Forgot your password?
typodupeerror

Military Secrets for Sale on Stolen USB Drives 225

Posted by samzenpus
from the find-the-battleship dept.
nTrfAce writes "Per a BBC Article, "US forces in Afghanistan are checking reports that stolen computer hardware containing military secrets is being sold at a market beside a big US base. Shopkeepers at a market next to Bagram base, outside Kabul, have been selling memory drives stolen from the facility, the Los Angeles Times newspaper says.""
This discussion has been archived. No new comments can be posted.

Military Secrets for Sale on Stolen USB Drives

Comments Filter:
  • Strong encryption (Score:4, Insightful)

    by VincenzoRomano (881055) on Thursday April 13, 2006 @05:10AM (#15119547) Homepage Journal
    I hope that those soldiers were using strong encryption for file systems.
    I hope that those soldiers were not storing sensible data on those drives.
    I hope that those soldiers were not storing weird photos involving prisoners ...
    Real world tends to be different from hopes!
    • by meringuoid (568297) on Thursday April 13, 2006 @05:16AM (#15119563)
      I hope that those soldiers were not storing weird photos involving prisoners ...

      If soldiers have been abusing prisoners, I'd prefer them to photograph themselves doing it and then store those photographs on disks which are later stolen and leaked to the press.

      Otherwise, how will we ever know what our armed representatives abroad are doing in our names?

      • Otherwise, how will we ever know what our armed representatives abroad are doing in our names?

        But shouldn't soliders have the right to strip prisioners naked and photgraph their anuses, without fear of government surveillance?
      • with every leak of photos I now realise that not only are they abusing prisoners (in my name), but I've seemingly armed a complete bunch of retards.
        At least if they kept the abuse quiet, whilst it would be equally bad, I'd know we only had abusive non-redneck-retards.
      • There is already ample evidence. vv
    • Re:Strong encryption (Score:3, Informative)

      by Saven Marek (739395)
      > I hope that those soldiers were using strong encryption for file systems.

      Remember encryption isn't the be all and the end all. What happens when you lose your own keys?

      And keys on a laptop itself, well that's all portable too. Laptop + usb key means nothing since you have to carry the encryption keys with you. Without doing that your data is useless, and carrying them with you means when the laptop is stolen, you have the key stolen with it.

      Instant access to your data. If they have your key they also c
      • Losing your key is just like losing your data... it's not called "lost" for no reason. And what happens? You learn a lesson.

        And no, encryption might not be 100%, but it's still more than 0%.

        (But then I couldn't exactly be able to trust someone to look after information if they can't even look after physical objects)

      • If they have your key they also can unencrypt anything else of yours


        Darn, so all those passphrases I keep in my head get magically stolen along with the key they go with?

        What kind of idiot keeps keys that can decrypt everything they own on a portable device, but doesn't make it so that you have to know a passphrase to use the key?

        Well, leaving aside government users.
    • Data could have been wiped first, to help them in their denial as to where they were stolen from (or that they were even stolen).

    • I hope that those soldiers were not storing sensible data on those drives.
      just our battle plan for the war on terror, that's not sensible enough to worry about. oh, you meant sensitive?
  • by Anonymous Coward on Thursday April 13, 2006 @05:13AM (#15119550)
    ...but how do they know the 'secrets' are actually that and not some kind of decoy?
    • Short answer: they don't.
    • by mrogers (85392) on Thursday April 13, 2006 @06:49AM (#15119729)
      Military Intelligence has released a list of the secrets that have been recovered and those that are still at large. Among the recovered secrets:

      • The B2 Stealth Bomber is just a decoy made out of balsa wood and black paper; smart bombs are actually delivered by UPS
      • Lee Harvey Oswald acted alone; the FBI and Secret Service were so embarrassed by their failure to protect the President from some wandering nutjob that they spent the next 30 years trying to create the impression there had been some kind of conspiracy
      • A 1989 Cheers episode that made reference to the Kennedy assassination was seized by the CIA minutes before it was scheduled to air; the tape went missing, and so far 11 American civilians have been killed in the effort to prevent it reaching a wider audience
      • Aging Cuban guerillas launched a successful coup in Washington DC while the nation's attention was focussed on the last episode of Sex and the City. President-for-Life Fidel Castro described it as "a good day to bury good news".
  • Why? (Score:5, Insightful)

