I'll just leave this here. DOSing Visa and Mastercard is one thing, espionage is something very different.
USC Title 18 § 794
Gathering or delivering defense information to aid foreign government
Whoever, with intent or reason to believe that it is to be used to the injury of the United States or to the advantage of a foreign nation, communicates, delivers, or transmits, or attempts to communicate, deliver, or transmit, to any foreign government, or to any faction or party or military or naval force within a foreign country, whether recognized or unrecognized by the United States, or to any representative, officer, agent, employee, subject, or citizen thereof, either directly or indirectly, any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, note, instrument, appliance, or information relating to the national defense, shall be punished by death or by imprisonment for any term of years or for life, except that the sentence of death shall not be imposed unless the jury or, if there is no jury, the court, further finds that the offense resulted in the identification by a foreign power (as defined in section 101(a) of the Foreign Intelligence Surveillance Act of 1978) of an individual acting as an agent of the United States and consequently in the death of that individual, or directly concerned nuclear weaponry, military spacecraft or satellites, early warning systems, or other means of defense or retaliation against large-scale attack; war plans; communications intelligence or cryptographic information; or any other major weapons system or major element of defense strategy.
I don't know, maybe in the most trivial "if it wasn't going to cause a problem, why were they hiding it?" sort of way. But it's not "reason to believe it could be used", it's "reason to believe it was to be used". That is, Anonymous would have to have thought that the Internet intends to use this to hurt the United States, that the people to whom they deliver the information -- people like you and I -- intend to harm the US. Not that they could, but that they would. Harming the US is not among my goals, nor is it among the goals of most people who will see the documents. That's where I think it gets up in the air. I don't think most Anons want to start a war, they just want the American people to protest government secrecy. Bradley Manning didn't get hit with "delivering defense information to aid foreign government" and considering the amount of egg he got on the military's face I'm sure they would've liked to.
Considering "NATO secret" machines are not allowed on networks connected to the internet they hopefully do not have anything to put people on the ground in danger.
There could however have been a breach in protocols and someone accidentally hooked something up but I doubt something that serious could have happened. It's not like you accidentally hook a fileserver up to the internet.
Confidential documents would (could) still be bad but there are strict rules about storing those as well.
I will just say in an air-gap environment the weak link is the military personnel not the computer..did not Manning case set as a precedent? You can have the secret stuff offline to the real internet all you want..some one with a thinking/ethics will at some point leak the stuff....
Don't be delusional, there were/are obviously beaches which are not red herrings. And all that "classified nato secret", "not allowed on networks connected to the internet", "breach in protocols" and "strict rules" are BS.
But to say for sure, we would need a thorough analysis of the incriminated data.
I'm not saying this isn't bad enough. I'm just saying there are rules in place to prevent these kinds of things. Like physical network separation and machines with disabled interfaces (like network, usb, firewire). You would require physical access to steal data from those machines and it would be either guarded or locked away.
Data security is taken very seriously within the military & NATO but I can't speak for how other countries do things. Accidents happen, things are poorly secured.
I'm just speaking from my own experience, even if it is limited.
No I am saying that if they are doing their jobs properly any data accessible from the internet is data that would not pose (much) of a security threat if released. I agree that most likely a lot of them do poor jobs but you should not underestimate their rules, regulations and strictness when it comes to data security.
These documents almost certainly were not classified SECRET: actual classified documents are kept on a separate network that is not connected to the regular internet. They were most likely unclassified documents that were sensitive enough to be kept to restricted access, but not important enough to be classified. If they actually were classified, that means that there was a major breach of protocols just in having them on computers connected to the regular internet.
Anyone with access to classified information is given extensive security training, with regular refreshers. This means that if classified documents to make their way onto an unclassified system, it was done by someone who was specifically trained not to do so.
You are correct that, despite this training, classified information do sometimes accidentally make it onto unclassified computers. It is usually discovered almost immediately (most often by the person who did it), and almost always involves very small amounts of information (it's hard to "accidentally" copy large numbers of files). The bigger the collection of documents, the more likely it is to be discovered quickly. These events are a huge deal because the cleanup process is so extensive and thorough.
I've read a lot of conflicting reports in various articles, probably because most journalists don't understand that words like "secret," "classified," "confidential," "restricted," and "sensitive" all have very specific meanings in a military context and are not interchangeable. As far as I can piece together, the documents in question were merely "restricted," not secret (not classified at all, for that matter).
While I am sure there are protocols that are followed and motions gone through, I don't believe even a little bit that everyone with access to NATO SECRET documents follows these protocols very closely.
We all know how this thing goes. We know we should be using GPG all the time, we know we should be using exclusively unique, long, random passwords for each web site we visit, we know we shouldn't enable JavaScript or Flash unless we have a good reason to trust the site, etc., but out of convenience we ignore almost all of these things that we know are potential security problems.
That same impulse functions in government, and I would assume it would function to an even greater extent because most people just have no comprehension at all that almost every computer network out there, even so-called "high security" networks from whitehats, intel agencies, etc., is just sitting wide open and waiting for someone to come along and ask for its contents.
The one sensible (and probably the least likely outcome) to all of this LulzSec nonsense would be a serious inventory of the state of our computer security as a whole, and new industry standards that actually required, encouraged, and generally deployed competently secured networks. That of course is almost impossible to fathom and I expect we will get a bunch of draconian and incomprehensible legislation making it a crime to type too fast while hacktivists continue to steal everyone's files forever.
I see no end to this kind of activity (because, as before, I don't believe most people, even big companies or governments, will be able to secure their digital resources) and it is a serious potential destabilizing force in our society, which is now so dependent and accustomed to electronic communication. If the government can't secure its networks and is constantly subject to this class of attack, what will it do? And how will the citizenry react? This could have scary, real ramifications before anyone knows it.
