56 comments

[ 2.6 ms ] story [ 108 ms ] thread
(comment deleted)
Why is this a bigger problem that just "deploy new encryption keys and revoke the old ones" If that is a big problem, then focus on that because keys can leak in any number of ways and it's something you need to be able to handle. I'd be surprised if they are not routinely rotated fairly frequently regardless.
Radio has a lot more to it than just keys. For example, frequency hopping is a big thing, and which frequencies it jumps between, when, and why (i.e. as some sort of anti jamming strategy) are all important details which could be established by inspecting the equipment.

That said, the mention of the Motorola programming software does make this sound more like a base security/policing problem than actual operational infrastructure.

Surely frequency hopping patterns is tied to the key and not hard coded? That would be pretty stupid.. but what do I know.
Wouldnt you just have another key as a seed for the hopping?
I don’t understand how this is security. Wouldn’t an adversary just listen on all channels and pick up the rest of the communication on the newly detected frequency?
Frequency hopping is actually not considered a secure communication method in military circles, nor is it designed to be. Frequency hopping is designed to provide robust communication during electronic warfare scenarios (jamming).
Military infrastructure isn't always as well-engineered as it should be all the time. It can be very costly and time consuming to deploy new encryption keys, especially for technologies like radios. It's not as simple as deploying a configuration file or running `ssh-keygen` and publishing a few artifacts. Many devices need to be rekeyed by hand, which can be labor intensive depending on the size of the inventory. Additionally, sometimes new hardware needs to be hand-delivered to the appropriate organizations for keys to function.
You're assuming OTA updates are available for legacy hardware.
> he equipment allegedly taken by the engineer cost nearly $90,000.

Do you know the Department of Defence has never passed a audit?

> officials found that the department couldn’t account for about 61 percent of its assets.

> McCord said the department has made progress toward a “clean” audit in the past year, but later added “we failed to get an ‘A.’...I would not say that we flunked.

Good to know that by US government standards, a 61% is an acceptable passing grade...

They couldn't account for 61 percent, so their score would be a 39%.
Fortunately, I maintained a similar passing grade in maths/reading comprehension...
They would make more progress if we only gave them the money they can account for.
Has the ever been another agency where billions going 'missing' is tolerated?
Things like the SR-71 and B-2 development programs are off the higher level books.

Due to the compartmentalized nature of some of the programs (with good reason), it’s infeasible the DoD would ever pass a traditional audit.

Much like the CIA intentionally obfuscates funding for 3rd parties.

And yet other countries in the free world seem to manage this problem just fine…
That's because they don't have a government in a government in a government.... 127 layers deep. More like 2-3.
Because the US provides the SR-71s and B-2s for those countries.
Bingo. I can’t think of any other EU/NATO/FVEY country that actually does development of defence tech on the scale the US does.
That doesn't mean the US gov can't find auditors with proper security clearance to account for those black budgets.
You’re missing the “compartmentalized” nature of TS/SCI projects. You would need many, many auditors or the paperwork would be enormous to be cleared for each one.

Yes it’s technically possible, but the current model doesn’t support moving between compartments easily.

Sure, but the comment I was responding to referenced auditing the DoD.

This is a whole different can of worms :)

What's odd is that at the lower levels people will absolutely freak out if a computer monitor (~$300?) can't be located. I guess it's not small items like that that add up to the billions missing, it's large/expensive things that are missing.
When I was at about 20, the comptroller at my employer told me that you can make mistakes on big important things and people may not notice, but errors in petty cash will always be noticed.
Granted, billions missing could amount to a fraction of one percent. And yes programs like Medicare have big fraud problems.
Medicare isn't losing most of that money to their own administrators out of their back door; it's being taken by doctors, users.
(comment deleted)
And likewise, the defense department is losing money primarily on overpriced contracts, not DoD personnel wiring money to their own bank accounts.
(comment deleted)
No, they get it on the back end in the form of (sometimes obfuscated) kickbacks.
Overpriced contracts sounds like something easily accounted for. This is stuff that's literally 'missing' during audits by teams of professional accountants.
The whole point of war and defense narratives is to make people afraid so you can override every precaution and appropriate and dissipate resources freely. That's the logic behind DoD mega spending, 'war on drugs', war on terror' narratives, right wing moral panics / culture wars populism, and organized crime protection rackets.

