
What's gov policy around Alexas and like half the IoT market? My botvac even has a microphone. I'm sure it's "don't ever speak about outside of this room" sort of thing.

I guess phone calls would be over a secure line. Are there secure cell phone towers/whatever? I'm curious how gov phones are hardened.




In any SCIF or SCIF-like office space, they're all prohibited. You leave your cell phone at the front door of the secured area.

Internet access is via SIPRNet (for classified) or NIPRNet (non-classified, but secured). Phones are through dedicated secure switchboards.

The above is common in the DC area (lots of DoD contractors).


A relative of mine used to work in this space 20 years ago. Seems policies haven’t changed at all.

Tangential story about how seriously the Gov takes OpSec. When I was in Iraq, a Marine in my unit found a roll of red Classified tape. He thought it would be cool to put a strip on his personal laptop, which was confiscated almost immediately. It was very clearly a personal machine, but policy is policy, and he never got that laptop back.


Oh yeah, they take it seriously most of the time. But you do get seemingly odd outputs from those procedures. Case in point...

Many years ago, I worked part-time for a small construction cost management contractor. They did some TS work for DoD/State (usually combo projects, where NSA/CIA/Army had a wing of a consulate that State managed).

I did not have a TS (or any other clearance) at the time. One day, I'm tasked with counting the windows and doors in an old hospital in Munich. All the room numbers are Sharpied out in one half of the building.

So, it's pretty obvious "men in black pajamas" are using that wing. I just don't know the room numbers.

Seemed super weird to me that only the numbers were considered secured info. I'm sure there was an explanation.

Years later, a friend-of-a-friend was moving to Munich to do "State Department" work (he was an HVAC contractor with a TS). Off hand, I said "oh, I bet you'll be in wing X, floor Y or Z in the old hospital". He about fell over that somebody in no way associated with his agency would know that. Got a chuckle from me.


Thank you for publishing this info, comrade! Ve arr going to chek all old Munich hospitals.


It may or may not be in Munich.

Regardless, WikiLeaks already spilled the beans.


> Seems policies haven’t changed at all.

Yes and no.

CUI was created: https://en.wikipedia.org/wiki/Controlled_Unclassified_Inform...

The number of SCIFs increased a ton, especially in contractors being allowed to have their own SCIF rooms. The number of clearances also went up a lot, and the cycle time on granting a clearance got much faster. Overall some things got relaxed, other things got stricter, scale increased everywhere.

IMO the biggest factor in the increase is just the ever-increasing DoD budget.


I like this idea of magical red tape that makes things disappear.

Did he test it on any other items?


> Tangential story about how seriously the Gov takes OpSec.

...and yet, Chelsea Manning walked in with nothing more than a CD player and a self-labeled CD-RW and exfiltrated tons of data from a secured facility.

> and he never got that laptop back.

There are several morals to this story.


From a friend who worked in IT at DIA c. 2000: there were an absurd, non-zero number of researchers with clearances who surfed for porn while on [SN]IPRNet, networks they knew were monitored, and unsurprisingly were caught and lost their careers. Nonzero. I'd posit the reason it continued for so long was the real reasons for termination were kept secret to avoid organizational and political embarrassment but at the expense of not setting an example.

If individuals in this particular demographic are hired but lack self-control and are sexually frustrated, then they're potentially huge liabilities to being recruited by adversaries (MICE). It would seem that before issuing clearances, these factors should be assessed rather than going through a standard clipboard audit by the FBI. And, while holding clearances, positive socialization opportunities should be encouraged if not artfully arranged. Who's ever going to leave a job or be disloyal when your boss or some coworkers expedite the love lives of those who aren't already full in that regard? This implies fostering a layer of socially astute managers. It would be a radical departure for government culture perhaps, but a necessary one to ensure the integrity and stability of a clandestine community. Happiness isn't just recognition or sufficient autonomy, but total happiness beyond work. (Throw away the "work-life balance" cliche that is tired and paid lip-service to.)


If you haven’t read the story from 2000 of CIA director John Deutch, it matches your description of that time/culture.


My company infosec training actually advises you don't have voice assistants or cellphones in your work area. They even make light of it in the video: "I know it sounds crazy, but it's not".

Google and Amazon as the biggest voice assistant makers are, of course, our competitors. But they are competitors to I would say most software companies in some fashion.


We have been told that so many times at work, but I know most snr people seem to leave them and their smart watches in listen mode as they occasionally go off in video calls.


Once in a Zoom call my watch said “sorry, I didn’t understand that”… and simultaneously the watch the other person on the call was wearing said the same thing!


Knowing what exploits are like in the private/state sector that seems like a no-brainer if your threat model includes a well-funded attacker.


I wouldn't be surprised if something like the Apple Vision Pro becomes common in such spaces (and for classified / company-confidential work in general) over the next few years.

I think the combination of biometric authentication with a display that is immune to cameras and shoulder-surfing is really powerful. If the device has anti-screenshot protection and automatically logs the user out when removed from their head, there's virtually no way to quickly transfer sensitive documents out of it.


I would be floored if that happened. SCIFs and cameras are like oil and water.


How strictly are SCIF policies enforced? I'm just a civilian who's never had exposure to that world, but based on my experience with other parts of the government, I'd expect SCIF compliance to fall on a broad spectrum from "sloppy or non-existent" to "overly strict and paranoid." Is my intuition accurate? Who's accountable for the compliance of a given SCIF - can anyone with clearance "set up a SCIF" or does it need to be registered, audited, etc?


In my experience, they are seriously enforced, though any time you have a large number of people you'll definitely find exceptions. The threat of massive fines and long jail times tends to encourage compliance. Also, many of the people who work in SCIFs know they are dealing with information that, if released, could lead to a number of people getting killed (think intelligence sources) or a country being unable to defend itself because a US weapon system was compromised (think Ukraine). Nation-states are working to extract information from SCIFs, it's not a theoretical problem, and SCIF users know this.


I always remember the posters inside RAF secure spaces that say "IN EVENT OF EMERGENCY, SECURE ALL HARD DRIVES, THEN EXIT THE BUILDING."


I don't work in this space, but many of my friends do, as did my father.

SCIF policies are usually strictly enforced. But, that's the most secure workplace available to civilians and they aren't all that common. They also tend to be located in facilities that are higher-than-normal security. Out here in Reston, all my friends who work in SCIFs are also in fenced/gated complexes with paramilitary guards.

There are secure (but not SCIF) facilities that probably vary more. My father's little 6-person contracting office had a secure room, with a DoD-approved design and a safe inside, for contracts that required that level of security (State/DoD facilities in China and Russia required TS clearance, other projects varied).

The people that work in SCIFs also generally take it seriously. TS+poly is worth a big chunk of salary here in DC and not something to risk (and that's ignoring that flouting those laws is a felony for anybody not named Trump). And most believe in the mission (whatever that happens to be). The work spans everything from military hardware to CIA or NSA operations. And a lot of stuff that probably doesn't really need to be TS, but that's a whole other discussion.


I wonder how that's going to work in our augmented future. Especially if people replace non-functional eyes and ears with digital ones.


It's actually more restrictive than the sibling makes it sound. A SCIF can't have any radio-transmitting device, recording device, or storage media without special approval. Computers hooked up to classified networks can't have USB ports. Even medical devices are case by case. My wife requires hearing aids and needed them to be analyzed and approved by a security team before she could bring them in. Pacemakers require approval.

The phones and networks are hardened by being their own separate network from public networks. The lines are all buried and protected and utilize hardware-encrypted point to point tunnels to merge with public backbone fiber. I've told an anecdote here many times of working at a facility where AT&T contractors dug too close to a JWICS fiber cable and had an unmarked black SUV show up in minutes to confiscate all of their gear and question them.

Keep in mind the military has been encrypting radio traffic over hostile territory for a century, so they don't even necessarily require the lines themselves to be physically secure as long as the endpoint devices are. Encryption keys are loaded from hardware random number generators that are synced manually on some rotating basis determined by local command or national policy, depending on the intended reach of the comms device. The NSA has something called a key management infrastructure for the wide-area computer net that replaced the legacy system a few years ago that is similar to PKI, but keys are only issued in-person and stored on unnetworked hardware key loaders that are kept in locked arms rooms on military installations (or with deployed units). There is, of course, also a DoD and IC PKI so they can still develop and use regular web applications and browsers, but it is also more restrictive than regular PKI. Everything requires client certs and mutual TLS and you need to be personally sponsored to get your personal certificates.

It's actually really cool the way the JWICS websites work because your client cert provides an identity that is linked to your sponsoring agency's clearance database and web apps automatically redact content on the server side that you are not cleared to see. It's possible I'm making up memories but I think I've seen at least a few cases where some applications can do this inside of a single page, but typically you get a denial for an entire application if you're not cleared for the highest level data it provides.

I almost hate to say it because it's antithetical to the Internet and Hacker News ethos, but it's a testament to how well networked applications could work with a central authority and no anonymity. You don't need passwords. Accounts are provisioned automatically. SSO is global to the entire network. You only need one identity. But no, your office can't have Alexa.
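The server-side pattern described in the comment above, sketched as an added example that is not part of the original comment and is not code from any real system: the subject of an already-verified client certificate is looked up in a clearance store, and content is either redacted per paragraph or the whole application is denied. The subject names, clearance table, portion-marking format and function names are all constructed for illustration.

```python
import re

# Ordered levels and portion markings, constructed for this example.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}
PORTION = re.compile(r"^\((U|C|S|TS)\)\s")

# Constructed stand-in for a clearance database, keyed by the subject DN
# that the TLS layer extracted from a verified client certificate.
CLEARANCE_DB = {
    "CN=alice.example,OU=AgencyA": "TS",
    "CN=bob.example,OU=AgencyB": "C",
}

# Constructed sample document: one paragraph per entry.
DOC = [
    "(U) Cafeteria hours changed.",
    "(S) Constructed secret paragraph.",
    "(TS) Constructed top secret paragraph.",
    "Paragraph with no portion marking.",
]

def app_allowed(subject_dn, app_max_level):
    """Whole-application gate: caller must hold the app's highest level."""
    level = CLEARANCE_DB.get(subject_dn)
    return level is not None and LEVELS[level] >= LEVELS[app_max_level]

def render(document, subject_dn):
    """Per-paragraph redaction, performed before anything leaves the server.

    Fails closed twice: unknown subjects get nothing, and paragraphs
    without a marking are treated as the highest level.
    """
    level = CLEARANCE_DB.get(subject_dn)
    if level is None:
        raise PermissionError("no clearance record for " + subject_dn)
    allowed = LEVELS[level]
    out = []
    for para in document:
        m = PORTION.match(para)
        required = LEVELS[m.group(1)] if m else max(LEVELS.values())
        out.append(para if required <= allowed else "[REDACTED]")
    return out
```

The redaction decision depends only on server-side state, so a client cannot widen its own view by altering the request.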


> I almost hate to say it because it's antithetical to the Internet and Hacker News ethos, but it's a testament to how well networked applications could work with a central authority and no anonymity. You don't need passwords. Accounts are provisioned automatically. SSO is global to the entire network. You only need one identity. But no, your office can't have Alexa.

I don't think it's necessarily a dealbreaker if you consider this: from a purely technical standpoint, there's nothing really stopping anyone from setting up a certificate authority - the only issue is getting service providers to trust it enough to accept those client certs as sufficient identification. I could easily imagine a world where I receive an "official" client cert from a government (which I can use to thoroughly prove my identity if needed) as well as several "pseudonymous" certs from various other CAs that I may use from time to time.

The main difference between CAs would be the kind of attestations they provide for a given certificate holder. For example, I could imagine a CA which (for example) is set up to attest that any holder of a certificate signed by them is a medical doctor, but will not (by policy) divulge any additional information.

Or perhaps a CA which acts as a judge of good character - they may issue pseudonymous or anonymous certs, but provide a way for application owners to complain about the behavior of a user presenting that cert.

I'm sure there are plenty of holes that can be poked in this model but I don't think it'd be completely out of the question?


There is an entire industry for secure phones. Many have to be "unlocked" before dialing other secure phones. It isn't simple. Getting a normal phone line to passively carry an encrypted call is a bit of a hack.


A hack? The entire point of encryption is to permit messages to be sent over insecure channels, no?


The hack is getting the unsecure system not to damage your encrypted signal, to carry even though it is expecting plain voice talking rather than a stream of binary digits.


We’ve been doing that for dialup internet for decades.


Dialup actively co-operates with the telephone system - e.g. the screeching at the start is designed to disable echo cancellers and other such mechanisms.


Dialup doesn't work over every phone line, especially over sat voice lines.


POTS didn't have an opus audio codec.


> It isn't simple. Getting a normal phone line to passively carry an encrypted call is a bit of a hack.

How so? It would seem fairly trivial considering we have had ways of sending data over phone lines as sound for decades.


Because the signal transmitted over normal phones has to be encrypted. That encrypted signal will then be digitized/compressed by the standard phone line. Any artifacts in the phone line digitization might turn the encrypted signal into gibberish. It's like compressing a jpeg too many times. So you need an encryption method that isn't simple digitization. You need something that is encrypted but essentially sounds like human speech so that the digitization/compression process does not damage it.

https://gdmissionsystems.com/products/encryption/secure-voic...

https://www.cryptomuseum.com/crypto/gd/viper/


We all used this kind of advanced technology to connect to the internet back in the 90s.


Not really. The phone lines were not compressed then.


They were, they got compressed with G.711 or G.722.

In fact, that's why your 56kbps modem would often fall back to 38.4kbps or 28k8, until the phone company installed a fancy new exchange that demodulated the 56kbps stream and didn't compress it. The 56kbps was also due to sampling limits/bandlimiters, on the same copper line you could also get a fully digital ISDN line that did 64kbps. (And if they remove all the filters and band limits, you can reach DSL speeds.)

There's nothing inherently special about voice-compression compared to any other kind of interference/distortion you can get on an analogue line.

Also, faxes still work?


But that same re-compression happens with modem traffic. Your 56k modems deal with compression artifacts just fine, though sometimes dropping down to lower speeds.