>While I am sure there are protocols that are followed and motions gone through, I don't believe even a little bit that everyone with access to NATO SECRET documents follows these protocols very closely.
We all know how this thing goes. We know we should be using GPG all the time, we know we should be using exclusively unique, long, random passwords for each web site we visit, we know we shouldn't enable JavaScript or Flash unless we have a good reason to trust the site, etc., but out of convenience we ignore almost all of these things that we know are potential security problems.
There's a key difference between the security measures you describe, which people tend to neglect, and the protocols that keep classified information off of unclassified systems: the measures you describe are tedious and time-consuming, so people tend to cut corners on them. When it comes to moving information between classified and unclassified networks, the opposite is true: they are completely segregated, so you have to go out of your way to move information back and forth. The simplest way to do it is by sneaker-net, and even that is made difficult because these days the computers on military networks are set up to not mount flash drives, so you would have to burn the files to a CD, then get that CD past various layers of physical security. It can be done, but you have to deliberately go out of your way to do it. It's not something that would happen because someone was being lazy or trying to cut corners.
>...almost every computer network out there, even so-called "high security" networks from whitehats, intel agencies, etc., is just sitting wide open and waiting for someone to come along and ask for its contents.
This is simply not true. All classified information is stored on networks that are not connected to the regular internet. It's not just a VPN: they are completely segregated.
>This is simply not true. All classified information is stored on networks that are not connected to the regular internet. It's not just a VPN: they are completely segregated.
I understand that it's true that there is no physical internet connection to the computers that access that data in many cases. I tend to believe it's not so air-tight as supposed but whatever. The Manning case demonstrates that even keeping your computers on a completely independent network doesn't prevent a low-level employee (or someone using his credentials...) from just waltzing in and taking everything. Manning had access far beyond his needs and he was able to download virtually any data that appetized him. Even on a non-internet system, if you have multiple millions of people with that kind of access, you're going to wind up in trouble and you definitely shouldn't assume that data hasn't gone anywhere.
I also understand that it requires some initial effort to physically move the data from the private network to a computer attached to a public network, but I don't think this is really sufficient to stop the transfer from occurring. The same thing occurs with paper documents -- technically these are never supposed to leave government property (or corporate property, etc), but it is still really common for someone to take copies home. While it takes some effort to take the copies with you, the effort is obviously worthwhile to ensure easy on-demand access.
The same will be in true in cases involving digital documents, and people will take out CDs and email the contents to themselves just out of convenience, so they can pull up the relevant information when they aren't physically at work. I believe that this happens.
If your network has a comparative handful of users this is probably something you can manage, but big corporations and governments have a lot of users and I don't believe that they can keep this stuff from leaking out to the real internet in violation of protocol eventually anyway, and I also don't believe that that'd be sufficient to stop leakage even if it were possible.
Again, we see from the Manning case that even if the network was not connected to the internet, the security on the system was horrible and allowed far, far too much access. Hackability from the internet isn't the only relevant consideration here.
>Hackability from the internet isn't the only relevant consideration here.
True, but it is the central issue in this thread: the documents in question were hacked from a non-classified network.
The scenarios you describe for people circumventing barriers between classified and unclassified systems for the sake of convenience sound quite plausible, until you consider the severe penalties for doing so. With that in mind, only incredibly foolhardy individuals would do so for the sake of mere convenience--a much more serious motivation would be required for most people. In a large enough organization, someone would most likely do it anyway, but it wouldn't be nearly common enough to leave "high security networks...sitting wide open."
Really, the only plausible scenario for significant leakage of classified information is deliberate espionage. I'm not sure why people keep citing Manning as setting some sort of precedent or revealing a previously unknown vulnerability, because this type of espionage has been going on since the beginning of recorded history, and probably even before that. It's the reason why access to classified information requires both a clearance and "need to know." When "need to know" rules are relaxed or ignored, it becomes relatively easy for people to take information that they have no business accessing and simply walk out of the building with it, whether it be hard-copies or soft-copies. This tends to go in cycles, with "need to know" rules gradually loosening until a major incident occurs, after which they are rapidly tightened, and then the whole process repeats. There was a rash of such incidents all at once in the mid-'80s:
http://en.wikipedia.org/wiki/1985:_The_Year_of_the_Spy
Given that Anon has yet use anything other than simple SQLi attacks, I wonder where this data could have been stored (and, by extension, how secret it is). If it was on a public webserver, then one would expect it to be not much more than reports and presentations.
USC Title 18 § 794
Gathering or delivering defense information to aid foreign government
Whoever, with intent or reason to believe that it is to be used to the injury of the United States or to the advantage of a foreign nation, communicates, delivers, or transmits, or attempts to communicate, deliver, or transmit, to any foreign government, or to any faction or party or military or naval force within a foreign country, whether recognized or unrecognized by the United States, or to any representative, officer, agent, employee, subject, or citizen thereof, either directly or indirectly, any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, note, instrument, appliance, or information relating to the national defense, shall be punished by death or by imprisonment for any term of years or for life, except that the sentence of death shall not be imposed unless the jury or, if there is no jury, the court, further finds that the offense resulted in the identification by a foreign power (as defined in section 101(a) of the Foreign Intelligence Surveillance Act of 1978) of an individual acting as an agent of the United States and consequently in the death of that individual, or directly concerned nuclear weaponry, military spacecraft or satellites, early warning systems, or other means of defense or retaliation against large-scale attack; war plans; communications intelligence or cryptographic information; or any other major weapons system or major element of defense strategy.