Thread: Pentagon couldn't black out classified information!

  1. #1
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005

    Pentagon couldn't black out classified information!

    This made me laugh a lot. Imagine the Pentagon has fallen in the arena of the forgotten security pitfalls, they blacked out the classified information in a very primeval and defective manner ...... everyone could reveal the so-called classified information to the public ....

    Where was IT? On Saturday, April 30, the Pentagon released an unclassified version of its report on a March 4 incident in Baghdad, in which an Italian intelligence agent, Nicola Calipari, was shot and killed by U.S. troops at a checkpoint. The unclassified document was an Adobe Acrobat file, with sections containing classified information blacked out. But for anyone who downloaded the document, discovering what was behind that electronic black ink was trivial. In fact, it was practically unavoidable. And by Monday, that classified information was everywhere.
    So where in blazes was IT?

    Protecting confidential data in electronic form is certainly part of IT's job. The software that military censors used to black out those documents came from IT. IT should have made sure everything worked as planned. Instead, sensitive information such as military rules of engagement became public knowledge.

    Let's be clear: Breaking through the black ink over that classified text didn't require hacking through encryption or using some special tool. If a reporter simply opened the file using the standard version of Acrobat Reader, then cut and pasted the text into any word processor, the blacked-out text would reappear.

    And reporters don't like retyping if they can simply cut and paste. Besides, cutting and pasting guaranteed that the report would be quoted accurately. So of course many of them cut and pasted and saw the classified information; they'd have had to work hard to avoid it.

    And so did anyone else -- friend or foe -- who downloaded the report.

    So where was IT? Why didn't the military censors have the right tools to remove that classified information, not just cover it up? Why wasn't a standard process followed for confirming that the classified information was removed? Those are questions the Pentagon is asking now.

    They're questions people in corporate IT should be asking, too.

    How often do people in your company send out sensitive information, thinking it's not there because they can't see it? Every time they e-mail a Word document. Or an Excel spreadsheet, or PowerPoint presentation, or documents in any of a variety of other formats. Those users may have deleted that information from the visible document, but it might still be in the file.

    It can't always be made visible with a simple cut and paste. But it's there. And with a little effort by an unfriendly party, it can be seen.

    Maybe you knew that. But your users probably don't. So your company's salesmen, marketing people, lawyers and public relations reps may be revealing sales quotes, product plans, legal strategies and other information they don't intend to. Executives may be giving away business strategy or closely held financial data.

    Where is IT in all this? Protecting this stuff is what we do. We should be front and center, helping users to avoid leaking secrets. Sure, we also have to deal with worms and hackers and other threats. But we can't let users fall through security cracks -- especially when that's exactly what users are trying hard not to do.

    So talk to your users, especially the ones who send documents outside the organization. Explain the problem. Suggest work-arounds, such as converting documents to a different format and then back to the one they prefer. Listen to their objections. Work with them to find a practical way they can use to protect their confidential information.

    This time, IT isn't the users' enemy, enforcing security rules they don't like. We can be their ally, helping users protect information they don't want to make public.

    For once, we can stand shoulder to shoulder with users on the front lines of information security.

    Which is right where IT should be.
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts" ..... Spaf
    Every time I learn a new thing, I discover how ignorant I am. - ... Black Cluster

  2. #2
    Senior Member
    Join Date
    May 2003
    buahahahahhahaha that's awesome... although I feel bad for the guy who gets fired for not editing it properly.
    Everyone is going to die, I am just as good of a reason as any.


  3. #3
    Join Date
    Apr 2005
    That's a piece! The big difference between the electronic and the printed medium is that it is easier to obfuscate the latter whereas one needs to digitize the process for the former. The method applied to the electronic document smacks of either plain ignorance or laziness.

    But wait... the routine is supposed to be to create a "sanitized" version of the document for general public access. I wonder why they didn't do that when they in fact bothered to do the same on the Report on the Intelligence Capabilities of the US regarding WMDs.

    Oh, well...

    Si vis pacem, para bellum!

  4. #4
    Join Date
    May 2003
    Protecting confidential data in electronic form is certainly part of IT's job.
    No it isn't.

    Information Security is a lateral department to Information Technology, otherwise you have the auditor reporting to the audited (Dude where's my accountability?). Whoever wrote the article is quite ignorant themselves, the fact that they keep mentioning IT over and over and over makes it even more amusing.



  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    Protecting confidential data in electronic form is certainly part of IT's job.
    Yes, it is, but only insofar as it is used and stored internally, or is held or transmitted for third party use. IT Security is responsible for the security of the data, but Information Security is responsible for the content, and who should be authorised to access it. Information Security are the law makers and IT Security are the enforcement agents within, and only within, their domain. The Press & PR Department is a totally different corporate silo.

    I believe that the issue here is data that are broadcast or published in any form. In this particular case the information was obviously accessed by authorised personnel, so IT had done their job. The fact that these authorised persons subsequently screwed up by failing to sanitise the data they published is nothing to do with IT. If you do not accept this, then you must accept blame for every typo that a secretary makes, and responsibility for every classified manual and drawing that has been published in paper form?

    Information Security is a lateral department to Information Technology, otherwise you have the auditor reporting to the audited (Dude where's my accountability?)
    I would regard the relationship as diagonal rather than lateral, as IS cuts across IT but extends into the area of paper manuals, drawings and other media. IS is also responsible for the "needs to know" policy.

    In almost all cases the auditor DOES report to the audited and their primary accountability is to the audited, who PAY THEM for the service.

    There is also a potential element of third party accountability (liability) where the auditor supplies information that will knowingly be used by third parties.

  6. #6
    Join Date
    May 2003
    Well Nihil, I'm gonna have to disagree with you.

    Multi-level secure systems (like those designed and used by the government) utilize System Administrator, System Operator, and Information Security Officer roles. The idea here is to mirror the organizational structure, hence more and more organizations are creating CISO roles to go along with the traditional C-level roles. This puts Information security at a lateral level to Operations, IT, Finance, etc.

    In this instance, the following sequence of events must have occurred (and who was responsible):

    The document was created (Operations)
    The document was labeled "CLASSIFIED" (InfoSec)
    The document was flagged for disclosure (Operations)
    The document was edited for disclosure (Administration)
    The document editing was audited (InfoSec)
    The document was actually edited (Operations)
    ... using software provided by IT
    The document was released (Administration)

    IT really tends to have a glorified view of itself.



    In almost all cases the auditor DOES report to the audited and their primary accountability is to the audited, who PAY THEM for the service.
    Typically in a supplemental manner to the existing auditor.

  7. #7
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    I don't know exactly who wears which hat, but someone sets policy regarding the censoring of documents, and likely someone else, presumably someone with specific technical knowledge, tests and verifies particular methods.

    If it was a paper document, he would have to test whether a certain brand of ink would safely black out the censored portions, or if they would have to be cut out physically from the paper.

    Likewise, he must test a procedure for electronic docs, and demonstrate that it works. Whether he is IT or IS I don't know. He's not really in charge of security over all, but in making sure that the method really works. He's a technician, not a policy maker.

    It's really surprising that this happened. The gov't has used PDFs for years.
    Maybe it's Adobe's fault
    I came in to the world with nothing. I still have most of it.
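The failure described in post #1 (a black box painted over text that is still in the file, so select-all and copy brings it back) and the "test the procedure and demonstrate that it works" step rcgreen asks for in post #7 can both be shown with one small script. This is an added example, not code from the thread, from the Pentagon or from Adobe. It parses a constructed, uncompressed PDF page content stream (the text and drawing operators inside a page, not a complete PDF file) and assumes no coordinate transforms (`cm`), the simple `Tj`/`TJ`/`Td`/`Tm` text operators, and well-formed input. The two sample streams, `PAINTED_OVER` and `REMOVED`, are constructed: the first mimics the flawed redaction, the second a redaction that actually deleted the text.

```python
"""Redaction verification for a PDF page content stream (added example, not from the thread).

A 'black box' drawn with re/f only paints over the text; the text operators
(Tj/TJ) underneath stay in the file and return with copy/paste. This parser
lists the text layer and flags strings whose origin sits inside a black-filled
rectangle. Assumptions: uncompressed stream, no 'cm' transforms, Tj/TJ/Td/Tm.
"""
import re

# string literal | name | number | operator (includes the ' and " text operators)
TOKEN = re.compile(r"\((?:\\.|[^\\)])*\)|/[^\s/\[\]()<>]+|-?\d*\.?\d+|[A-Za-z'\"*]+")
NUMBER = re.compile(r"-?\d*\.?\d+")

# Constructed sample: two lines, the second one "redacted" by painting a black box over it.
PAINTED_OVER = """
BT /F1 12 Tf 72 720 Td (Report on the checkpoint incident) Tj ET
BT /F1 12 Tf 72 700 Td (Rules of engagement: fire only after warning shots) Tj ET
q 0 g 70 696 400 16 re f Q
"""

# Constructed sample: the same page after a real redaction, the text operator deleted.
REMOVED = """
BT /F1 12 Tf 72 720 Td (Report on the checkpoint incident) Tj ET
q 0 g 70 696 400 16 re f Q
"""


def parse_content(stream):
    """Return (texts, rects): texts = [(x, y, string)], rects = [(x, y, w, h, gray)]."""
    texts, rects, pending, stack = [], [], [], []
    gray = 0.0          # current fill colour as a gray level, 0 = black
    tx = ty = 0.0       # origin of the current text line
    for tok in TOKEN.findall(stream):
        if tok[0] in "(/" or NUMBER.fullmatch(tok):
            stack.append(tok)           # operand: wait for its operator
            continue
        if tok == "BT":                 # begin text object: position resets
            tx = ty = 0.0
        elif tok == "Td":               # move to next line, relative offset
            tx += float(stack[-2]); ty += float(stack[-1])
        elif tok == "Tm":               # set text matrix: take translation part
            tx, ty = float(stack[-2]), float(stack[-1])
        elif tok in ("Tj", "TJ", "'", '"'):   # show text: record string at origin
            texts.append((tx, ty, "".join(t[1:-1] for t in stack if t[0] == "(")))
        elif tok == "g":                # set fill gray
            gray = float(stack[-1])
        elif tok == "rg":               # set fill RGB; approximate as mean gray
            gray = sum(float(v) for v in stack[-3:]) / 3
        elif tok == "re":               # rectangle path segment: x y w h
            pending.append(tuple(float(v) for v in stack[-4:]))
        elif tok in ("f", "F", "f*", "B", "B*", "b", "b*"):   # fill: commit path
            rects.extend(r + (gray,) for r in pending); pending = []
        elif tok in ("n", "S", "s"):    # path ended without a fill
            pending = []
        stack = []                      # every operator consumes its operands
    return texts, rects


def text_layer(stream):
    """What select-all / copy gives a reader: every string in the text layer."""
    return [s for _, _, s in parse_content(stream)[0]]


def hidden_under_black(stream):
    """Strings whose origin lies inside a black-filled rectangle: painted over, not removed."""
    texts, rects = parse_content(stream)
    found = []
    for x, y, s in texts:
        if any(g == 0 and rx <= x <= rx + rw and ry <= y <= ry + rh
               for rx, ry, rw, rh, g in rects):
            found.append(s)
    return found


def verify_redaction(stream, forbidden):
    """Pre-release check: list findings; an empty list means the page passed."""
    findings = []
    layer = " ".join(text_layer(stream)).lower()
    for phrase in forbidden:
        if phrase.lower() in layer:
            findings.append("text layer still contains: " + phrase)
    for s in hidden_under_black(stream):
        findings.append("text painted over but not removed: " + s)
    return findings


if __name__ == "__main__":
    for name, page in (("painted over", PAINTED_OVER), ("removed", REMOVED)):
        print(name, "->", verify_redaction(page, ["rules of engagement"]) or "PASS")
```

The check works on a single page's content stream; on a real file the streams are usually Flate-compressed and carry transforms, so a production version would decompress them and apply the current transformation matrix before comparing coordinates. The point it demonstrates is the one the article makes: the only passing result is the stream where the text operator is gone, not the one where a rectangle is drawn over it.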
