Gary McKinnon
Game Over

Saturday July 9, 2005
The Guardian

Gary McKinnon has been accused of committing the 'biggest military computer hack of all time', and if extradited to the US faces up to 70 years in jail. So how did this techno geek from north London end up cracking open the Pentagon and Nasa's systems? He talks exclusively to Jon Ronson as he awaits his fate

The following correction was printed in the Guardian's Corrections and clarifications column, Saturday July 23 2005

In the following article we incorrectly referred to a piece of software called Remotely Anywhere as a hacking programme. The programme, made by 3am Labs, is designed for remote access and administration. It is used by thousands of enterprises worldwide. We apologise for the unintended misrepresentation.

In 1983, when Gary McKinnon was 17, he went to see the movie WarGames at his local cinema in Crouch End, north London. In WarGames, a geeky computer whiz kid hacks into a secret Pentagon network and, inadvertently, almost instigates world war three. Sitting in the cinema that day, the teenage Gary wondered if he, too, could be a hacker.

"Really," I say to him now, "War Games should have put you off hacking for life."

"Well," he replies, "I didn't mean it to actually come true." War Games ends with the Pentagon telling the young nerd how impressed they are by his technical acumen. He's probably going to grow up to have a brilliant career at Nasa or the department of defence. This is an unlikely scenario for Gary McKinnon. He currently faces 20 charges in the US, including stealing computer files, obtaining secrets that might have been "useful to an enemy", intentionally causing damage to a protected computer, and interfering with maritime navigation equipment in New Jersey. Last month he attended extradition proceedings at Bow Street magistrates court - he had, the American prosecutors said, perpetrated the "biggest military computer hack of all time". He "caused damage and impaired the integrity of information ... The US military district of Washington became inoperable and the cost of repairing the shutdown was $700,000 ... These [hacking attacks] occurred immediately after 9/11 ... " And so on.

This is Gary's first interview. He called me out of the blue on the Monday before last, just as I was screaming at my child to stop knocking on people's doors and running away. "Your son sounds like a hacker," he told me. Then he invited me to his house in Bounds Green, north London. He is good-looking, funny, slightly camp, nerdy, chain-smokes Benson & Hedges, and is terrified. "I'm walking down the road and I find I can't control my own legs," he says. "And I'm sitting up all night thinking about jail and about being arse-fucked. An American jail. And remember, according to them I was making Washington inoperable 'immediately after September 11'. I'm having all these visions of ... " Gary puts on a redneck prisoner voice, "'What you doing attacking our country, boy? Pick up that soap.' Yeah, it is absolutely fucking terrifying. Especially because a friend of mine was on holiday in America once and was viciously attacked and ended up killing the guy who attacked him - he did 10 years in an American prison. He's quite a tough guy, and he said he had to fight tooth and nail every single day, no let up at all. And I'm thinking, 'I'm only a little nerd'."

The prison sentence the US justice department is seeking - should Gary be successfully extradited - is up to 70 years. What Gary was hunting for, as he snooped around Nasa, and the Pentagon's network, was evidence of a UFO cover-up.

Gary McKinnon was born in Glasgow in 1966. His father ran a scaffolding gang, but his parents separated when he was six and he moved to London with his mother and stepfather, a bit of a UFO buff. "He comes from Falkirk," Gary says, "and just outside Falkirk there's a place called Bonnybridge, which is the UFO capital of the world. When he lived there, he had a dream that he was walking around Bonnybridge seeing huge ships. He told me this and it inflamed my curiosity. He was a great science fiction reader. So, him being my second father, I started reading science fiction, too, and doing everything he did."

Gary read Isaac Asimov and Robert Heinlein - "the golden age of science fiction" - and he joined Bufora, the British UFO Research Association, when he was 15. Bufora describes itself as "a nationwide network of around 300 people, who have a dedicated, noncultist interest in understanding the wide-ranging extent of the UFO enigma".

"So you began to believe in UFOs," I say.

"To hope," says Gary, "that there might be something more advanced than us, keeping a friendly eye on us. Hopefully a friendly eye." Then he saw WarGames, and he thought, "Can you really do it? Can you really gain unauthorised access to incredibly interesting places? Surely it can't be that easy." And so, in 1995, he gave it a try.

