Posts by tom dial

Re: Can we ban Facebook etc altogether?

Why not simply make it illegal to do silly or stupid things? I see no reason to dictate that others not do things that are not inrinsically harmful (even if sometimes subject to exploitation by others) if they enjoy doing them.

Alcohol prohibition certainly worked out poorly where tried, and had the worst side effects where enforcement was most vigorous. The execrable US War on Drugs, over several decades, has been accompanied by astonishing violence and corruption in the US and other countries, and as well by consistent increase in variety and availability of illegal drugs at consistently decreasing retail prices, not to mention the enormous increase in potency of cannabis. Gambling restriction and regulation, with attendant public corruption, has not been all that much better. Prostitution is worthy of mention in the same context.

All these proscribed or restricted activities were harmful, sometimes disastrously so, to some of those who engaged in them, as well as to their families and, to an extent, their communities. Making them illegal did little to stop them and It is likely that much or most of the harm associated with them resulted from the fact of illegality and the associated enforcement activities. There is no earthly reason to suppose laws enforcing privacy, whether on Facebook, Google, or other present or future undertakings, will be any more successful or beneficial.

Re: How can they allow them access only for British citizens?

From the article it appears the subject is wiretaps, not spying. In the US, for bot citizens and foreigners legally within the US a warrant is required to (lawfully) conduct a wiretap, and that is a matter that involves both constitutional interpretation and statutory law. To make it more complex, what is reported to be under discussion may authority granted the President under treaties. While not analogous in a real sense, it somewhat resembles the treatment accorded Kim Dotcom in the Megaupload matter.

The US Constitution, laws, and treaties may grant the President authority to determine that UK safeguards are adequate, or they may not. Given that there are many laws and treaties, it may be uncertain. If the agreement is made, it is likely to be contested by an early target and may require possibly lengthy court proceedings to settle definitively.

Re: Thursday's lunch menu

I could have stated the point more clearly and succinctly.

It does not matter whether the email messages were marked classified before they arrived on the (almost certainly) illegal server or were recognized and classified during review preliminary to public release. No official records, classified or not, ever should have been on that server, which is known from various sources to have been configured and operated without much regard for security over much of its service life.

The fine print. As others have pointed out, anyone who removed classification markings from material before putting it in any of the emails committed a crime. Anyone who transferred material from a classified network or directed removal of classification markings from material before putting it into an email also committed a crime. Anyone who knowingly put sensitive but not yet classified material into one of the email messages certainly committed a serious error and violation of federal and State Department regulations, and may have committed a crime; if the inclusion was inadvertent or accidental, the only real difference is that the act might not be treated as criminal.

I do not know of instances in which publicly available material was classified upward and attempts made to retrieve it but would be extremely surprised if it had not happened; the number of activities and people generating properly classified data over the last 75 years is large enough that some accidental disclosure is almost certain.

The root cause, of course, was the server deployment and operation, along with the disrespect for law, regulations, and good management practice that accompanied it. As another poster noted but stated a bit differently, in intelligence matters it is important to know what your adversary knows, and dumping official correspondence to an insecure and apparently relatively unprotected environment certainly was a gift, whether or not any of them recognized it.

Re: Thursday's lunch menu

"Were the e-mails in question classified BEFORE or AFTER they ended up on the server?"

It really does not matter. The server was less fit than gmail, yahoo, or the local ISP's POP or IMAP serverfor storing ANY official documents. Moreover, we ought to be able to think government department or agency heads to take the initiative to prevent compromise of organization data rather than encourage or simply allow it to happen.

I also would fault the State Department CIO for inadequate oversight of an IT operation in which this was not found out, reported, taken up with the Secretary, and failing correction, with the Inspector General and Department of Justice.

Re: Spot the oxymoron

The original statement is correct, and also consistent with possible retroactive classification. The articles report that the email messages contained classified material, but those at the New York Times, Washington Post, and Associated Press feed do not state that it was classified retroactively. The closest to that was the statement quoted in the AP article that the source of the content was being investigated.

In a general sense, all official material is born classified and not to be released publicly without explicit department or agency approval (or made available because of vulnerabilities) . The classification that applies is dependent on the origin and type of data. It probably happens rarely, but there may well be instances in which publicly released material was classified (or had its classification upgraded) after the fact and efforts made to collect and destroy existing copies.

Removal of established classification information and copying information from a higher level to a lower without the associated classification marks certainly violate department or agency policy and instructions, and probably violate the law.

Re: Thursday's lunch menu

Indeed so. Everything of any significance has at least the status of "For Official Use Only." As I remember, however, nothing with a classification above Confidential may be stored on or accessed using an internet-accessible computer, and I think that includes remote VPN access using computers provided and maintained by the government.

Transferring material classified Secret or higher requires sneakernet use. If that happened in this case, it involved more than forwarding or careful copy-and-paste operations. Moreover, we are justified in expecting those officials who engage in email correspondence with the Secretary of State and her immediate staff to have the wit and will to recognize classification issues and refrain from sending sensitive material into environments where it cannot legally exist even if it is not (yet?) formally classified.

Whether the information in the withheld emails was classified when sent has not been reported as yet. If it was not, the particulars may only indicate incompetence;. If it was, and copied without the applicable classification marks it becomes a criminal matter implicating whoever prepared the email and possibly others, including the recipient. In the end, it does not matter whether Secretary Clinton sent or received them, since she was responsible for deployment and operation of the probably illegal and certainly insecure server where they were stored. As head of the Department of State she also had the responsibility to ensure that the department and its employees, including herself and her close advisers, complied with the law and with federal and department regulations.