    by bl00d6789 (714958) on Thursday April 13, 2006 @05:14AM (#15119558)
    Let me be the first to ask: Why the hell is the military storing sensitive data on USB drives, which are prone to both theft and failure?
    • Re:Why? (Score:5, Insightful)

      by michaelhood (667393) on Thursday April 13, 2006 @05:19AM (#15119569)
      Policy and practice are often quite distant from each other in reality. Especially in government; military or otherwise.
    • Re:Why? (Score:5, Insightful)

      by 1u3hr (530656) on Thursday April 13, 2006 @05:23AM (#15119573)
      Let me be the first to ask: Why the hell is the military storing sensitive data on USB drives, which are prone to both theft and failure?

      Most likely it's just sneakernet; moving files from laptop to PC etc. After transferring the files they forget to wipe the USB stick. The army will probably try to stop this by mandating it not be done. Which will work for a while till troops rotate and a new batch come in. The only real solution is to physically disable USB ports, which would be difficult with the number of legitimate USB peripherals now. Otherwise everything needs to be transparently encrypted. The military fears losing access to critical data in battle more than possible security breaches though.

      • Re:Why? (Score:5, Interesting)

        by arivanov (12034) on Thursday April 13, 2006 @06:19AM (#15119678) Homepage
        The army will probably try to stop this by mandating it not be done.

        Once upon a time it could force that it is not done. This is what levels of security above C and OSes like Trusted Solaris were all about. Not about being unhackable, but about it being impossible to copy data from a higher security container to a lower. Granted, someone with high enough security clearance and rights to declare his USB drive "secure" could have gotten past that as well, but the average PHB wannabie corporate ladder climber could not do anything about it. He could not "take work home".

        This is also coming back. The slashdot crowd keeps bitching about Vista DRM being Digital Wrongs Management and being mostly promoted by pigopolists. Once again wrong. Along with AD it will allow any corporation to force a mandatory encryption policy on all the data on all media in the house at the click of a mouse. Throw in this the usage of TPM chips on all Vista ready PCs and this will make any data that a corporation wants to make unrecoverable without proper access credential on a PC really unrecoverable. All of this centrally controlled. This will also result in much faster adoption of Vista in the enterprise than people can even think off, especially for mobile devices.

        This also means that if Linux is to compete for the desktop it will have to have the same features regardless of Stallmans desires. This is one thing on which Linus is absolutely right. The usage of DRM by pigopolists is a current fad which is only a minor fraction of its actual use. The real use of DRM is to enforce a security policy on data across an enterprise. Having this will be essential to the success of any OS out there in 2-3 years. Also, there is no problem with DRM being opensource. Essentially DRM is nothing but a crypto application. Same as with every good crypto - having the source should not allow one to break it.

        • Re:Why? (Score:2, Informative)

          by blowdart (31458)
          Once upon a time it could force that it is not done.

          Whilst not as fine grained as you are talking about you can completly disable USB drives, at least on Windows 2000, XP and Windows 2003 by tweaking file system permissions or the registry. Microsoft even detail it in a knowledge base article [microsoft.com] and it can be enforced by a domain policy if you're running AD.

        • The usage of DRM by pigopolists is a current fad which is only a minor fraction of its actual use. The real use of DRM is to enforce a security policy on data across an enterprise. Having this will be essential to the success of any OS out there in 2-3 years.

          Sounds plausible, but there's a problem in your logic. Money.

          How much money is there in enterprise-level security? Now compare that with the balance sheets of the music and the film industry. Seems to me that the weight and influence of the those ind
          • Pure Crap.

            As much money as the music and film industry have, it doesnt hold a candle to the banking, financial services, legal services, and insurance businesses, all of which would be interested in the GP's DRM mention.

            Nice try.

            B
          • How much money is there in enterprise-level security?

            Well, as someone who makes a living in enterprise-level security -- there is an enormous amount of money in it. Most of the clients I work with consider spending $100 per year, per employee on workstation-level security a no-brainer, and are willing to spend significantly more, and that doesn't even consider the back room infrastructure, or the cost of all of the security people and the admins that implement their policies.

