wetwareproblem:

kathrynabbott:

elumish:

Your OPSEC is Bad and You Should Feel Bad

Okay so one of the many things that drives me absolutely nuts about most TV shows and (some) books that involve secret or classified information or secure facilities is how absolutely not secure everything is, so these are a few basic things that people get wrong:

You can’t carry around classified information. There are, I assume, exceptions in specific cases, though they are assuredly very carefully managed, but random intel agent #12 cannot legally just take home classified information so they can work on it at home. That’s incredibly illegal. And that’s for a reason–secure facilities are, as the name suggests, secure. Everywhere else is varying levels of not secure. Even for people working with regular business or government materials on their work phone or laptop, there are varying levels of strict rules about where you can leave it, how to report a lost device, and not keeping it in checked bags.

Badges should be innocuous and limited in visible information. Any sensible security system doesn’t have badges that are numbered/colored/otherwise identified by access level, because that is a really easy way to identify targets for thieves/people who want to break in. American federal ID cards (CACfor military, PIVfor civilian) have really specific layouts. Some companies distinguish between full time employees, interns, vendors, etc in their cards.

Badges shouldn’t be displayed outside of the office. This is not really followed by real people (if you get on the metro on DC you will see a wide variety of visible badges), but displaying a badge is not security-wise because 1) it makes them easier to steal, and 2) it can make you a target.

Names/access level/information shouldn’t be openly announced. I’m looking at you, MCU Spider-Man fanfiction. Just. Don’t.

Confidential/classified information shouldn’t be openly discussed. Stop having your characters talk about confidential or classified information in front of people who shouldn’t know it, or even just out in the open at all. They shouldn’t be telling their parents, their friends, their spouses, etc. Even businesses or government buildings that deal with sensitive information, there may be spaces where certain things can or can’t be discussed, and employees/contractors will go through approximately 8 million trainings on where you can’t discuss certain information. This also involves erasing whiteboards, locking computers, etc.

You can’t have cell phones in certain secure facilities. People shouldn’t be having their cell phones with them in SCIFs. This prohibition extends to all things that can be recording devices, including furbies.

I live in an army town that has a lot of military intelligence and electronic warfare development stuff going on. The end result of this is that I’ve known a lot of people who deal with classified stuff in some nature. This means that I’ve had a lot of experiences of watching TV with someone, only for them to pause and start ranting about this kind of thing, as well as just kind of living in this environment with these people.

So, I have some further things to mention (keeping in mind that this is coming from someone on the outside)!

