> The leaked Department of Defense email data spanned three terabytes (the equivalent of dozens of standard smartphones’ storage)
...or millions of emails.
One example (from TechCrunch):
> One of the exposed files included a completed SF-86 questionnaire, which are filled out by federal employees seeking a security clearance and contain highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information. These personnel questionnaires contain a significant amount of background information on security clearance holders valuable to foreign adversaries.
I don’t work in tech so forgive the ignorance. How is the communication at the DoD (especially the SF-86) not encrypted and why it is sitting on an email server?
The actual SF-86 is filled out online. If it is on an email server then it probably means the person generated the PDF copy from the site for their records and emailed it to themselves.
It is encrypted, at rest. If this was taken from an active mail server, the mail server's software needs access to the unencrypted data to work, therefore that is moot.
As to why mail servers hold email? That's how they, namely IMAP or EAS, work. If the mail server didn't have the mail, and the authorized user wanted the mail, where is it meant to come from?
The more pertinent question is: Why was a DoD mail server connected to the public internet? The DoD have their own network.
Efforts to end-to-end encrypt e-mail have been disastrous, coming down to a combination of human factors and difficulty of coordination - but mostly, people want to be able to read their mail. Sometimes they want to read it from public terminals. Sometimes they lose their phone and still need it to be accessible. Often, e-mails are required to be unencrypted by the mail server for compliance purposes - Nearly all financial data has to be archived, and that's often the crown jewels you're trying to encrypt, anyway.
I don't know of a good oral history of PGP, but I suspect if you find one, it'll have the answers that you're looking for.
US DoD has CAC - Common Access Card (commonly called a "CAC Card", but that's as silly as a "PIN Number"). CACs have encryption keys and are used for signing and encrypting email. The data should have been transmitted and stored encrypted for something like an SF-86.
There is, and for a DoD employee to not have sent a document like an SF-86 encrypted indicates a failure to follow basic procedures. Every DoD employee (military and civilian) has an encryption key they can use, and are required to use, for things like PII and many others (which an SF-86 would definitely contain).
I ran the mail servers for the Defense Information Systems Agency at DISA.mil.
For unclassified systems, of course those are connected to the Internet. How else would you communicate with the rest of the world? And I filled out an SF-86 when I applied to be hired by them. There's nothing classified on an SF-86. No classified data was leaked when OPM was hit by Chinese hackers that stole all sorts of PII data for everyone who held a security clearance, including fingerprints and retina prints. Oh, and OPM was hit by the Chinese not once, but twice.
For classified systems, those are connected to the SIPRnet or other classified "internet". And those classified internets are typically shared with other governmental agencies, and not unique to DoD.
The only SF-86s that should be outside of eQIP are hardcopies printed by investigators and copies saved by the submitters who emailed them to themselves for some reason.
Of course, this is the Pentagon so there's probably dozens of ancient generals who don't know how to use a mouse who had an aide fill it out and email it to another aide to be put into eQIP.
edit: lol nevermind it's SOCOM, those meatheads can't be trusted to not write a thousand books spilling the (mostly embellished) details of every little thing they did in the military as soon as they get out in the hopes that Tatum Channing will play them in a movie or amazon series so this isn't a surprise.
"The official, who spoke on condition of anonymity, said some or all of the emails deemed to implicate “special access programs” related to U.S. drone strikes. Those who sent the emails were not involved in directing or approving the strikes, but responded to the fallout from them, the official said.
The information in the emails “was not obtained through a classified product, but is considered ‘per se’ classified” because it pertains to drones, the official added. The U.S. treats drone operations conducted by the CIA as classified, even though in a 2012 internet chat Presidential Barack Obama acknowledged U.S.-directed drone strikes in Pakistan."
If someone created a PDF of that article and attached it to an email and sent it to a US Government information system, by classification guide standards it is now a classified email.
In fact, this comment would be considered classified, as would yours.
The article you linked to seems to indicate that the emails were considered classified based on the assertions I just made.
The sentence "The United States of America has conducted drone strikes in Pakistan" was, and likely still is, top secret information protected by a special access program and email containing any sentence conveying that information in any form that is not properly marked and handled is a violation of security procedures.
It is impossible to know the context of what they are investigating without seeing the emails, and neither you nor I have seen them.
19 comments
[ 4.6 ms ] story [ 61.0 ms ] thread...or millions of emails.
One example (from TechCrunch):
> One of the exposed files included a completed SF-86 questionnaire, which are filled out by federal employees seeking a security clearance and contain highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information. These personnel questionnaires contain a significant amount of background information on security clearance holders valuable to foreign adversaries.
Yikes.
As to why mail servers hold email? That's how they, namely IMAP or EAS, work. If the mail server didn't have the mail, and the authorized user wanted the mail, where is it meant to come from?
The more pertinent question is: Why was a DoD mail server connected to the public internet? The DoD have their own network.
I don't know of a good oral history of PGP, but I suspect if you find one, it'll have the answers that you're looking for.
For unclassified systems, of course those are connected to the Internet. How else would you communicate with the rest of the world? And I filled out an SF-86 when I applied to be hired by them. There's nothing classified on an SF-86. No classified data was leaked when OPM was hit by Chinese hackers that stole all sorts of PII data for everyone who held a security clearance, including fingerprints and retina prints. Oh, and OPM was hit by the Chinese not once, but twice.
For classified systems, those are connected to the SIPRnet or other classified "internet". And those classified internets are typically shared with other governmental agencies, and not unique to DoD.
Of course, this is the Pentagon so there's probably dozens of ancient generals who don't know how to use a mouse who had an aide fill it out and email it to another aide to be put into eQIP.
edit: lol nevermind it's SOCOM, those meatheads can't be trusted to not write a thousand books spilling the (mostly embellished) details of every little thing they did in the military as soon as they get out in the hopes that Tatum Channing will play them in a movie or amazon series so this isn't a surprise.
This isn't something they ever stop trying.
For example Hillary Clinton's leaked emails turned into 1980s style hysteria about "pizza-eating gay satanic pedophiles" running DC.
https://www.politico.com/story/2016/01/hillary-clinton-email...
"The official, who spoke on condition of anonymity, said some or all of the emails deemed to implicate “special access programs” related to U.S. drone strikes. Those who sent the emails were not involved in directing or approving the strikes, but responded to the fallout from them, the official said.
The information in the emails “was not obtained through a classified product, but is considered ‘per se’ classified” because it pertains to drones, the official added. The U.S. treats drone operations conducted by the CIA as classified, even though in a 2012 internet chat Presidential Barack Obama acknowledged U.S.-directed drone strikes in Pakistan."
In fact, this comment would be considered classified, as would yours.
The article you linked to seems to indicate that the emails were considered classified based on the assertions I just made.
The sentence "The United States of America has conducted drone strikes in Pakistan" was, and likely still is, top secret information protected by a special access program and email containing any sentence conveying that information in any form that is not properly marked and handled is a violation of security procedures.
It is impossible to know the context of what they are investigating without seeing the emails, and neither you nor I have seen them.