He sat in his girlfriend Tamsin's aunt's house in Crouch End, and he began to hack. He downloaded a program that searched for computers that used the Windows operating system, scanned addresses and pinpointed administrator user names that had no passwords. Basically, what Gary was looking for - and found time and again - were network administrators within high levels of the US government and military establishments who hadn't bothered to give themselves passwords. That's how he got in.

His Bufora friends "were living in cloud cuckoo land", he says. "All those conspiracy theorists seemed more concerned with believing it than proving it." He wanted evidence. He did a few trial runs, successfully hacking into Oxford University's network, for example, and he found the whole business "incredibly exciting. And then it got more exciting when I started going to places where I really shouldn't be".

"Like where?" I ask.

"The US Space Command," he says.

And so, for the next seven years, on and off, Gary sat in his girlfriend's aunt's house, a joint in the ashtray and a can of Foster's next to the mouse pad, and he snooped. From time to time, some Nasa scientist sitting at his desk somewhere would see his cursor move for no apparent reason. On those occasions, Gary's connection would be abruptly cut. This would never fail to freak out the then-stoned Gary.

He sounds to me like a virtuoso hacker, although I am someone who can barely download RealPlayer. I nod blankly as he says things like, "You get on to easy networks, like Support and Logistics, in order to exploit the trust relationship that military departments have between each other, and once you get on to an easy thing, you find out what networks they trust and then you hop and hop and hop, and eventually you think, 'That looks a bit more secretive.' " When I ask if he is brilliant, he says no. He's just an ordinary self-taught techie. And, he says, he was never alone.

"Once you're on the network, you can do a command called NetStat - Network Status - and it lists all the connections to that machine. There were hackers from Denmark, Italy, Germany, Turkey, Thailand ..."

"All on at once?" I ask. "You could see hackers from all over the world, snooping around, without the spaceniks or the military realising?"

"Every night," he says, "for the entire five to seven years I was doing this."

"Do you think they're still there? Are they still at it? Or have they been arrested, too?"

Gary says he doesn't know.

"What was the most exciting thing you saw?" I ask.

"I found a list of officers' names," he claims, "under the heading 'Non-Terrestrial Officers'."

"Non-Terrestrial Officers?" I say.

"Yeah, I looked it up," says Gary, "and it's nowhere. It doesn't mean little green men. What I think it means is not earth-based. I found a list of 'fleet-to-fleet transfers', and a list of ship names. I looked them up. They weren't US navy ships. What I saw made me believe they have some kind of spaceship, off-planet."

"The Americans have a secret spaceship?" I ask.

"That's what this trickle of evidence has led me to believe."

"Some kind of other Mir that nobody knows about?"

"I guess so," says Gary.

"What were the ship names?"

"I can't remember," says Gary. "I was smoking a lot of dope at the time. Not good for the intellect."

This was November 2000. By now, Gary was hooked. He quit his job as a systems administrator for a small business, "which hugely pissed off my girlfriend Tamsin. It was the last straw. She dumped me and started seeing this other bloke because I was such a selfish waste of space. Poor Tamsin. And she was the one paying the phone bill because I didn't have a job. We were still living together. God, have you ever tried living with someone after you've split up? It's bad."

So while Tamsin was trying to get on with her new relationship, Gary was in the living room of her aunt's house, hacking. He snooped around all the Forts - Fort Meade, Fort Benning, etc - reading internal court martial reports of soldiers getting imprisoned for rape and murder and drug abuse. At the Johnson Space Centre he spied on photographs of cigar-shaped objects that might have been UFOs but - he says - were probably satellites. "You end up lusting after more and more complex security measures," he says. "It was like a game. I loved computer games. I still do. It was like a real game. It was addictive. Hugely addictive."

It was never really politically motivated. The most political he's ever got is to attend a Noam Chomsky lecture. A John Pilger book sits on the coffee table next to his bed. Yes, he was hacking in the immediate aftermath of September 11, but only because he wanted to see if there was a conspiracy afoot. "Why did the building fall like a controlled series of explosions? " he says. "I hate conspiracy theories, so I thought I'd find out for myself."

"And did you find a conspiracy?" I ask.

"No," he says.

He strenuously denies the justice department's charge that he caused the "US military district of Washington" to become "inoperable". Well, once, he admits, but only once, he inadvertently pressed the wrong button and may have deleted some government files.

"What did you do then?"

"I thought, 'Ooh, bloody hell,' " he says. "And that's when I stopped for a while. And then my friend told me about Darpa. And so I started again."

