
Comment Somebody Finally Gets It! (Score 5, Insightful) 52

Good for him! Most DR exercises I've seen are planned weeks, if not months in advance. They are more of a scheduled fail-over to a redundant site and not an actual disaster recovery test.

In the event of an actual disaster, there would be no recovery.

I'm heartened to see SOMEONE does it right.

Comment Re:Employees != Elected/Appointed Officials (Score 1) 223

Appointed Officials are required to comply with FISMA at the very least, which means annual Security & Privacy Awareness Training.

As the person responsible for overseeing this in a Federal Executive Branch Agency, I can tell you first hand that they are required to take the training and, if they don't complete it, will lose access to the Agency IT network.

Been there, pulled the plug myself on a couple. Most know they're required and just take the training without any issues at all.

I can't speak to harassment as that is a totally different arena.

If a Senate-appointed or elected official can't pass a security background check to get clearance, they don't get clearance. It seriously impacts their job and, in the couple of cases I've seen, means they have to delegate that work down a rung or two in the ladder to a Deputy.

Not being able to get a security clearance for good cause, such as ties to a criminal enterprise or foreign government, and not something pedestrian like "your credit sucks", is usually a showstopper for Congressional Appointees. At that point they usually withdraw or resign for "personal reasons".

Comment Re:Who was sending her the emails though... (Score 1) 223

It would have been clintonh@state.gov. Because Gov't e-mail addresses are easily guessable, many appointed heads of Agencies have multiple different e-mail addresses. The one that follows Agency guidelines on naming -- which is a giant cesspool of spam and rants from anyone who can guess the e-mail scheme -- and one that is used to get actual work done.

And honestly, most of the people in State were probably using Outlook, which just hid it behind the simple name of "Hillary Clinton" and didn't display the actual e-mail address.

Comment Re:Clinton should be in jail!!! (Score 1) 223

To determine if it was a criminal offense.

The FBI doesn't investigate "crimes", they investigate incidents to see if they maybe were crimes.

It isn't a crime until there is a criminal conviction. If you shoot someone, the police will investigate. If their investigation determines that the evidence points to justifiable homicide, then *no crime has been committed*.

Unfortunately, that example will make more sense if you happen to be black.

Comment Re: Clinton should be in jail!!! (Score 5, Insightful) 223

The whole "I don't remember getting a briefing" is such colossal bullshit. Those briefings are required by law *annually*, not just once. And she would have gotten a separate briefing when she got her clearance, and any time it was upgraded.

She understands the difference. She thinks she is above all that. Rules, like taxes, are for little people.

Comment Re: Clinton should be in jail!!! (Score 3, Interesting) 223

She didn't tell any lies about the server. She didn't know details any more than a major corporation CEO knows what actual physical server their mail runs on.

She has enough plausible deniability and can answer with enough vagueness to not be chargeable.

"That is what the people who run the thing told me."

In short, she had no real first-hand knowledge of the server setup other than it was in her basement and handled her e-mail. The rest is typical VIP know nothing blather.

Comment Re:Clinton should be in jail!!! (Score 4, Informative) 223

Because at the time she did this it was against State Department internal regulations, but not a criminal offense.

You only put people in jail for criminal offenses that have jail as punishment codified in the law, and even then jail is usually only one of many options available as punishment.

Comment Re:Too secure for insecure? (Score 1) 569

The problem with this argument is the FBI's report does not say it was only a sentence or two. It says there were thousands of classified emails, some of which were entire classified documents, markings and all.

No, it didn't. At least Comey's summary says nothing of the sort.


"Eight of those chains contained information that was Top Secret at the time they were sent; 36 chains contained Secret information at the time; and eight contained Confidential information, which is the lowest level of classification. Separate from those, about 2,000 additional e-mails were “up-classified” to make them Confidential; the information in those had not been classified at the time the e-mails were sent."