            Now compare that with the

        • This is what levels of security above C and OSes like Trusted Solaris were all about. Not about being unhackable, but about it being impossible to copy data from a higher security container to a lower.

          I consider that a Good Thing (tm).

          Granted, someone with high enough security clearance and rights to declare his USB drive "secure" could have gotten past that as well, but the average PHB wannabie corporate ladder climber could not do anything about it.

          They wouldn't have to. That's why they have IT depart

        • by aaronl (43811)
          DRM has absolutely nothing to do with security. The Vista DRM is all about Microsoft telling you what you're allowed to do with your OS, and RIAA/MPAA telling you what you're allowed to do with your content.

          Personally, I don't want TPM. It allows my computer to be uniquely identified down to the hardware. It's the same reason that people were so upset over the privacy implications of the Pentium III CPU serial number. The whole DRM nonsense that is destroying technology today is ridiculous. It's like y
        • by Rich0 (548339)
          This also means that if Linux is to compete for the desktop it will have to have the same features regardless of Stallmans desires. This is one thing on which Linus is absolutely right. The usage of DRM by pigopolists is a current fad which is only a minor fraction of its actual use. The real use of DRM is to enforce a security policy on data across an enterprise.

          Easy solution to this - pass a law that states that anybody who buys or rents hardware is required to be given a human-readable list of all keys
    • Re:Why? (Score:2, Interesting)

      by plankrwf (929870)
      How else to spread sensitive information?
      At least this way, no president needs to leak [nysun.com] anything himself
    • by mcvos (645701)

      Why the hell is the military storing sensitive data on USB drives, which are prone to both theft and failure?

      More importantly, why is the sensitive data not encrypted? You'd expect that people handling sensitive information receive some sort of training in how to handle that inofmration.

      Alas, similar things have been happening in the Netherlands during the last couple of years: a public prosecutor throwing his PC with unencrypted info about criminal cases in the trash, a USB stick with sensitive mili

    • I had the opportunity to visit a Canadian Government IT tradeshow given in Ottawa. One of the firms marketing their devices specialized in USB/Portal drives which had finger print scanners built-in. According to the salesman these things were selling like hotcakes, especially in the US military.

      As mentioned before, they tend to be used for things like sneaker nets, where bandwidth requirements of the data inside (G2/Int) would simply bog down the communications network. This is especially critical yo
    • Why write on paper rather than on stone blocks? Because it's cheaper and portable! Seriously, some actual use of USB drives shows how handy they are for storing data in a place where electricity is unreliable and laptops are prone to failure with a repair time of weeks or months. How to protect them from theft is a real problem, of course.

      But a $10 USB drive can hold a soldier's email from home, some music to share with their friends, their transfer orders, a map of the local area's targets for the next day
  • why/when. (Score:5, Insightful)

    by rew (6140) <r.e.wolff@BitWizard.nl> on Thursday April 13, 2006 @05:29AM (#15119586) Homepage
    Why and when are rules ignored?

    Here in the Netherlands, there has been a series of cases where sensitive information has leaked through stolen/lost hardware, and every time some official was breaking the rules.

    The rules were unworkable: DO NOT TAKE YOUR WORK HOME.

    So, no reading of a report on the train, no after-dinner report writing. Nothing. Ambitious people break the rules to perform better. So they take stuff home anyway. As long as the hardware doesn't get stolen, nothing is noticed. Big publicity when sensitive information makes it to the press.

    But if they were to start policing the policy, a lot of the ambitious people would eventually give in to the rules, and simply watch tv after dinner, and read the newspaper on the train. Results? Productivity drop.
    • Re:why/when. (Score:3, Interesting)

      by plankrwf (929870)
      This is a known problem indeed. (Someone modd parent up, I haven't gotten modpoints right now).
      I remember a case at a client in which we had to mail a very sensitive, very important document very quickly.
      Turned out we couldn't mail it using the clients own mailsystem, as... it didn't allow Word-attachments (or Zip or ...) to be sent along...
      In the end we ended up taking the document on a floppy (yes, this was some years ago), to a 'learning centre' computer which was attached to the internet, and w
      • Re:why/when. (Score:2, Interesting)

        by cocotoni (594328)
        I don't want to sound like I come from that Monty Python sketch, but that is nothing.