Darpa is the Defence Advanced Research Projects Agency, an intriguing collection of brilliant military scientists, funded by the Pentagon. Darpa has been widely credited with inventing, among other things, the internet, the global positioning system, the computer mouse, and - somewhat more boneheadedly - FutureMAP, an online futures market designed to predict assassinations and bombings by encouraging investor speculation in such crimes. The US Senate once described FutureMAP as "an unbelievably stupid idea". Darpa has long been of interest to conspiracy theorists because it is semi-secretive, bizarre (they have put much effort into creating a team of telepathic spies) and occupies that murky world that lies between science and war.

Gary heard from a friend that Darpa might have invented a robot soldier, so he hacked in and claims he found evidence of "an autonomous machine that would go in and do the dirty work. These things could go upstairs and look for bombs. You wouldn't have to send in real people. And I also found these awful special forces training videos of guys running around, doing close-quarter battle. It was ridiculous. These yellow words would flash on to the video: 'BRUTALITY! REMEMBER BRUTALITY! SHOCK! DOMINATION!' You're thinking, 'Oh my God!' It was like Batman." I tell Gary that I've seen videos like that - incredibly fierce special forces training videos - when I was researching my book about US psychological operations.

"It's as if investigative journalism has died," he replies. "That's all I was doing. The only difference between you and me was that you were invited."

Gary was caught in November 2002. He says it was inevitable, in retrospect, because he was "getting a bit sloppy". He pauses. "I'd never have envisaged this happening to myself, but I did get a bit megalomaniacal as well. It got a bit silly. I ended up talking to people I hacked into."

"Saying 'I'm a hacker'?"

"No," he says, "I'd instant message them, using WordPad, with a bit of a political diatribe. You know, I'd leave a message on their desktop that read 'Secret government is blah blah blah.' " They found Gary in the end because he'd used his own email address to download a hacking program called RemotelyAnywhere. "God knows why I used my real email address," he says. "I suppose it means I'm not a secretive, sophisticated, checking-myself-every-step-of-the-way type of hacker."

On the night before his arrest, Gary had been up playing games. "Maybe I'd been doing a bit of weak, fun hacking, too," he says. "I'd had one hour's sleep, and I woke up completely muddled, and suddenly at the bottom of my bed there was this voice: 'Hello, my name's Jeff Donson from the National High Tech Crime Unit. Gary McKinnon, you're under arrest!' They put Tamsin and me in the meat-wagon. They took my PC, Tamsin's PC, three other computers I was fixing for friends. They went upstairs and took my girlfriend's auntie's daughter's computer."

Gary was kept in a police station overnight. Then the Americans offered him a deal, via his British solicitor. "They said, 'If you incur the cost of the whole extradition process, be a good boy, come over here, we'll give you three or four years, rather than the whole sentence.' I said, 'OK, give me that in writing.' They said, 'Oh no, we can't do that.' So they were offering a secret trial, no right of appeal on the outcome, no comment to the newspapers, and nothing in writing. My solicitor, doing her job, advised me to take it, and when I said no, she was very, 'Ooh, they're going to come down heavy.' "

In return, Gary offered a somewhat hare-brained counter deal, via a Virginia public defender. "I made a sort of veiled threat to them. I said, 'You know the places I've been, so you know the stuff I've seen' kind of thing." He pauses and blushes slightly. "That didn't work."

"So you were saying, 'If you go heavy on me, I'll tell people what I found'?"

"Yeah," he says. "And I found out that my landline was being bugged, so every time I was on the phone talking to a friend about it, I made sure I'd say, 'All I want is a quiet life, but if they really want to drag me through it, I'll drag them through the shit, too.' "

"And what would you have dragged them through the shit about?" I ask.

"You know," says Gary, "the, uh, Non-Terrestrial Officers. The spaceships. 'The whole world thinks it's cooperating in building the International Space Station, but you've already got a space-based army that you refer to as Non-Terrestrial Officers'."

There is a silence.

"I had very little evidence," he admits. "It's not a very good bargaining chip at all, really, is it?"

Given that the justice department has announced that the information Gary downloaded was not "classified", and he was stoned much of the time, perhaps we can assume that Nasa is not too worried about his "discoveries".

I ask Gary what's he's going to do next. He says on Friday he's off to the Trocadero in Piccadilly Circus, for the London 2600 meeting. He explains that they're known as a hacking group, but really they're a bunch of "unqualified experts who drink lots of beer and tell you all the funky undocumented things you can do with your mobile phones. They wire up PlayStation 2s and X-Boxes to dance mats. They play with technology and bend stuff without breaking it."

