Devil's advocacy:

My father built the first network the Department of Energy ever ran. He did it because his job involved reading numbers off of Nixie tubes, and he determined that if he connected the output that fed the Nixie tubes to a serial port he could log the data without having to drive to his collectors and read them physically. That was... a while ago. A while ago in Los Alamos, NM, birthplace of the Atomic Bomb, which is a local call away from Santa Fe, NM, reactionary heart of the hippie-dippy anti-nuclear movement in the United States. So "hackers" and "computer security" are a thing I never wanted a part of but nonetheless grew up with.

My father occupies his own Private Idaho in one of the most intense computing environments in the world. He's airgapped, sandboxed and invulnerable. In order to get to his data you have to know what random port is open on his network for the random eight seconds of the random hour of the Friday you're concerned about because the rest of the time, there's no physical connection between him and the world. Even if you did that you'd have to be behind the firewall of the DOE's closed network, which while not impossible is more challenging than, say, AT&T's.

None of which really matters because his data is behind a couple locked doors and a security guard. If you can trick the security guard to let you in, you're a lockpick away from walking away with the hard drives. Fuck hacking. Let's spy.

Missed in all these discussions about vulnerabilities is the fact that every leak we know about was caused by a loose nut behind the wheel.

- How did our UCAV fleet get a virus? Fucking pilots installed Mafia Wars on them.

- How did Paris Hilton's Sidekick get hacked? By phishing T-mobile stores.

- How did the Fappening happen? Phishing.

- What is Edward Snowden on the run for? Stealing secrets he had access to, not hacking in to get them.

- What is Chelsea Manning in jail for? Leaking secrets she had access to, not hacking in to get them.

- How did we take out Iran's centrifuges? By giving the world a virus and waiting for someone to hand-carry it into Natanz.

The "loose nut behind the wheel" is so much more of a problem than actual computer security that the software vulnerabilities almost don't matter. Mark Bowden documents an Iranian attack on the Pentagon in Worm - someone literally loaded up a pillowcase full of jump drives with a virus and then threw handfuls out of a car window into the parking lot. It only takes one jackass to pick up a drive and go "cool! Free thumb drive! I wonder what's on it!" before suddenly the best software in the world might as well be Zynga.

Back in the glory days my dad had a couple layers of "gimme" data. He'd put sensitive-looking documents in a place that a semi-talented hacker could get to if they wanted on the assumption they'd leak it to the Santa Fe New Mexican (there were lots of attempted penetrations every week). Beyond that he had another directory of more sensitive-looking documents. The actual sensitive documents weren't on the network. The really sensitive stuff was paper.

Nobody ever got to the first layer. But that doesn't matter, because human factors matter more.

posted by empty: 1137 days ago