        Long time ago we had to transfer some sensitive data between two military bases. The data was saved to a floppy (8" floppy at that), put in sealed envelope, in the locked suitcase chained to the carriers wrist, into APC, to the airport, helicopter, APC, and straight to us. The whole nine yards.

        And then we found that the caporal on the other end found it bizzare that there was something shuffling in the envelope, and to secu
        • And then we found that the corporal on the other end found it bizzare that there was something shuffling in the envelope, and to secure it better he put a couple of staples through the envelope. And through the disk.

          Security thru immobilization!
      • Not to second guess you so far after the fact, but did you try sending it by simply giving it a .txt extention? Even today, content filtering is rarely done and file type filtering is mostly done using extentions.
    • Similarly we've had several reports in the press about MI5/6 agents/staff leaving their laptops in Taxi's - whenever data is portable it is at risk of loss or theft...
    • Re:why/when. (Score:5, Insightful)

      by Darren.Moffat (24713) on Thursday April 13, 2006 @06:12AM (#15119664)
      "Results? Productivity drop."

      I personally disagree, in my experience you actually in the longer term get a productivity increase. Why ? because the people are more relaxed and more refreshed with a balanced lifestyle that isn't all "work work work". People who constantly take work home are marters to the job or just really bad at planning.
      • Absolutely correct, but in some jobs productivity is measured by the number of hours you put into it. Many professions like Lawyering and even Doctoring are billed by the hour, not by acomplishments.
      • Productivity after hours is a function of what type of work you are doing. If you spend most of the day being distracted every 30 minutes by a phone call that must be answered, it is quite hard to write a report-- getting two hours undisturbed on the train or after dinner can be a significant boost.

        BUT, if the extra time is constrained by the same factors as the normal day, there will be no productivity gain.

        The same is true for manual/trade labor - you only get a week's worth of work out of people, no mat
    • Reminds me of a friend of mine who had to support an application for the the Israeli military. Over the phone they finally realised that he needed to be at the machine to fix it. Took months getting approval.

      When he finally got approved he was allowed enter as far some guard post, at which point another guy came out and talked to him through a fence. He never once saw the machine.

    • Well, what will cause more serious drop to the productivity of the government, no afterhours for the ambitious or a gas bomb killing off 98% of the government members when the security information is leaked and the bomb hidden in the parliament building, thanks to some ambitious security officer's laptop stolen?

      I bet this all could be avoided by enforcing proper use of strong encryption. Ok, the hardware got stolen but the thief won't break the cipher. No biggie. Otherwise, it could be easily considered tre
      • "or a gas bomb killing off 98% of the government members when the security information is leaked and the bomb hidden in the parliament building"

        OR the combined melodrama of a cowering public that believes that 98% of government members are going to be within fatal range of a gas bomb at one time, a scenario that would obviously go undetected if it weren't for data being stolen...

        No don't tell me, I wanna guess

        • Some inaugurational parliament gathering, these aren't too secret and most of country officials attend these. And if several smaller bombs go off simultaneously in all access corridors to the gathering hall, simply allowing the gas to seep inside while all the exit routes are cut off (by the gas), all the people inside will get poisoned.
          That's why I didn't talk about a conventional bomb, as it would require huge amount of explosives. But several smaller containers with mustard gas in the air vents of all th
    • by Fred_A (10934)
      Why is everybody whining when this is obviously a great win for western values? The afghans have gotten from raising sheep to stealing and sellinf government property in only a few years ! They are now obviously a fully fledged western capitalistic society.
    • At the beginning of my law firm intership last summer, recruits were told not to discuss work out in public. Not ever. Not on the elevators, not around the streets of Manhattan, not the shuttle flight between Boston (home office) and New York (the branch office). There are lots of lawyers and other folks out there who can trade on that information because some of our work involved mergers. I thought this was hype until some guy on the elevator from another firm was discussing a case that sounded familiar. I
    • Re:why/when. (Score:4, Interesting)

      by Bob3141592 (225638) on Thursday April 13, 2006 @09:30AM (#15120325) Homepage
      So, no reading of a report on the train, no after-dinner report writing. Nothing. Ambitious people break the rules to perform better. So they take stuff home anyway. As long as the hardware doesn't get stolen, nothing is noticed. Big publicity when sensitive information makes it to the press.