I ask Gary if they see him as some kind of mythical hero, now that the US government has described him as the biggest military hacker of all time. He says, no, they see him as a complete idiot. And, in some ways, he is indeed a complete idiot. Well, he is a likable and intelligent geeky man who did many, many idiotic things. What he is not, his friends and supporters reckon, is someone who deserves extradition and 70 years in an American jail. They've set up a Free Gary McKinnon website (spy.org.uk/freegary).

Gary's never spoken publicly before, but now, with the extradition proceedings, he says there's nothing left open to him. For a while, it crossed his mind he might end up like the computer nerd from WarGames, having a brilliant career working for them. "They need people like me," he says. But that's not going to happen.

He's also chosen to talk now because his chances of getting a job have diminished to practically zero. "For the first time in the past few years, I just had a solid work offer," he says. "Game-testing. Which would have been a dream for me. I'm still a big kid like that. I'd love to do that for a job. But now, as a condition of this bail, I'm not allowed to touch the internet. So that was out of the window. So. Yeah. I thought, fuck it."

He and Tamsin have split up. He no longer lives in Crouch End but in the nearby, slightly more down-at-heel Bounds Green, and has given up smoking dope. He is not allowed near the internet, not allowed a passport, and spends a lot of time reading and sitting in the pub, awaiting his fate.

Nothing much happened in the years since his arrest in 2002 under the Computer Misuse Act - no charges were brought against him in the UK. Then on June 8 this year, he suddenly found himself in front of Bow Street magistrates, the target of extradition proceedings. That's when the panic attacks kicked in again, the horror visions of life in an American jail. He had poked around, he says, but he hadn't broken anything, besides that one inadvertent mistake. He thought he was going to get a year, max. Now they're talking about 70 years.

"You know," he says as we finish the interview, "everyone thinks this is fun or exciting. But it isn't exciting to me. It is terrifying."

His next extradition hearing is on July 27

Gary McKinnon Interview

Update: A Briton accused of hacking into Nasa and US military computer networks has spoken out about his experiences. (Gary McKinnon was arrested by the UK's national high-tech crime unit in 2002.)
McKinnon earns Lords appeal
Pentagon hacker in legal victory
By John Leyden
Published Tuesday 31st July 2007 10:30 GMT
Gary McKinnon, the British hacker facing extradition over allegations he broke into US Military and NASA sites, has earned the right to take his case to the House of Lords.

The law Lords agreed to hear arguments that US authorities acted in an "oppressive" and "arbitrary" manner during plea bargaining negotiations, for example by allegedly threatening McKinnon over the loss of rights to serve part of his sentence in the UK unless he submitted to voluntary extradition.

The House of Lords was not bound to consider McKinnon's final appeal - for example it declined to hear the appeal of the NatWest Three bankers, so the Lords' decision is a significant fillip for McKinnon and his legal team. (more) 

http://www.youtube.com/watch?v=B4PkNPCEnJM

SPACE COMMAND
General Kevin P. Chilton 
                      Commander, Air Force Space Command

"The establishment of Space Command is a crucial milestone in
the evolution of military space operations. Space is a place--like
land, sea, and air--a theater of operations. And it was just a matter
of time until space was treated as such."
~ General James V. Hartinger, 1 September 1982

Beginning in the mid-1980s, concurrent with the development of space operations and space engineering curricula at the Naval Postgraduate School, the Navy began “coding” officers as space subspecialists. As space subspecialty codes were then assigned to particular officers’ billets on numbered Fleet staffs and at commands ashore, the service began assigning Navy members with matching codes to those positions. More recently, the Navy has begun efforts to build a cadre of “space smart” officers, enlisted personnel and civilian employees.

The Naval Space Cadre is composed of active-duty and reserve Navy and Marine Corps officers and enlisted personnel, along with Navy civilian employees from a wide range of career fields who meet mandatory education, training and experience standards established for a particular certification level. The Navy Space Cadre is a distinct body of expertise horizontally and vertically integrated within Navy and Marine Corps active duty, reserves and civilian employee communities organized to operationalize space

Initial identification of the cadre began in mid-2001 with the standup of the Naval Space Cadre Working Group and culminated in a naval message (NAVADMIN 201/03 DTG211435Z JUL 03) announcing the first 700 officer members of the cadre. These officers were identified by the subspecialty codes of 6206, Space Systems Operations, and 5500, Space Systems Engineering or by the additional qualification designator of VS1, VS2, VS3 or VS4. Identification of enlisted and civilian cadre members is more challenging, as these groups do not have specif?ic space identifiers like the officers do. 