This is not "funny" and never was. While her supporters may claim otherwise, it is perfectly reasonable to consider Secretary Clinton's conduct as Secretary of State in evaluating her fitness for nomination for any other office of public trust, especially including the presidency. OPM director Katherine Archuleta was forced from office, and OPM CIO Donna Seymour is being pressured to resign, for less. As bad as OPM's failures were, the evidence does not suggest that OPM management flouted the law and regulations as appears to be true of the State Department.

Re: Um... da fuq

As a present beneficiary of OPM paid credit and identity theft watching, I do not see that either of these events should be taken to excuse or downgrade the importance of the other.

Re: Spot the oxymoron

The emails are reported to contain classified material. That is consistent with the Clinton campaign claim that the messages were not classified, but almost certainly indicates either carelessness or malfeasance within the State Department that reaches the Secretary's office if not the Secretary herself.

Of course none of it would have been much of an issue if she had not, violating both law and regulation, deployed a private (not to say quite insecurely configured) server to conduct government business. Instead, she would have done email on State Department systems either in the office or remotely using a government provided VPN and examined classified information either in hard copy or using systems attached only to a secure network that did not interface with the public internet (and secret and above possibly in a physically secured and electromagnetically isolated interior room).

Every article I have seen, including this one, treats this much more lightly than it warrants, as do a large fraction of comments, both here and elsewhere.

Re: Ok with me

PGP and other well analyzed protocols should do that quite well if implemented correctly, and if any other parties to the communication are trustworthy.

Re: Privacy

For what it is worth, there are public repositories for PGP public keys - pgp.mit.edu is one - and others can be found by installing Enigmail. The model in which keys are obtained from a public key server is slightly discordant with the usual PGP model in which trust is assigned based on the signature of the key by others and the trust one has in the keys used for the signature. Used reasonably it can provide reasonable security, probably as good as a Comodo signed certificate. When you can meet a correspondent, generate and sign keys off network and exchange them in person, the trustworthiness of those keys is very good.

The point about unusual use of encryption is interesting and merits an upvote or two.

Re: The more, the merrier?

"... dilute the value of that metadata." It will not do that to a degree that makes much difference. It will slow queries somewhat and increase the storage requirement, but both effects are likely to be overcome by technological progress along with routine equipment replacement and upgrading.

Re: The more, the merrier?

It would be no more than a minor to moderate inconvenience if everyone so inclined to switched to consistent use of PGP or equivalent. The inconvenience would be limited to modest floor space and storage increases. SigInt agencies already are quite good at building, maintaining, and using very large databases. They would simply provide for the greater volume and go about their business largely unaffected. Facebook started sending PGP encrypted notifications a while back. They may be captured, but are unlikely to have been much noticed, although they have fairly obvious intelligence potential and likely enough are not being excluded from any program for collecting encrypted email.

The plain fact is, however, that most people (I think nearly all) simply do not care enough if their traffic is sent in the clear to make the minimal effort required to switch to use of PGP or the like.

Re: Interesting

In the US, both organisations and individuals are protected by the Constitution, specifically by the Fourth Amendment, A government agency would not be permitted to access the information released (as described int the article) without a warrant. It is not clear why a non-government organization, although not constrained by the Fourth Amendment, should be given a pass when it does so. That is not, of course, entirely applicable to someone who receives and releases the information without actually committing CFAA violations.

These constitutional and legal protections apply to all, including criminals and criminal organizations, and even those who might be seen as "leading the crusade against constitutional rights ." The presumption that some individuals and organizations are entitled to less consideration than other under the Constitution and laws has no place in the US, and I suspect that, with allowance for constitutional differences, it also has no place in the UK.

Re: So GCHQ wants to help the terrorists and Russians?

It is not entirely clear that encryption with vulnerabilities is worse than what most of us have, and have had, which is no encryption. Indeed, that is fairly obviously not true.

Re: Trust?

Stipulating that equipment shipped from the US might be subject to interception and modification, the same certainly is true of similar equipment shipped from non-US addresses. The variable is who does the interception and modification, so the operational decision might be about your choice of third party intervenor. On the other hand, interception and modification by a government agency in the receiving country also would be a possibility, one not under the control of either sender or receiver, and that is not one about which either has a choice.

There also is a strong case for open source hardware, and for great care about things like cables, as some of Snowden's stolen documents show. It is reasonable to assume that the Chinese and Russian governments, among others, have roughly equivalent capabilities and motivations.

Re: Back Story

It is a not a conflict of interest at all. It is purely agency action to enhance its prestige and power, along with that of its commissioners. I would like to see an example of any government agency, in any country, that did not engage in such activity regularly to the maximum of its legal authority and capability.

Re: Thanks FCC

The geographic monopolies are not a matter of national policy, but rather local franchises granted by pliant city councils, augmented by laws in a few states that disallow municipal communications services.

State and local governments are far easier than the federal government to lobby successfully.

Re: @Mark 85

The base data certainly was self-submitted and the subject of the investigation will know what it was. I know what I put in my SF86. A good deal of additional information will be there too, such things as credit status and in some instances medical or psychological information, and criminal history. Subjects will know, or could, most of that as well. The SF86 is submitted along with signed releases to collect quite a lot of data.

What I, and other subjects do not know is what additional information was added based on interviews with references and others identified during the review process. An incumbent politician might very well have an interest in knowing that, or background investigation information about others who are or might become their adversaries or opponents.