"With respect to the thousands of e-mails we found that were not among those produced to State, agencies have concluded that three of those were classified at the time they were sent or received, one at the Secret level and two at the Confidential level. There were no additional Top Secret e-mails found. Finally, none of those we found have since been “up-classified.”


"Separately, it is important to say something about the marking of classified information. Only a very small number of the e-mails containing classified information bore markings indicating the presence of classified information."

So flat out, unless you are in possession of a different report that indicates Comey made up the summary in whole cloth, you're being dishonest in your claims.

An insightful read: http://www.politico.com/magazine/story/2016/03/the-forgotten-1957-trial-that-explains-our-countrys-bizarre-whistleblower-laws-213771

Comment Re:Too secure for insecure? (Score 2) 569

There are "little people" currently in prison for negligent handling of classified. Right now. Actually in prison.

There are also several that aren't. Administrative punishments are common, depending on the material in question, and the circumstances. In some cases, absolutely nothing was done.

For example, all of the people who accessed the early Wikileaks stuff and those people who accessed the Guardian articles that contained the Snowden material. There was an entire PR campaign directed at Executive Branch Agencies reminding people that "until officially declassified, just because it is published in public doesn't mean you can read it".

I personally contacted DHS regarding multiple "classified spills" surrounding the Wikileaks material being accessed on non-Classified systems and sent around in e-mail. Their answer? "Delete it and remind people not to do that. No, you don't have to destroy your entire MS Exchange storage array."

Under your criteria, hundreds of people would have been put in jail. They weren't and some of that Snowden stuff was SCI/Code word.

The Wikileaks stuff in 2010 was Bradley Manning's leak of, mostly, diplomatic cables -- exactly the type of stuff Clinton was dealing with -- except Clinton's was indirect reference (e-mail about) not full cables. In other words, de minimis.

According to your gross misunderstanding of our classification system, what crime did Petraeus commit? He had a clearance, and his girlfriend had a clearance. If "had a clearance" is good enough to excuse Clinton, then why was it not good enough to excuse Petraeus?

You're baiting him. You know the difference, which is Petraeus committed a conscious, direct act in knowingly and intentionally giving classified material to a person who was not authorized to have it. Clearance or not, she didn't have the necessary "need to know".

He also explicitly and directly lied to the FBI investigators by flat out denying he did it. Hillary has been very indirect and there is no indication she ever did ANYTHING remotely similar to Petraeus.

There is a significant difference between "here is my notebook loaded with TS/SCI material that you shouldn't see" and, to the FBI, "never happened"; and "received or sent e-mail that may have contained a sentence or two copy-pasted from (95%) Confidential material".

Comment Re:OK, so how did it happen? (Score 1) 146

Did you watch Citizenfour? There were a couple scenes in there, IIRC, where comments were made about a "second leaker". I believe there were also mentions in some of the Guardian articles as well. Not a lot in either, but definite indications that Snowden was not the only one.

I was wondering what happened to #2...

Comment Re:Why isn't symmetric crypto threatened by quantu (Score 1) 55

It has been a while since I've dug thru the DoC EAR, but from what I remember -- and what I seem to glean from digging thru your link to the Fed Reg -- is that most of this applies only if you're using proprietary encryption. The use of open source algorithms where you provide the relevant source code, such as using AES, Blowfish, or TwoFish, is an exemption.

To be clear, I'm talking about mass market stuff which gets the MMKT designation, not crypto gear primarily sold to foreign governments.

If using only the published, open source stuff for crypto, then the exporter has only to file the paperwork. The 30-day delay was removed, and there is no real "review request", the paperwork is just on file.

RSA fits the bill just fine, and there is no restriction that I can find for using ginormous keys -- 4,096 bits and beyond.

Feel free to use Elliptic Curve instead of RSA, avoiding Dual EC DRBG (obviously) and the NIST recommended curves if you're paranoid.

I understand that exporting certain hardware requires paperwork, but I'm firmly in the camp of thinking that states "proprietary encryption should be avoided at all costs".