Approximately 265 billets are currently identified as space billets. These jobs are in Navy, joint and National Security Space organizations. Space cadre members are currently assigned throughout the National Security Space arena, including the National Reconnaissance Office, National Security Space Architect, National Security Space Integration, MILSATCOM Joint Program Office, as well as in all Navy organizations that deal with space.

High Frontier
The Journal for Space and Missile Professionals
Summer 2004
SOURCE: Air Force Space Command

Internet Presents Web of Security Issues

By Paul Stone
American Forces Press Service

WASHINGTON, Sept. 25, 1998 – In a briefing room deep in the Pentagon earlier this year, Air Force Lt. Col. Buzz Walsh and Maj. Brad Ashley presented a series of briefings to top DoD leaders that raised more than just a few eyebrows.

Selected leaders were shown how it was possible to obtain their individual social security numbers, unlisted home phone numbers, and a host of other personal information about themselves and their families simply by cruising the Internet.

Walsh and Ashley, members of the Pentagon's Joint Staff, were not playing a joke on the leaders. Nor were they trying to be clever. Rather they were dramatically, and effectively demonstrating the ease of accessing and gathering personal and military data on the information highway information which, in the wrong hands, could translate into a vulnerability.

"You don't need a Ph.D. to do this," Walsh said about the ability to gather the information. "There's no rocket science in this capability. What's amazing is the ease and speed and the minimal know-how needed. The tools (of the Net) are designed for you to do this."

The concern over personal information on key DoD leaders began with a simple inquiry from one particular flag officer who said he was receiving a large number of unsolicited calls at home. In addition to having the general's unlisted number, the callers knew specifically who he was.

Beginning with that one inquiry, the Joint Staff set out to discover just how easy it is to collect data not only on military personnel, but the military in general. They used personal computers at home, used no privileged information not even a DoD phone book and did not use any on-line services that perform investigative searches for a fee.

In less than five minutes on the Net Ashley, starting with only the general's name, was able to extract his complete address, unlisted phone number, and using a map search engine, build a map and driving directions to his house.

Using the same techniques and Internet search engines, they visited various military and military-related Web sites to see how much and the types of data they could gather. What they discovered was too much about too much, and seemingly too little concern about the free flow of information vs. what the public needs to know.

For example, one Web site for a European-based installation provided more than enough information for a potential adversary to learn about its mission and to possibly craft an attack. Indeed, the Web site contained an aerial photograph of the buildings in which the communication capabilities and equipment were housed. By pointing and clicking on any of the buildings, a Web surfer would learn the name of the communications system housed in the building and its purpose.

Taking their quest for easily accessible information one step further, the Joint Staff decided to see how much information could be collected just by typing a military system acronym into an Internet search engine. While not everyone would be familiar with defense-related acronyms, many of them are now batted around the airwaves on talk shows and on the Internet in military-related chat rooms. They soon discovered how easy it was to obtain information on almost any topic, with one Web site hyper-linking them to another on the same topic.

What the Joint Staff was doing when they collected their information is commonly called "data mining" -- surfing the Net to collect bits of information on individuals, specific topics or organizations, and then trying to piece together a complete picture. Individuals do it, organizations do it and some companies do it for profit.

While the information they discovered presented legitimate concerns, it wasn't all negative. The Army's Ft. Belvoir, Va., home page was cited as one example of a Web site which served the needs of both the military and the public. It had the sort of information families or interested members of the public need and should get.

So what does all this mean? Is DoD creating individual and institutional security problems? In the rush to make information available to the internal audience, is too much being made available to the public and those who might want to inflict harm?

The Joint Staff doesn't pretend to have all the answers to these questions, but is encouraging users to think about these issues whenever they put information on the Internet; and they believe that, in some cases, DoD is it's own worst enemy.

Michael J. White, DoD's assistant director for security countermeasures, agrees with the Joint Staff analysis. Moreover, as a security expert, he is concerned DoD does indeed exceed what needs to be on the Internet.