      If thisis only about company sensitive information, then fine. But if you're talking about military secret or confidential, then the rules are a bit different. You can't read a classified document on the way home on the train, as other people around you could see it. And unless your home was certified as a secure site, it would be illegal to have the docement there. You'd also need special paperwork to take the document out of it's original building.

      I have to ask who is doing this stealing. If it's by uncleared civilians, then what are they doing in proximity to classified material? Otherwise the stealing must be done by cleared personnel, which is a whole different story of criminal intent. Something doesn't add up here.
      • Re:why/when. (Score:3, Interesting)

        by rahrens (939941)
        I have the same feeling about this. The military is absolutely anal about classified information. Like another poster mentioned, PCs used for classified info have HDs in carriers so they can be removed from the PC for storage when not in use, in addition such PCs are required to have the usb ports disabled through group security policy, if not at the registry level, as well as floppies. They are not allowed to have cd or dvd burners, read only for classified PCs. Such PCs are not allowed to have network
  • by Xiph (723935) on Thursday April 13, 2006 @05:42AM (#15119608)
    The stuff that's stolen is probably not aimed getting highly sensitive data, but at getting a bit of cash from selling the hardware:
    "He reportedly said he was selling the items for their value as hardware alone."
    that lack of organization also suggest the problem isn't huge, a claim also supported by
    "Coalition officials regularly survey bazaars across Afghanistan for the presence of contraband materials, but thus far have not uncovered sensitive or classified items"

    So it's not large scale, hyperterrorsquads selling supersensitive secret soldier material to themselves. but rather small bits of pieces, that together will probably seem as just that. small bits of pieces. It is however always unfortunate that personal and classified information is handled carelessly, but if we can't even handle this properly at home, why should it be any better in Afghanistan.
    I'll give the answer right here: First, get better at handling information security at home, before you start using the technology abroad.
    Don't give sensitive material to people who haven't been screened on how they handled it (I thought this was already a goal the tried to achieve)
  • by rchatterjee (211000) on Thursday April 13, 2006 @05:49AM (#15119622) Homepage
    The BBC article is based on a LA Times article which contains more details like the fact that on the thumb drives they found a list of soldier's SSNs which which they were able to track down the soldier's home addresses.

    Original LA Times article [latimes.com]
    • SSNs (Score:2, Insightful)

      by Anonymous Coward
      SSN should stand for Supposedly Secret Number.

      Everybody knows your SSN. Every employer you've had, every school you've been to, everybody you've applied for credit from, every company that's provided a service like long distance to you. Also, every firm any of those organizations have contracted out their data handling to.

      Fewer people know what shoe size you wear.
      • Indeed.. which used to make me wonder why people are supposedly so protective of their social security number. But from reading plenty of Slashdot (not sure that's healthy, I know) it seems as though having a SSN is like having the master key to all information you could ever possibly want on a person, without further authentication required.

        So it seems to me that people knowing your SSN isn't bad per se, it's the fact that with -just- the SSN, they can do things they really shouldn't be able to.

        It's like
        • The biggest supermarket chain in the UK (Tesco) implmented Chip and pin, did the whole security bit.

          *except* on their 'self service' tills. With these you just swipe your card and walk out - no pin *or* signature required.

          So if you steal a card in the UK, you know where to buy your stuff from (and they sell a fair bit of high value stuff like TVs and Mobile Phones as well).
      • A computer drive sold openly Wednesday at a bazaar outside the U.S. air base here holds what appears to be a trove of potentially sensitive American intelligence data, including the names, photographs and telephone numbers of Afghan spies informing on the Taliban and Al Qaeda.


        It's a good thing those foreigners can't read English. Looks like we dodged a bullet on this one.
        • Even though it's Interesting, this is a perfect example of the lack of reguard the Media has for national security. I'm glad they found out about the thumb drives being stolen. It's a major problem and definately needs to be fixed. However, it draws attenion to it before the military fixed the problem. This gives any Terrorist not aware that this is going on a heads up, here's cheep classified info. I don't have a problem with them reporting on it, but wait untill the hole in security has been fixed. Th
          • Seeing as how the market in question is next door to the base, while the terrorist headquarters is over fifteen minutes away by bus, I think the military has a fair head start to rectify the matter. Also, don't you think that when reporters interviewed/questioned the military about this breach, that might have tipped them off that there was a problem?

