FBI Wiretapping Audit Secrets Uncovered Via Ctrl+C

mytrip notes a story in Wired's Threat Level blog on the latest boneheaded government moves with redaction. (We've been discussing redaction follies here for years.) This time it's an FBI report (PDF) on implementing CALEA — you can select text from redacted areas, copy it, and paste into a text editor, as University of Pennsylvania professor Matt Blaze discovered. From Wired: "Once again, supposedly sensitive information blacked out from a government report turns out to be visible by computer experts armed with the Ctrl+C keys — and that information turns out to be not very sensitive after all... [Among] the tidbits considered too sensitive to be aired publicly: The FBI paid Verizon $2,500 apiece to upgrade 1,140 old telephone switches. Oddly the report didn't redact the total amount paid to the telecom — slightly more than $2.9 million dollars — but somehow the bad guys will win if they knew the number of switches and the cost paid."

Secrets Kept to avoid Embarrassment

[curmudgeon99]

This is a classic example of secrecy being used not for national security but to avoid embarrassment. There are likely thousands of these types of secrets that cost money to keep but that are for no reason at all. Ass clowns.

Entertaining to whom?

[Anonymous Coward]

Can we get a new category, like "Gallows Humor"?

Besides, we shouldn't be reporting on this stuff-- our only defense against this government anymore is its own monumental stupidity.

Who's responsible..?

[ricebowl]

"Once again, supposedly sensitive information blacked out from a government report turns out to be visible by computer experts armed with the Ctrl+C keys

What confuses me is that, and I might be too generous in my assumption, I assume that there's an IT professional somewhere that looks over these released files prior to their release? I know that common sense is entirely too uncommon these days, but if I were to release a digital file (whether to an individual or the public) I'd make sure that someone from the IT department looked it over before release.

Otherwise it's like having a flu vaccine released by managers that went nowhere near an immunologist or virologist.

Still, I'm sure that, sometime soon, MS will remove the Ctrl+C combination. For national security, of course.

Re:Who's responsible..?

[MrMr]

...assume that there's an IT professional somewhere that looks over these released files prior to their release?

Apparently you have never worked for a government department.

Otherwise it's like having a flu vaccine released by managers that went nowhere near an immunologist or virologist.

or in the pharmaceutical industry.

Re:Who's responsible..?

[Bushcat]

No, the "IT professional", if any, will have been excluded by the "incredibly thick underlings" thinking they actually have a clue. I've worked in such environments: the thicker the person, the more that person thinks s/he knows, and the more important that person believes s/he is.

LOL!

[sm62704]

visible by computer experts armed with the Ctrl+C keys

The FBI is trying to trick me into thinking they're all stupid so they can find out where I've got the 500 acre marijuana farm with its fiftten thousand tons of marijuana in the barn, 500 beautiful hookers and the casino downstairs, where you can buy white lightning and moonshine.

Meanwhile, Osama's still loose.

Attention FBI: Look, dumbasses, print the damned thing out, black out the parts that embarrass the President and your Director with a magic marker and scan it to a TIF file (that's a graphics format, guys. Pay attention!) and "print" THAT to PDF.

But you already know that, you're trying to find my pot gambling hooker farm!

The mosaic effect

[Anonymous Coward]

Now, I'm all up for good gov't conspiracy, and working for the gov't, I know how they spend inappropriately.

But there is something called the mosaic effect. The short of it is that you have two (or more) documents. None of them by themselves are sensitive, but as a group, they become sensitive because they give you a complete picture. It's quite possible that this redacted info gives that picture.

In addition, gov't entities regularly leave out the specifics like the number of switches because they do not want to demonstrate the scope of their operations. Not for any malicious reasons, but for what they perceive as a security risk. It might be a false risk, but it's not malicious.

Re:Too much UNIX for me

[Anonymous Coward]

yeah, you're 100%.

those guys were just involved in a dick-measuring "biggest nerd" contest.

Re:Who's responsible..?