"For fear of not telling our story well enough, we have told too much," he said. "Personally, I think there's too much out there and you need to stop and ask the question: Does this next paragraph really need to be there, or can I extract enough or abstract enough so that the intent is there without the specificity? And that is hard to do because we are pressed every day. So sometimes expediency gets ahead of pausing for a minute and thinking through the process: Does the data really need to be there? Is it going to hurt me tomorrow morning?

DoD's policy on releasing information to the public, as spelled out by Defense Secretary William Cohen in April 1997, requires DoD "to make available timely and accurate information so that the public, Congress and the news media may assess and understand the facts about national security and defense strategy." The same statement requires that "information be withheld only when disclosure would adversely affect national security or threaten the men and women of the Armed Forces."

"On the one hand," Ashley said, "we have fast, cheap and easy global communication and coordination. On the other hand, we find ourselves protecting official information and essential elements of information against point-and-click aggregation. Clearly, this balancing act is a function of risk management. Full openness and full protection are equally bad answers. We have a serious education, training and awareness issue that needs to be addressed."

The Joint Staff repeatedly returns to the issue of "point- and-click aggregation" as a problem that is often overlooked when military personnel and organizations place data on the Internet. What they're referring to is the ability to collect bits of information from several different Web sites to compile a more complete picture of an individual, issue or organization with very little effort.

"The biggest mistake people make is they don't understand how easy it is to aggregate information," Walsh said.

The lesson from this is that even though what is posted on the Net is perfectly innocent in and by itself, when combined with other existing information, a larger and more complete picture might be put together that was neither intended nor desired.

A more obvious problem, yet still one not always considered when posting information on the Internet, is that the "www" in Web site addresses stands for "world wide" Web. Information posted may be intended only for an internal audience perhaps even a very small and very specific group of people. But on the Net, it's available to the world.

This, security experts agree, is an enormous change from the time when foreign intelligence gathering was extremely labor intensive and could only be done effectively on U.S. soil.

"If I'm a bad guy, I can sit back in the security of my homeland and spend years looking for a vulnerability before I decide to take a risk and commit resources," Ashley said. "I'm at absolutely no risk by doing that. I can pick out the most lucrative targets before hand, and may even just bookmark those targets for future use. We won't know something has been compromised until it's too late."

White agrees with the Joint Staff's concern.

"You can sit in Germany and have access to the United States just as easily as you can in Australia or the People's Republic of China or Chile," White said. "It doesn't matter where you are. You can go back and forth and in between and lose your identity on the net instantaneously. Those who seek to use the system feel comfortable they won't be discovered."

In addition to these issues, security experts see another recurring and disturbing problem. In the rush to take advantage of the Net's timeliness and distribution capabilities, military personnel are forgetting about or ignoring the For Official Use Only policies which previously made the information more difficult to obtain. Yet anyone using the Internet doesn't have to venture far into the array of military Web sites to come across one which states: "For Official Use Only."

If the information is For Official Use Only, security experts said Web site developers, managers and commanders must ask themselves whether the information should be there in the first place.

While officials are most concerned about the information being placed on military Web sites, they had similar warnings about individual or family Web sites. The Joint Staff recommends the same precautions should apply at home, especially as personnel move into high-ranking, key leadership positions.

At a time when the flow of information is beyond anyone's capability to either digest it or control its direction, it's not likely the problems brought forward recently by the Joint Staff will be solved any time soon. The first step, security experts said, is awareness the problems exist. Commanders have to understand not just the information capabilities of the World Wide Web, but the information vulnerabilities as well.

The second step, Walsh pointed out, is for commanders to become actively involved in the issue of what's being put on the Internet. Current DoD policies require that local commander, public affairs and security reviews prior to release of data on Web pages. But the flow of information is so great, these reviews may not be occurring and few are looking at the aggregation problem.

"I think it would be very appropriate for a public affairs officer to be the commander's lead representative," Walsh said. "But it's a commander's issue and it should go down command lines. This is certainly an operational security issue. Just like operational security is everybody's business, this ultimately is everyone's responsibility."

White concurred and recommends installations create "security-integrated product teams" which would be tasked to develop and implement guidelines for creating and monitoring Web sites on the installation.

"I think having a group come together before the (Web site development) process begins will remove an awful lot of pain in the long run," White said. "We need to step back one step and think before we begin any effort, because once it's done you can't undo it. That makes it very hard in a digital environment."