• I have occasionally asked someone a question (about current events, technology, or something along those lines) and been told, “I can’t talk about that. I don’t think it’s classified, but it’s something I heard in a room with classified information.”
• If someone works in one of these jobs, they will occasionally lie to every single one of their friends and family members. This doesn’t generally bother those friends and family members. Assuming that the nature of their job isn’t classified in and of itself (like claiming to work at a department store when you actually work for the CIA), you just kind of accept it. Sometimes you realize that you’re being lied to, but I suspect most of the time you don’t. But if someone goes on a work trip to a place that’s allegedly a three-hour plane ride away and doesn’t call to tell you they’ve arrived until ten hours later, and then only calls you at 10pm in the time zone they’re allegedly in… maybe there’s something going on that you’re not aware of, and maybe you keep your mouth shut about it.
• On a practical note (and due to many rants from someone I know), no one is going to drop a classified file and have stuff come spilling out. When they are transported, they are kept wrapped up in multiple layers. This not only keeps someone from dropping it and allowing any passersby to read what’s on those papers, but it also acts as a tamper-proof seal. If someone receives a file with torn packaging, you know something’s up.
• Another thing I know, courtesy of a rant from someone who accidentally did this: duress codes and keypads! If you have a location that requires a coded entry, first of all you cannot do a cool trick with a mirror to see what the code is while someone else puts it in. You cannot see it on the camera. IIRC, you will likely stick your hand in a little opaque box to put in the code because the people who design these things are not idiots. Secondly, you will have a duress code. This code will likely still give you access to the room/building/whatever, but it will alert security that you are doing so under duress. This may be by putting in the actual code backwards, or by using a previous code, or something else entirely. In this case, be sure to keep track of which codes are which, so that you don’t leave the lab on a regular day of work to find the hall lined with very concerned (and very armed) security personnel prepared to shoot whoever “forced you to let them in the room” (this story is definitely based on a true story, and we still mock him for it).
• Secure locations are more secure than you think. The previous post mentions things like cell phones and furbies (and yes, everyone in town laughs about the furby thing), but this extends to a lot of other security measures. For example, cable management. In secure computer labs, there are likely to be extensive rules about how close cables can run to each other. You need to know exactly what is doing what, and it needs to be clear that nothing else is there. A mess of cables could easily hide something that’s not supposed to be there.
• For the love of God, learn what a closed network is. If you have a bunch of classified materials that do not actively need to be shared, you cannot hack in from the outside to get access to them. Those computers are not connected to anything outside of that room or facility. Also, if you have a mystery thumbdrive you do not plug it into your network, holy shit what is wrong with you, this is what non-networked devices are for you idiot. There are plenty of computers on hand that completely lack the hardware necessary to connect to another in any way, shape, or form. Your virus can’t turn on the computer’s wi-fi to send information to you because there is nothing to turn on.
• There are a lot of security measures. A lab may have things like thermite grenades on hand. In the event that you need to destroy everything inside, you put the grenade on top of a file cabinet and set it off. It won’t explode, it’ll just melt through the file cabinet, setting everything inside on fire. And yes, that sounds super badass and I kind of want to see this happen.
• Sometimes a person with this kind of clearance is just going to go silent. It may be when you’re watching the news, discussing current events, or when you’re talking about a cool article you just read about some new developments in technology, but it’ll happen. If they’re good at it, you won’t notice. If they’re not, you’ll smile to yourself and keep your mouth shut.
• Also I’ve kind of touched on this, but this is not going to be strange to the people around the person with clearance. The things that I’ve described here are pretty mundane when this is a part of your life. You may joke about it with other people (a friend and I will laugh about her dad’s late night calls that are followed by “I’m leaving town. I’ll be back eventually.”), but this isn’t odd to you. It’s like joking about any other aspect of someone’s job, like a weird fast food uniform or an eccentric boss.
• Kind of connected, but no one who’s been married to someone in one of these jobs for any decent amount of time is going to be mad that their spouse is “keeping secrets” and the next time I see this trope in media I’m going to punch someone. Keeping secrets is literally part of their job and you know that. They will keep those secrets or they will go to jail, and you do not want your loved ones in jail. Depending on the nature of their job, you may worry about them, but you will not be mad at them for not telling you every detail of their day at work. If this kind of thing is a problem, it will be a problem from the start and is just generally a sign of incompatibility.

And finally, and most importantly:

• When doing chair races in the halls, you need a spotter at the end of the hall to alert you when a colonel is approaching so that you can look like serious people who can definitely be trusted with classified information

A bit more information from an infosec perspective, including some stuff you might be able to use:

• The cable placement thing? It’s because cables are antennae, basically.. Any time you power a circuit, it gives off a small radio emission; if you have a secure and an insecure data line next to each other, they can interfere in such a way that you can recover the secure data from the insecure line. Similarly, the wrong cable geometry can boost the signal like a well-shaped antenna, making it detectable from further away.
• Because of the above, if you have a good software-defined radio antenna, the right software, and a highly predictable signal (such as, say, the draw/refresh cycle of a monitor), you can listen in to an insecure machine from a surprising distance. (It’s called Van Eck phreaking.)
• On a related note, if you know enough about the technical details of a CPU, you can reconstruct what it’s doing by listening to the shifts in how much power it draws. Tailored access batteries exist that are designed to do this for specific cell phone and laptop types and transmit the data with a built-in antenna.
• That bit about how your virus can’t turn on the wi-fi in a machine with no network hardware? That’s, uh. Technically true, but it can do GSM and LTE just fine. By playing with the principles I’ve mentioned above, it’s possible to screw with your RAM in such a way that it acts as an extremely small cell tower. (For a real world example, look into GSMem.)