mainly depends on your beliefs, if you like the system or not. I see the logic behind the duality of morals theories (Go read some Thucydides). And actually like them. Moral actions are for the individual. The state's only responsibility is to look after the well being of its own citizens. If you disagree with me, go form a world government that works. :P
  • Or if you look at it another way, They are doing an EXCELLENT job because we don't even know what they are doing....for all we know, they might have prevented 4 nuclear world wars, we just don't know it. So while we are busting on them for sitting on their lazy butts in chatrooms, we might have agents in the field that are protecting our welfare....if we don't know how well of a job they are doing, that must mean they are doing an excellent job of keeping it all really lowkey.

    Or, maybe they do suck at what they do and have us think that they suck at what they do so that we think they don't suck.....erm...that didn't make sense.

  • by T-Ranger ( 10520 ) <jeffw@NoSPAm.chebucto.ns.ca> on Saturday November 11, 2000 @11:49AM (#629999) Homepage
    Exactly.

    As the Captain from Crimson Tide put it so eloquently:
    we're here to defend democracy, not uphold it.

  • I have this picture in my head of Tom Cruise hanging from an air vent and installing BitchX on his laptop...
  • "If they were doing this with the KGB's computer system, we'd be giving them medals. Sadly, it was ours."
    So how are they going to perfect their 1ee+ h4x1n6 sk111z if they can't practice on their local system?
  • by jjr ( 6873 ) on Saturday November 11, 2000 @11:55AM (#630006) Homepage
    Hey this violates the CIA policy then they should get reprimanded. At any job if you use the computer for non work related items without permission then you will get in trouble. Hell this is the CIA. I am not surprised they are finding themselves without a job.
  • by atrowe ( 209484 ) on Saturday November 11, 2000 @11:57AM (#630007)
    "At any job if you use the computer for non work related items without permission then you will get in trouble"

    Wait a minute? Is Slashdot considered work related?

    Gotta go!

  • by Dwonis ( 52652 ) on Saturday November 11, 2000 @11:59AM (#630009)
    It looks like simple security policy enforcement to me.

    Think about it: they ran a public server from an internal network that has access to sensitive information. This is very bad, security-wise. What would happen if somebody outside rooted their box? Depending on the information that could be accessed, people could die because some morons were running some IRC server.

    This wouldn't be the first organization that's fired employees for breaking the security policy. This story fills me with nausea.
    --------
    Life is a race condition: your success or failure depends on whether you get the work done on time.
  • If those CIA computers have keystroke monitoring software/hardware installed, I certainly hope they're connected in a way that doesn't allow someone other than their boss to monitor them.
  • by Detritus ( 11846 ) on Saturday November 11, 2000 @01:20PM (#630017) Homepage
    I'm sad to see that, as usual, the control freaks of the world are eager to lynch anyone who makes "unauthorized use" of a computer.

    I'm just waiting for the day when everyone gets a neural implant that automatically detects non-business related thoughts during company hours. After all, we provide the air that you breathe. It is against company policy for anyone to have independent thoughts while breathing the company's air.

    Just because you can legally treat your employees like serfs doesn't mean that you are obligated to do so.

    A smart manager might ask, Why was this software installed and why was it so popular?

  • "The Company has, and has always had, very specific and clear concerns about information flow..."

    Good point. The CIA might have situations where they depend upon compartmentalization: they might give the same data to two groups and compare the results, or they might give pieces of the data to different groups in an attempt to disguise a common origin. The organization may prefer for information to not leak between groups.

  • While I might normally agree with your "he who is without sin gets to cast the first the stone" argument, I'd have to say that at my workplace Slashdot goes through a proxy/firewall and I'm forbidden by company policy to install unauthorized software on my desktop. Web pages in general would therefore be perhaps off-topic and constitute "theft of time" from my employer, but they would not be a security risk in any sense of the word. As far as IRC, depending on how that was conducted, it might or might not constitute installing unauthorized software. If you are installing mIRC against policy, that's no different than any other package... but if you are simply telnetting to a shell on a different machine, that probably didn't require the installation of new or unauthorized software (given the default inclusion of telnet in most desktop packages). If the CIA has a policy and these guys broke it, the commonplace nature of the violation does not make the violation less a violation. By the same argument, driving over the speed limit should exempt drivers from the speed limit as long as they are all doing it.
  • by Hrunting ( 2191 ) on Saturday November 11, 2000 @12:03PM (#630029) Homepage
    The article says:
    The CIA is investigating 160 employees and contractors for exchanging "inappropriate" e-mail and off-color jokes in a secret chat room created within the agency's classified computer network and hidden from management.

    And then it says:
    If they were doing this with the KGB's computer system, we'd be giving them medals. Sadly, it was ours.

    Umm, if they were sending around dirty e-mails and fart jokes around KGB computer systems, I doubt we'd be giving them a medal. I think it'd be more like "Why were you dicking around on their computer systems and not gathering information?"

    And how come everyone who "thinks outside of the box" is automatically a geek and a hacker? Where I work (which is not the CIA), we reward people who think outside of the box, but we'll also fire in a heartbeat those people who abuse our systems, even if it's something minor. Why? The reason is that when someone abuses something for a harmless reason, there's no reason that they might someday cross the line and abuse it in a very damaging way. It's about responsibility and decision making capabilities. If they can't conduct themselves in a responsible manner, they're a potential liability. Whether they think "outside of the box" or not is irrelevant. Conduct and action do not have an effect on the ability to solve problems.

    Frankly, I'm glad that the CIA is watching their internal networks and trying to maintain good employee conduct. I wouldn't want some care-free hacker in charge of maintaining information that, if put in the wrong hands, could endanger the welfare of the country, just like I wouldn't want some carefree hacker on my computer network doing things that could possibly make my work day more hectic.
  • by atrowe ( 209484 ) on Saturday November 11, 2000 @12:07PM (#630033)
    (Boss walks around the corner and catches a glimpse of your screen)

    "Just what the hell are you looking at? Is that a picture of a man spreading his asscheeks?"

  • I slightly disagree. It is not about security vs privacy only. A complete control over information flow is a chimera. Any attempt to achieve it results in practically no information flowing at all. The CIA has goals, and the most important one of them is to provide information to the government.

    If senior employees have keystrokes monitors, that means that all communication between them is 'official' and vetted by their back-of-the-head-lawyer. This should be devastating in an organization whose purpose is to evaluate and analyze information.

    There's a tradeoff here between security and being able to successfully do the job. Out of fear of scandal and the desire to cover their ass the CIA has compromised its usefulness in the interest of security ( job security mostly).

    At the end of the day, the price of this attitude is dead Americans in botched or badly conceived missions.