Although it's not possible to retrieve what's already on the World Wide Web, nor predict how it will influence future security issues, Walsh, Ashley and White believe it's not too late to make a difference. With a little more forethought and a lot more planning, it will be possible to better protect the next generation of warfighters, both on and off the battlefield, they said. 

http://www.defenselink.mil/specials/websecurity/

Web Site Administration - Policies & Procedures

November 25, 1998 
Information Collected from (DefenseLINK) for Statistical Purposes
Department of Defense

    Below is an example of the information collected based on a standard request for a World Wide Web document:

        xxx.yyy.com - - [28/Jan/1997:00:00:01 -0500] "GET /DefenseLINK/news/nr012797.html HTTP/1.0" 200 16704 Mozilla 3.0/www.altavista.digital.com

    xxx.yyy.com (or 123.123.23.12)-- this is the host name (or IP address) associated with the requester (you as the visitor). In this case, (....com) the requester is coming from a commercial address. Depending on the requester’s method of network connection, the host name (or IP address) may or may not identify a specific computer. Connections via many Internet Service Providers assign different IP addresses for each session, so the host name identifies only the ISP. The host name (or IP address) will identify a specific computer if that computer has a fixed IP address.

    [28/Jan/1997:00:00:01 -0500] -- this is the date and time of the request

    "GET /DefenseLINK/news/nr012797.html HTTP/1.0" -- this is the location of the requested file on (DefenseLINK)

    200 -- this is the status code - 200 is OK - the request was filled

    16704 -- this is the size of the requested file in bytes

    Mozilla 3.0 -- this identifies the type of browser software used to access the page, which indicates what design parameters to use in constructing the pages

    www.altavista.digital.com - this indicates the last site the person visited, which indicates how people find (DefenseLINK)

    Requests for other types of documents use similar information. No personally-identifying information is collected.

    4.2. The following notice and consent banner, approved by the DoD General Counsel (reference (hh)), may be used on all DoD Web sites with security and access controls. This banner may be tailored by an organization but such modifications shall be accomplished in compliance with reference (hh), and shall be approved by the Component’s General Counsel before use.

    "This is a Department of Defense Computer System. This computer system, including all related equipment, networks, and network devices (specifically including Internet access) are provided only for authorized U.S. Government use. DoD computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes active attacks by authorized DoD entities to test or verify the security of this system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information, including personal information, placed or sent over this system may be monitored.

    Use of this DoD computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal, or other adverse action. Use of this system constitutes consent to monitoring for these purposes."

DoD Web Policies And Guidelines

Updated: 13-Oct-2006
Department of Defense

Security

    * AFIS Web Story: Internet Presents Web of Security Issues
    * Information Assurance Support Environment (IASE) - The DoD IA Portal
    * Information Security Program, DoD Directive 5200.1
    * Information Vulnerability and the WWW; Deputy Secretary of Defense Hamre (09/24/1998) - "All DoD Components that establish publicly accessible web sites are responsible for ensuring that the information published on those sites does not compromise national security or place DoD personnel at risk."
    * Security and Policy Review of DoD Information for Public Release - DoD Instruction 5230.29
    * Unauthorized Disclosure of Classified Information to the Public (DoD Directive 5210.50) - policy and responsibilities for reporting and investigating known or suspected incidents of unauthorized public disclosure of classified information and reporting corrective and disciplinary action taken
    * Website OPSEC Discrepancies (SecDef MSG R 141553Z JAN 03) - THE FACT THAT FOR OFFICIAL USE ONLY (FOUO) AND OTHER SENSITIVE UNCLASSIFIED INFORMATION (E.G., CONOPS, OPLANS, SOP) CONTINUES TO BE FOUND ON PUBLIC WEB SITES INDICATES THAT TOO OFTEN DATA POSTED ARE INSUFFICIENTLY REVIEWED FOR SENSITIVITY AND/OR INADEQUATELY PROTECTED. ... THIS CONTINUING TREND MUST BE REVERSED. 

FAIR USE NOTICE: This page contains copyrighted material the use of which has not been specifically authorized by the copyright owner. Pegasus Research Consortium distributes this material without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. We believe this constitutes a fair use of any such copyrighted material as provided for in 17 U.S.C § 107. If you wish to use copyrighted material from this site for purposes of your own that go beyond fair use, you must obtain permission from the copyright owner.
~ MENU ~

 

Webpages  © 2001-2009
Blue Knight Productions