[Tim C]

I know that common sense is entirely too uncommon these days, but if I were to release a digital file (whether to an individual or the public) I'd make sure that someone from the IT department looked it over before release.

A month or so ago our HR director distributed professionally-printed copies of the new Employee Handbook to everyone in the company.

It is full of typos, grammatical errors, strange changes of tense or person, weird extra line breaks, etc. You'd have thought that someone would have proof read it, or at the very least approved a sample print before the full run was produced.

Point being that people take it upon themselves to do things all the time without seeking input from others.

Follow the evil overlord tips

[vecctor]

When I read this, the first thing I thought of were the evil overlord rules - specifically this one:

One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.

They just need to have some intern to sit around and spot obvious flaws in document security. Any idiot giving this doc a cursory examination would have found this.

How much!!!

[JaJ_D]

The FBI paid Verizon $2,500 apiece to upgrade 1,140 old telephone switches. Oddly the report didn't redact the total amount paid to the telecom â" slightly more than $2.9 million dollars â" but somehow the bad guys will win if they knew the number of switches and the cost paid.

It's more likely that the total number is large and people go "ok must be a lot" but at 2.5k usd per switch people would go "how fucking much!!!" - that's what they may want to avoid

Jaj

this just goes to show

[v1]

how abused and misapplied all those "in the interest of national security" procedures are when there is no oversight in place. When will the legislators ever learn, anything that can be abused or misused, will be abused and misused in the absence of oversight? It's not even "might" or "is very likely". It always happens. It's human nature to take advantage for personal gain without risk. They censor anything that they want to, for any agenda, because they can. And this just exposes that truth.

Now watch how they react to it. Do they straighten up their censorship policies? of course not. They'll simply make the abuse harder to discover.

Re:Too much UNIX for me

[Anonymous Coward]

In other words, it's just another thing that Microsoft stole from someone else?

this actually makes some sense...

[virmaior]

from an information security standpoint, this actually makes some sense. Allow me to explain. First, the high value number is going to show up in budgets anyway, so anyone who wants that number could already find it. It's hard to not have a few million dollars show up in the accounting somehow. Second, the reason the exact dollar value per part is usually redacted is that this is a giant clue as to the identity of the part used in the infrastructure. E.g. if I tell you I have a $300 mp3 player, then you know that I have an IPOD. But if I tell you that I bought a bunch of mp3 players and spent $100,000 then you don't know whether I've bought Zens, Zunes, ipods, sansas, or something else. And the problem with telling people what your infrastructure is made of who shouldn't know is that it enables them to focus on vulnerabilities for just that one device. caveat: I actually have a $10 mp3 player.

"Sorry to bust your bubble"or"The Mundane Answer"

[Specter]

The actual cost of performing the service was likely redacted, not as a matter of national security, but because the pricing is contractually considered proprietary information .

Most companies include this as a standard clause in their master service agreements so that Joe's Barber shop isn't upset that Big Government Office is getting a different (presumably better) price for exactly the same service.

Re:Too much UNIX for me

[SL Baur]

It's more like they are very common hot-keys for any GUI app.

C-SPC, C-w/M-w, C-y work just fine for me and we were using those keys before there was a Microsoft Windows, Linux or even modern Unix.

Now get off my lawn!

Why the cost per switch would be redacted

[gizmonic]

The reason to hide the cost per switch is to keep the negotiations invisible from other providers. Sure, you can report $2.9 million to Verizon, but AT&T doesn't know how many switches that was or the cost per switch. Maybe they worked out a cheaper deal with AT&T for, say, $2,000 per switch instead of $2,500. If AT&T knew what Verizon was getting paid, they'd hold out for more themselves. While it may seem silly to hide the details, doing so probably saves a little cash in the long run.

Of course, now, if they ever need to do more switches, I am betting every vendor will be holding out for the highest publicized price (or their own private price, if it's higher still). So, yeah, sometimes disseminating what you think is non-critical information will in fact cost us more in the long run. Revealing it may not make "the bad guys win" but it can definitely make the taxpayer lose.

Just my unredacted $0.02.