[Info-vax] Bradley Manning and OpenVMS

Bill Gunshannon bill at server3.cs.scranton.edu
Mon Dec 9 10:23:51 EST 2013


In article <l81sgm$hqj$1 at dont-email.me>,
	Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
> On 2013-12-08, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
>> On 2013-12-08, DTL <didier.morandi at gmail.com> wrote:
>>> Hi all,
>>>
>>> Let's assume the system on which these diplomatic telegrams were stored was an OpenVMS system.
>>>
>>> How could the (Wiki)leak be detected?
>>>
>>> A Security ACL on the folder(s) access READ
>>> A Security ACL on his CD-ROM Drive access WRITE
>>> An alarm from both, gathered via a SIEM solution, giving the following alert:
>>>
>>> "A guy is burning a CD on his computer with a lot of sensitive data"
>>>
>>
>> Without mandatory access controls, he could have just used his administrator
>> privileges to turn them off before copying the files.
>>
>> The irony is that he managed to do this in the organisation which gave
>> us SELinux. What was that again about the cobbler's children ? :-)
>>
> 
> My mistake; I didn't pay enough attention to the specific leaker in the
> title (I've just been reading some stuff about Edward Snowden, hence
> the mistake).
> 
> However, the comments above do apply to Edward Snowden and the real
> security lapse with Bradley Manning was that the military didn't implement
> any document containment/isolation procedures so everyone got access
> to everything (even if they didn't need it).

Well, that's not really true, but there are places that make major
mistakes leading to this kind of fiasco. While most of the places
I worked did a very good job of compartmentalizing data and restricting
access as well as keeping records of who was accessing it, I also once
visited a site (on official business) where all of the network wall jacks
were active, even when not assigned to a machine.  And this was on both
the unclassified and classified network.  We found numerous personal
laptops using the unclas network to access the INTERNET.  I have
no doubt the same was true of the classified network but users would
unplug from it upon finding there was nothing to connect to.

> 
> You have to fix that problem before you can implement any technical
> solutions (and BTW, those solutions are also available outside of VMS).

The weakest link in any security, today, as it has been in the past,
is still the people. 

bill

-- 
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999 at cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include <std.disclaimer.h>   