FBI Wiretapping Audit Secrets Uncovered Via Ctrl+C 231
mytrip notes a story in Wired's Threat Level blog on the latest boneheaded government moves with redaction. (We've been discussing redaction follies here for years.) This time it's an FBI report (PDF) on implementing CALEA — you can select text from redacted areas, copy it, and paste into a text editor, as University of Pennsylvania professor Matt Blaze discovered. From Wired: "Once again, supposedly sensitive information blacked out from a government report turns out to be visible by computer experts armed with the Ctrl+C keys — and that information turns out to be not very sensitive after all... [Among] the tidbits considered too sensitive to be aired publicly: The FBI paid Verizon $2,500 apiece to upgrade 1,140 old telephone switches. Oddly the report didn't redact the total amount paid to the telecom — slightly more than $2.9 million dollars — but somehow the bad guys will win if they knew the number of switches and the cost paid."
Secrets Kept to avoid Embarrassment (Score:5, Insightful)
Entertaining to whom? (Score:2, Insightful)
Besides, we shouldn't be reporting on this stuff-- our only defense against this government anymore is its own monumental stupidity.
Who's responsible..? (Score:5, Insightful)
What confuses me is that, and I might be too generous in my assumption, I assume that there's an IT professional somewhere that looks over these released files prior to their release? I know that common sense is entirely too uncommon these days, but if I were to release a digital file (whether to an individual or the public) I'd make sure that someone from the IT department looked it over before release.
Otherwise it's like having a flu vaccine released by managers that went nowhere near an immunologist or virologist.
Still, I'm sure that, sometime soon, MS will remove the Ctrl+C combination. For national security, of course.
Re:Who's responsible..? (Score:5, Insightful)
Apparently you have never worked for a government department.
Otherwise it's like having a flu vaccine released by managers that went nowhere near an immunologist or virologist.
or in the pharmaceutical industry.
Re:Who's responsible..? (Score:3, Insightful)
LOL! (Score:4, Insightful)
The FBI is trying to trick me into thinking they're all stupid so they can find out where I've got the 500 acre marijuana farm with its fiftten thousand tons of marijuana in the barn, 500 beautiful hookers and the casino downstairs, where you can buy white lightning and moonshine.
Meanwhile, Osama's still loose.
Attention FBI: Look, dumbasses, print the damned thing out, black out the parts that embarrass the President and your Director with a magic marker and scan it to a TIF file (that's a graphics format, guys. Pay attention!) and "print" THAT to PDF.
But you already know that, you're trying to find my pot gambling hooker farm!
The mosaic effect (Score:3, Insightful)
But there is something called the mosaic effect. The short of it is that you have two (or more) documents. None of them by themselves are sensitive, but as a group, they become sensitive because they give you a complete picture. It's quite possible that this redacted info gives that picture.
In addition, gov't entities regularly leave out the specifics like the number of switches because they do not want to demonstrate the scope of their operations. Not for any malicious reasons, but for what they perceive as a security risk. It might be a false risk, but it's not malicious.
Re:Too much UNIX for me (Score:2, Insightful)
those guys were just involved in a dick-measuring "biggest nerd" contest.
Re:Who's responsible..? (Score:2, Insightful)
A month or so ago our HR director distributed professionally-printed copies of the new Employee Handbook to everyone in the company.
It is full of typos, grammatical errors, strange changes of tense or person, weird extra line breaks, etc. You'd have thought that someone would have proof read it, or at the very least approved a sample print before the full run was produced.
Point being that people take it upon themselves to do things all the time without seeking input from others.
Follow the evil overlord tips (Score:5, Insightful)
How much!!! (Score:5, Insightful)
It's more likely that the total number is large and people go "ok must be a lot" but at 2.5k usd per switch people would go "how fucking much!!!" - that's what they may want to avoid
Jaj
this just goes to show (Score:5, Insightful)
Now watch how they react to it. Do they straighten up their censorship policies? of course not. They'll simply make the abuse harder to discover.
Re:Too much UNIX for me (Score:1, Insightful)
this actually makes some sense... (Score:3, Insightful)
"Sorry to bust your bubble"or"The Mundane Answer" (Score:3, Insightful)
Most companies include this as a standard clause in their master service agreements so that Joe's Barber shop isn't upset that Big Government Office is getting a different (presumably better) price for exactly the same service.
Re:Too much UNIX for me (Score:3, Insightful)
Now get off my lawn!
Why the cost per switch would be redacted (Score:3, Insightful)
Of course, now, if they ever need to do more switches, I am betting every vendor will be holding out for the highest publicized price (or their own private price, if it's higher still). So, yeah, sometimes disseminating what you think is non-critical information will in fact cost us more in the long run. Revealing it may not make "the bad guys win" but it can definitely make the taxpayer lose.
Just my unredacted $0.02.