by thingexplainer 3535 days ago
It seems like contractors are a massive attack surface for the DoD. I do wonder why they gave a clearance to someone who was apparently a hoarder. If collecting things that interest you in a compulsive manner doesn't suggest to you that this person might be abused by foreign powers, but marijuana use does, your secrets will flow like water.

The government has all sorts of pay guidelines on what people can make, which makes it near impossible for them to retain talent. Most of the NSA guys I know put in 18 or so months, then go to Booz Allen and get contracted right back to the department they left at 4x the pay (one guy even got his same desk back).

Every time someone points out the "why'd they give a clearance to X person" argument, I point out that there are close to a million people with security clearances. No screening system is perfect, but for something being run by the government it is pretty damn good.

It's roughly 5 million people. The number fluctuates, but way more than 1 million people have US-government-issued security clearances.

http://www.defenseone.com/business/2015/04/number-security-c...

I contract for many large state and federal agencies.

For better or worse, contractors are easier to hire and fire for the federal government. That gives them more budgetary flexibility. You can also hire people and companies that specialize in the specifics of the project quickly through established contracting channels with established reputations.

Contractors are also able to legally bypass red tape and bureaucracy required of federal employees. For instance, if I were directly employed by one of my clients I would be severely limited in the toolchain that I use, and I wouldn't even be allowed admin access on my development machine (despite having it on multiple servers which are orders of magnitude more sensitive). If I were their employee, every time I needed to install a Java update I'd have to call up IT, sit on hold, and explain to them exactly why I need to install this update, etc. I've had it literally take a week of futzing around with bizarre errors (from the crazy policy settings and restrictions on the laptop), on hold with some poor schmuck at a national-level helpdesk four time zones away who has zero experience with programming, trying to get a dev environment set up on a government laptop, which would have taken literally an hour on a computer I have local admin access on. I would rather be waterboarded than do that again. Contracting and having our own rules saves literally unending amounts of pointless bullshit. Many things would probably never get completed internally because of situations like this. Of course those contractor advantages cut both ways when considering security.

In OP's situation I'm not sure him being a contractor makes any difference. Either kind of employee can take a USB stick home and transfer stuff to a compromised PC. A contractor or employee may have gotten their clearance a long time ago, and unless they have some kind of regular unannounced random inspection of their home you'd never know if they were a hoarder. And if they never caused or were involved in a security incident in the past there would probably be very little desire to bother shaking them down. I'd say problems in this category may be worse internally. I've met many husks of people in government positions who have been there for decades and are completely unemployable. What's worse is they can't be fired easily like a contractor, so as long as they show up sober 9-5 they never leave.

Not saying it's a good situation. The contractor knowingly and clearly broke laws, policies, and rules. I annually have to take record-keeping and security courses and quizzes to maintain access to the network. I am sure the contractor implicated here had much more stringent requirements than I have due to his clearance level. Thus this guy's screwed, and his company is screwed too, legally too. Lord knows this guy can't pull strings at the DoJ to save his ass like some people from recent memory.

What I find astonishing is that these machines have working USB ports at all. And even if there are some external media connections like a DVD burner or USB, wouldn't it make sense to at least hardwire them to some tamper-resistant logging device that records who used them at which time?
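The per-port record this comment asks for can at least be approximated in software on the host itself: the Linux kernel logs every USB attach, its vendor/product IDs, serial number, whether the usb-storage driver claimed it, and the later disconnect. The parser below (an added example, not code from the thread or from any agency tool) reconstructs a per-device session from such lines and flags mass-storage devices whose serial is not on an allowlist. The log lines and the allowlist are constructed for the example; the caveat, and the reason the comment wants a separate hardware logger, is that a host-side log is only as trustworthy as the host, and a local administrator can clear it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the style of Linux kernel messages as relayed by
# syslog. They are made up for this example and do not come from any real host.
SAMPLE_LOG = """\
Aug 12 08:02:11 ws-0417 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Aug 12 08:02:11 ws-0417 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Aug 12 08:02:11 ws-0417 kernel: usb 1-2: Product: Ultra Fit
Aug 12 08:02:11 ws-0417 kernel: usb 1-2: Manufacturer: SanDisk
Aug 12 08:02:11 ws-0417 kernel: usb 1-2: SerialNumber: 4C530001234567890123
Aug 12 08:02:11 ws-0417 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Aug 12 08:02:12 ws-0417 kernel: sd 6:0:0:0: [sdb] 60063744 512-byte logical blocks: (30.8 GB/28.6 GiB)
Aug 12 08:41:03 ws-0417 kernel: usb 1-2: USB disconnect, device number 5
Aug 12 09:15:40 ws-0417 kernel: usb 1-3: new low-speed USB device number 6 using xhci_hcd
Aug 12 09:15:40 ws-0417 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
Aug 12 09:15:40 ws-0417 kernel: usb 1-3: Product: USB Optical Mouse
Aug 12 09:15:40 ws-0417 kernel: usb 1-3: Manufacturer: Logitech
"""

# Assumed allowlist of issued media, keyed by the serial the device reports.
APPROVED_SERIALS = {"4C530001234567890123"}

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
NEW_DEV_RE = re.compile(r"^usb (?P<port>[\d.-]+): new .*USB device number (?P<num>\d+)")
IDS_RE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
ATTR_RE = re.compile(r"^usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
DISCONNECT_RE = re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect, device number (?P<num>\d+)")
FIELD_FOR = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}


@dataclass
class UsbDevice:
    host: str
    port: str                      # bus-port path, e.g. "1-2"; identifies the physical socket
    connected_at: str
    vid: str = ""
    pid: str = ""
    manufacturer: str = ""
    product: str = ""
    serial: str = ""
    mass_storage: bool = False     # set when the usb-storage driver claims an interface
    disconnected_at: Optional[str] = None


def parse_usb_events(log_text: str) -> list:
    """Rebuild one UsbDevice record per attach/detach session from kernel log lines."""
    devices = []
    live = {}  # port -> device currently attached on that port
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.group("ts", "host", "msg")
        n = NEW_DEV_RE.match(msg)
        if n:
            dev = UsbDevice(host=host, port=n["port"], connected_at=ts)
            live[n["port"]] = dev
            devices.append(dev)
            continue
        i = IDS_RE.match(msg)
        if i and i["port"] in live:
            live[i["port"]].vid, live[i["port"]].pid = i["vid"], i["pid"]
            continue
        a = ATTR_RE.match(msg)
        if a and a["port"] in live:
            setattr(live[a["port"]], FIELD_FOR[a["key"]], a["val"])
            continue
        s = STORAGE_RE.match(msg)
        if s and s["port"] in live:
            live[s["port"]].mass_storage = True
            continue
        d = DISCONNECT_RE.match(msg)
        if d and d["port"] in live:
            live.pop(d["port"]).disconnected_at = ts
    return devices


def unapproved_storage(devices, approved_serials) -> list:
    """Mass-storage sessions whose reported serial is not on the allowlist."""
    return [d for d in devices if d.mass_storage and d.serial not in approved_serials]


if __name__ == "__main__":
    sessions = parse_usb_events(SAMPLE_LOG)
    for dev in sessions:
        kind = "STORAGE" if dev.mass_storage else "other"
        print(f"{dev.host} port {dev.port} {dev.connected_at} -> {dev.disconnected_at or 'still attached'}"
              f" [{dev.vid}:{dev.pid}] {dev.manufacturer} {dev.product} serial={dev.serial or '-'} ({kind})")
    for dev in unapproved_storage(sessions, set()):
        print(f"ALERT: unapproved mass storage on {dev.host} port {dev.port}: serial={dev.serial}")
```

Two points fall out of the record: the mouse on port 1-3 never triggers the usb-storage driver, so only the stick on port 1-2 is a removable-media event, and the session on 1-2 is bounded by its attach and disconnect timestamps. A serial is a weak identifier, since a hostile device can report any serial it likes, so the allowlist only catches honest mistakes, not a determined insider.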
You have to trust your employees at some point. If he was writing code he also could have written back doors to access and download it from somewhere else.
I'm certain I remember hearing about the military at least filling USB ports with epoxy at one point after the Manning leaks.
This has been SOP in certain places for a long time.
As an outsider looking in, it seems like there have been a lot of DLEs due to contractors though. There's the obvious example of Snowden, but also the QinetiQ breach (https://www.bloomberg.com/news/articles/2013-05-01/china-cyb...). Moonlight Maze might be a counterexample.
I think that's because most of the people doing the work are contractors. Not because of some notion of contractors being less secure/loyal/honest/organized than gov employees.

For one federal organization I work for, literally everyone I work with and talk to at all levels seems to be a contractor except for a couple of people. The ratio is at least 20:1 contractors to federal employees. As for why this is, it's mostly related to the reasons I mentioned in my wall of text.

I agree, I never meant to imply that I thought contractors were less loyal. I appreciate the depth of your responses and hope I haven't given offense.

There are just so many of them that it projects the attack surface of the DoD out; now you can attack contractors which aren't as tightly regulated, and they might hire people to, say, build their website that aren't even cleared. So now I can steal some web dev's credentials and pivot towards classified networks.

No offense taken. And yes, external contractors can pose additional security vulnerabilities since they are not always under the same security policies on their own machines. I know that some departments are changing things so all work must be performed on government equipment with government source control on internal networks. If my client does this I will definitely quit. I am already pretty burned out on the work (their policy is that all internal projects must be in ColdFusion).
Don't they have random searches? When I went to HMGCC for an interview (at Hanslope Park) a couple of years back there was a sign up saying that you could be searched on entry and exit.
Ever hear a plastic Wal-Mart shopping bag referred to as a "cloaking device"? Also, in some places, items that are banned when referred to by their proper names are allowed when they are instead called "contractor equipment".

The problem is that the level of control required for actual security prevents people from being able to do their jobs effectively. And if no one can get anything done, there's nothing to secure. So this leads to an environment where everything is oversecured by default, and bypassing the nominal level of security is simple, easy, and commonplace--sometimes even expected.

For instance, you don't have local administrator access on your workstation. But you have Visual Studio and its debugger, and can compile and run any source you can type in. You also have physical access to the machine, with its 5.25" removable-media drive. It becomes faster and easier to reimplement an unzip utility from a printed spec than to get 7zip installed on your machine. And the hand-rolled utility probably has a larger exposed attack surface than the open source program.

He must've hidden it in his Rubik's Cube.
Not where I work. Also, random could mean once every 10 years. I use a laptop and take it home every night. Unless they banned users from taking everything with them (phones, keychains, etc.) there's not much a random search would accomplish.
I know people who worked at places where taking a phone with a camera in it into work was verboten.

And for high-security places, why on earth would they allow people to work on laptops that are taken home every night, an obvious security risk?

Indeed. I worked in a secure environment for about 4-5 years, and we couldn't bring our cellphone (of any type) or any other electronics/storage devices/etc. into work. In fact, while working there I had surgery that required me to lug around a medical device 24/7 for a while. And because the device had an exposed USB port, I wasn't allowed to return to work until after I no longer needed it. That took roughly 1 month.
Well, we don't even work onsite. I write my code on my company laptop, test against a sanitized database on my company's network and whatnot, then commit to my company's source control. Then I pick up my government-issued locked-down laptop, VPN in, remote desktop to the server across the US and svn update.

I am not dealing with TS stuff here. There are files on the government network which are confidential and having access does require a clearance, but I don't actually work with confidential data directly.

Apple are well known for being ridiculously paranoid about products being leaked before their announcement, so much so that at one point they put eye-height frosting (not the cake type) on the glass walls to stop people accidentally looking in to the factory floor.

My bag was checked once in the 5 weeks I worked there, on the way in. The passwords I created for their new servers (containing metrics from the factory's build and test processes) were at one point walking around Cork in their admin's wallet. I used my own laptop (because OS X, bleugh) plugged straight into their corporate LAN.

But they did have a room which was out of bounds.

Nobody gets security right, however "high security" they think they are.

Oh and let's not get started on what the MoD thinks it's achieving in its immigration office.

collecting things that interest you in a compulsive manner vs marijuana use

The key difference to the government is that hoarding can be perfectly legal while marijuana use requires you to participate in the black market.

Which is a pretty flimsy reason to believe an adversary might find leverage against you. But hoarding is a force multiplier in the adversary's favor.
I think it's more about willingness to participate in black market activities makes you untrustworthy in the government's eyes.