
Culture War Roundup for the week of April 17, 2023

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.


Following the Teixeira leak, I have a question which I do not see covered at all in any of the press. Has there been any investigation started into the security structure failures that led to these leaks? It is obvious that it is a systemic failure - a glorified janitor shouldn't have access to top secret documents, and most of these documents didn't have much business being on a National Guard airbase anyway, they don't have anything to do with whatever the Air Force is supposed to be dealing with. Somebody is responsible for the security on Otis Air National Guard Base - and that somebody screwed up big time. Do we know about anybody being placed on leave, suspended, demoted, whatever it is? What is the usual procedure in the Army when something like this happens? How many consequences could be expected for the people responsible for preventing such things from happening?

Just a question for the tech community here. Why is it necessary to give someone permission to read the contents of a file in the course of network maintenance, support, and upgrades? It seems like most of that would involve file integrity, moving files about, backing them up, but it doesn’t seem obvious that anything in that job should require the ability to be able to open or read the files in plain text. Had he downloaded encrypted files, it’s doubtful that anyone outside the CIA/FBI and other cleared individuals would be able to break a top secret encryption scheme, which makes it appear that the files themselves were in plain text. But I can’t think of a good reason to not encrypt this stuff in such a way that people without authorization can read them even if they managed to download them and sneak out with them (which also shouldn’t be possible).

Why is it necessary to give someone permission to read the contents of a file in the course of network maintenance, support, and upgrades?

It is not. However, working with encrypted files is harder than with plaintext ones, e.g. something like search is much harder (though with recent advances in homomorphic cryptography it may finally be possible). On top of that, from what experience I have had with government systems, they are often old, technologically backwards and poorly maintained. And the Higher Powers usually do not understand how the systems work and what the conditions are there, until it's too late (i.e. seeing the article in WaPo about a security leak).

However, working with encrypted files is harder than with plaintext ones, e.g. something like search is much harder

A far bigger deal is that large organisations don't want to lose data to a forgotten password - where the organisation can, of course, also "forget" a password by virtue of the person who knows it ragequitting or falling under a bus. That stops you using the types of encrypted storage that actually work.

In general, if you can recover from a forgotten password, then the (generally relatively junior) IT guy who handles password recovery can steal your data. As a "Cyber Transport Systems Journeyman", Teixeira had that kind of access.

A far bigger deal is that large organisations don't want to lose data to a forgotten password - where the organisation can, of course, also "forget" a password by virtue of the person who knows it ragequitting or falling under a bus.

These are all solvable - and largely solved - problems. There are multi-key schemes where you could store passwords in a place that can be unlocked, for example, by using any two (or any other number of) keys out of N - so each top officer on the base gets one of those master keys, and then if such a situation happens, they call two or three of them together and unlock that password. That's one of the ways to do it; another is to just apply multi-key encryption to the data itself (it's practically the same thing, as nobody uses passwords now to directly encrypt data, there are usually intermediate keys anyway).

Even if you use some kind of off-the-shelf commercial product that does not support easy password recovery, because of course as a US Army with a trillion dollar budget and its own research branch that invented the freaking internet, you are not able to use state-of-the-art technologies, there are still off-the-shelf products that offer password management and recovery. It's not something that nobody else has heard of, it's a known problem with known solutions.

the (generally relatively junior) IT guy who handles password recovery can steal your data

Only if you design your security poorly. Day-to-day password recovery should require something that the legit user has and the IT guy doesn't (phone, card, device, name of the dog, whatever - there are dozens of ways). Hit-by-a-bus password recovery should require participation of higher level key holders - and they should bear the responsibility for the misuse (aka you give your colonel's keys to the janitor - you may get early retirement and never make a general, etc.) There are a lot of schemes that allow handling it without giving the IT janitor access to every single bit of top secret data.

I agree that the problem is solvable in an organisation that actually cares, although I disagree that it is easy. Banks (which probably care more about securing money than the military does about securing classified information) do in fact do all these things. And even they run into the problem that any system that requires busy executives to do their own admin will be circumvented. The US army (and, frankly, every peacetime army) is the type of organisation where every colonel has given his keys to the janitor at some point. Quora is absolutely full of "war stories" of the type "I, as a lowly PFC ordered to guard the outer door of a SCIF had to point my rifle at a colonel who was mishandling classified information, and the following morning the brigadier congratulated me." Colonels wouldn't do that if the more normal response was for the PFC to let them.

although I disagree that it is easy

I never said it's easy. I deal with security professionally from time to time (though more code security than people security) and I would never use the word "easy" when it comes to security. Yes, it requires effort, thought, careful application and most important, as you very correctly noted - "organisation that actually cares". Of these, the US military has plenty of resources and access to plenty of smart people, more than capable of solving such problems - but as I suspect, it is just not that kind of organization. They say they care, but in the immortal words of Forrest Gump, careless is as careless does.

every colonel has given his keys to the janitor at some point

I have no doubts fuckups happened and will happen, now and forever on. Most of all in the military. What I am more interested in is what happens after. Does the colonel lose their chance to become general and gain eternal shame, demotion to managing the least important storage of old socks in the nation, and derision of all his peers - or does he keep failing upwards until one day he may become Chief of Staff? Is there some push to make it happen less often, or the usual SNAFU response?