Make people afraid, they will give you anything to make the threat disappear. Including their freedom and dignity. There is no single entity involved in this game that is not shady and corrupt to its core.

The article presented no evidence of other countries getting access to that data. Just a 48yo American engineer who allegedly shouldn't have had access. Of course, someone could've snooped on his home network, I guess.
The article said that he was selling radio equipment. I’m sure all of the buyers will be getting contacted and investigated to ascertain if foreign buyers were involved.
Many 'military' radios are commercial or have nostalgic value. The article is short on details, and given the spottiness of the records of this unit (obvious they aren't tracking property as required by DoD policy considering this was allowed to occur) it's entirely possible this guy just owns DRMO'ed equipment himself he buys/sells. Take that out of the mix, and the rest of the 'evidence' point to this being an overworked sysadmin/engineer who takes his work home with him. It's a common occurrence in every workplace even the DoD; many of the NSA leaks is from individuals trying to work on their personal computers at home.
"Just a 48yo American engineer who allegedly shouldn't have had access"

We don't know that at all.

Absence of evidence is not evidence of absence.

This is my favorite part of the article:

> Installer files which were recovered in the search opened with a “CONFIDENTIAL RESTRICTED” pop-up, according to Forbes.

Woah woah woah. Are you saying this software said it's confidential? Well let me tell you something about this comment. This comment is confidential restricted!

Marking systems and documents is a critical part of security.

It makes sure that you can prove that everyone is put on notice that misuse is subject to extreme punishment. This helps prevent accidental disclosure (Oh, I didn't think confidentiality applied to this), and it helps prove the case should anyone violate the rules.

Yeah I mean compared to having private military keys, this was a funny tack on.
I read a very confidential dossier on my last playthrough of Goldeneye 007 on N64.
isn't the security benefit from people genuinely not being confused and making accidental disclosures? You phrased it more focused on penalties applied after a failure which to my novice understanding is too late (and ineffective anyway).
Absolutely one reason is why people follow confidentiality rules is fear of punishment.

I mentioned both:

- It prevents people from not knowing something is sensitive and mishandling information

- It prevents people from claiming that they didn't know something was sensitive after mishandling information

CONFIDENTIAL is one of the collateral security levels. It goes UNCLASSIFIED (this data can be also additionally marked CUI/FOUO, for official use only), CONFIDENTIAL, SECRET, and TOP SECRET. S and TS have compartments which further gate access to information.

The software being marked CONFIDENTIAL means that it is classified software, the exposure of which can cause damage to national security.

While true, confidential restricted is not a US classification marking. It sounds more like the language on a clickwrap license installer, like what you would get for the radio programming software.

This sounds like not much. It would allow an eavesdropper to overhear LEO-type conversations or basic operational discussion but unlikely to be anything actual classified.

I have no idea of course. I don't even know where Arnold AFB is!

Interesting timing with the tetra protocol vuln disclosure.
I was about to post the exact same verbatim comment. So, yes; double interesting timing..
If timing like this amuses you, consider the timeline of azuread's hack and MS renaming it to "entra id" lol
Big fat nothing-burger.

Except for the sloppy enthusiast contractor too deep in the criminal tendencies end of the pool... his life probably just got rather difficult.

Having recently rewatched Sneakers I'm struck by how much what the article describes of his home overlaps with characters like Mother(Akroyd).

> The warrant also recounted how witnesses and co-workers informed investigators that the engineer had allegedly “sold radios and radio equipment, worked odd hours, was arrogant, frequently lied, displayed inappropriate workplace behavior and sexual harassment, had financial problems, and possessed [Arnold air force base land mobile radio] equipment”.

> It added that a colleague had reported him twice due to “insider threat indicators” as well as unauthorized possession of air force equipment, according to investigators.

There isn't a timeline provided, so hopefully those insider threat reports were relatively recent?