            Anyway, you're basically making the security thru obscurity argument. If that model doesn't work for computer security, why should it work for . . .uh . . .com
    • Poor guys... Now their addresses are in the hands of the entrepreneurs in Kabul... they're going to be getting tons of junk mail for "Habib's Roof and Tile" and "Afghan National Platinum MasterCard"... :(
  • by jbenwell (318892) on Thursday April 13, 2006 @06:37AM (#15119713)
    Good points above, but there are a couple of things that I would like to know:

    1. How big are the drives? I find that my 256MB one fills up all the time. If these are 512MB or more, I may want one.

    2. How much? I can get a (new) 1GB drive at Costo for $60 (Canadian), so I'd hope these (used) ones are going for less then that.
  • by Rogerborg (306625) on Thursday April 13, 2006 @07:02AM (#15119748) Homepage
    Mission accomplished!
  • by Errtu76 (776778) on Thursday April 13, 2006 @07:20AM (#15119772) Journal
    Hm. Invading a country. Letting the invaded people work for you at your base with your stuff. And now there's stuff missing you say? Really? Who would've thought ....
  • In situations like this you have to remember that things are rarely stolen, they rarely dissapear, and rarely get disposed of properly.

    So there's G.I. John out in Iraq on almost basic army salary, and poor Mohammed running his market stall and a thriving economy for small items (I've even heard of trucks just 'going missing', then ending up miles away carting opium/hashish/people around the country).

    G.I. John can't sell this stuff directly because he'd get his ass kicked by sarge, but once it gets passed o
  • This is all I could get off it though.

    ---
    Date: Tue, 12 2003 21:54:35
    From: DiamondDonny
    To: George
    Subject: too easy?

    dude - go to google. Type in : weapons of mass destruction.
    Dont hit search tho press the I'm feeling lucky button.

    Date: Tue, 12 2003 22:03:15
    From: George
    To: DiamondDonny
    Subject: RE: too easy?

    > dude - go to google. Type in : weapons of mass destruction.
    > Dont hit search tho press the I'm feeling lucky button.

    wtf? Why didn't we think of using google for this before?
  • We just assume the information is some military secret. There is a distict possibility that the information on those drives is nothing more than family pictures or some other relatively mundane piece of information. I have friends in the FBI who have thumb drives and I just assume that the information on them is classified, but in truth, I know that it is probably a collection of pictures of them at the local bar or on vacation that they are toting to the local photo lab for processing. Nothing like a go
    • We just assume the information is some military secret. There is a distict possibility that the information on those drives is nothing more than family pictures or some other relatively mundane piece of information.

      You know what they say about "ASS U ME", right?

      Try reading the LA Times article. It goes into specific details about what was on the drives. Also read the Slate article (linked above).

      • If the "secrets" were as big as the press intended them to be, we wouldn't have known anything about the contents, good or bad. 1) The LA Times is not an authority on much of anything except the spin that they put on the 2nd hand information that they gather. 2) Sensationalizing the contents of the disks (corrupt Afghani officials) doesn't make the information terribly sensitive.

        It a war torn region like Afghanistan, it is no secret who is corrupt in the government, and it's no secret where military strike
  • I have your military secrets right here! It's yours for only 3 easy payments of 19.95?! That's right only 19.95! And if you act now before you finish reading this post, we'll throw in keys to the pentagon, absolutely FREE!!!! *NY residents must pay sales tax. Offer only good in the continent u.s.
  • by slapout (93640)
    "Pssst...hey you....yeah you...come here."

    "What?"

    "Would you like to buy a usb drive?"

    "No, leave me along."

    "Wait, buddy. See that US base over there?"

    "Yeah, so? This usb drive came from that base."

    "Really?"

    "Yes. Contains important US government data."

    "I'll take it!!"

    ----

    Takes drive home to find that it contains:

    Three love letters.
    One Word Doc. (A memo requestion vacation time.)
    And a copy of solitaire.exe.

Mystics always hope that science will some day overtake them. -- Booth Tarkington

Working...