Linux - Uncensored

[#] Fri Sep 09 2011 01:57:20 PM EDT from the_mgt @ Uncensored

But it makes sense, I was just going to ask why you have confidential ratings per paragraph in a medium as "email"... :)

[#] Fri Sep 09 2011 02:08:25 PM EDT from Sig @ Uncensored

Sep 9 2011 1:57pm from the_mgt @uncnsrd
But it makes sense, I was just going to ask why you have confidential
ratings per paragraph in a medium as "email"... :)

Why portion mark when the entire e-mail system is on a ridiculously classified network? Because different things are accessible to different people, get declassified at different rates and are subject to the Freedom of Information Act. It's a big mess. The message as a whole must be classified at the highest level of any of its content, but if a recipient wants to use some of the information in it, he needs to know what that particular bit is classified to. Overclassification creates "cylinders of excellence" where no one can share anything with anyone else, which pretty much defeats the purpose of intelligence services.

[#] Fri Sep 09 2011 03:47:10 PM EDT from the_mgt @ Uncensored

Yes, but using email for this whole process is like communicating via posters on a campus and marking some sections "not to be read by students"...

SSL or not, you have the unencrypted message body lying around on a mobile phone or another unencrypted system, like your averade windows desktop, and you are allowed to choose your own email client... I would have expected something like enigmail and encryption enforcement policy for receiving devices, at least. I even expected a special locked client with paranoid security. Heck, all my linux systems have luks encrypted partitions (yes, root, too) and I am still bothered because /boot is unencrypted :)

But I do understand the concept of parapgraph/email classification now, makes sense.

[#] Fri Sep 09 2011 05:58:30 PM EDT from Sig @ Uncensored

OH, okay, I'm mixing up two different conversational threads. The phone/AKO CAC-only issue is not classified; nothing higher than Unclassified//For Official Use Only is allowed on that network. It's simply how we conduct normal business (announcements, admin, evaluations, scheduling, blah blah blah). We don't portion mark that; by definition, if you put something classified on it, you're doing it wrong.

Despite that, they are going to the CAC-only authentication because it's considered what used to be called Sensitive But Unclassified (SBU). If someone were on our company mailing list, for example, they could do something nefarious like plant a bomb at our company picnic site or intercept our convoy en route to a training site or something equally silly and annoying.

As a practical matter, enforcing CAC authentication merely convinces the soldiers not to bother using it. It's not HARD, exactly, to install, but you have to follow steps in the right order and install some stuff on your computer, and the early versions had a pretty bad reputation for b0rking Windows. Experience as the admin guy for our unit says that most people won't bother unless you make it dead-stupid-simple because the perceived benefit is minimal: "Oh, I jump through all of these hoops so I can check my e-mail only on this one machine, and now I have the great boon of being able to use a really shitty web portal that is state of the art 2002? And crashes frequently for no reason? And has a 100 megabyte total storage limit? And strips out attachments and links?"

Gee, sign me up.

It's annoying enough when you at least have machines to use at work (on base) that are CAC-enabled. But for the reserve component, we get a double whammy: we don't SEE each other except once a month (and so are more reliant on e-mail) and we don't have ready access to CAC-enabled computers unless we do it ourselves. Net result: Even before this change, perhaps half of my company used their Army e-mail address as their main point of contact; everyone else used some other e-mail address (and because I cared about communication more than policies that I can't enforce), I sent to those addresses. This will only increase.

[#] Fri Sep 09 2011 06:01:36 PM EDT from Sig @ Uncensored

The Air Force and NSA actually have put together a thumb drive Linux distro for use on "untrusted" computers so you can access what you need in a secure manner (still unclassified), but as long as I need a Windows application to digitally sign electronic documents with my CAC, I will be tied to Windows.
Even if you configure CAC access on Linux or OS X, you still can't digitally sign the documents that we use, and more and more things are requiring this (evaluations, for example).

[#] Sat Sep 10 2011 07:45:19 AM EDT from the_mgt @ Uncensored

Ah, yes, thats a terrific system! Enforcing security which the users see as superflous is the nightmare of any admin... Especially if it isn't even for really classified stuff. And I can totally see people working around these restrictions.

At the university, people with access to the accounting software need a smart card too, combined with a pin code they can choose by themselves. Of course these pins are birthdates of themselves, familymembers or equally stupid numbers and the smartcard is kept in an unlocked drawer somewhere near the computer. All this because they are pissed off by the software (three letter acronym, founded by ex-IBM people, you might guess which one I am referring to) and it isn't their money in the first place.

I guess your admins should build the thumbdrive with CAC reader included (I guess it is RFID/NFC of some sort), so after booting off of it and inserting card, everything works fast and fine and nothing gets stored on untrusted computers.

[#] Sat Sep 10 2011 09:59:04 AM EDT from Sig @ Uncensored

The new ones will be RFID; we install readers (which are provided) for the current gen. I can live with a dongle, but the other stuff borders on ridiculous.
The Army is still struggling with common sense issues that the private world has come to grips with a decade ago. No official business on personal hardware, but they don't provide you any. Meanwhile, God help you if you don't pay for a cell phone because they need to be able to reach you 24/7--but that is okay, for some reason. Just don't check your e-mail on it.

[#] Sun Sep 11 2011 10:35:49 PM EDT from IGnatius T Foobar @ Uncensored

SSL or not, you have the unencrypted message body lying around on a
mobile phone or another unencrypted system, like your averade windows
desktop, and you are allowed to choose your own email client... I

This, of course, seems insanely counterproductive, when you consider that the average Windows desktop is *far* more likely to have been compromised than the average mobile phone.

An application running on a mobile phone is, at best, sandboxed -- and, at worst, telling you exactly what actions it's asking permission to perform.

[#] Mon Sep 12 2011 01:41:16 AM EDT from the_mgt @ Uncensored

Yes, I agree, but there are things such as Bloover and your average mobile phone is lost or stolen easier/more often than an average windows desktop. It is all theory, though, I guess if you want to, you can steal the CAC in the first place, etc. :)

[#] Thu Sep 15 2011 01:13:44 PM EDT from saltine @ Uncensored

I think theres still a market for two-way pagers. Solves so many issues.
Company doesnt incur a huge cost; sets a barrier to help encourage work-life balance.

[#] Thu Sep 15 2011 04:45:23 PM EDT from IGnatius T Foobar @ Uncensored

What makes it a better value over SMS?

And are today's two-way pagers nothing more than text-capable phones minus the phone part?

[#] Fri Sep 16 2011 06:48:56 AM EDT from dothebart @ Uncensored

they were called sidekick, and were aquired by microsoft (and discarded like webos) a while ago.

Thu Sep 15 2011 13:13:44 EDT from saltine @ Uncensored

I think theres still a market for two-way pagers. Solves so many issues.
Company doesnt incur a huge cost; sets a barrier to help encourage work-life balance.

[#] Mon Sep 19 2011 08:55:06 AM EDT from saltine @ Uncensored

If its hard to use, it's a barrier to being a pest on your employees.

[#] Tue Sep 20 2011 10:53:07 AM EDT from the_mgt @ Uncensored

Subject: Linux livecd with different virusremovers

I just found out that TRK3.4 fails totally in the virus check department at the moment. I used to use it for offline removal of virii on our windows desktops, now I need a replacement. Any recommendations? bitdefender, f-prot and vexira would be nice.

[#] Tue Sep 20 2011 02:20:37 PM EDT from IGnatius T Foobar @ Uncensored

Hey, does anyone know whether run-parts(8) will execute binaries, or does it require scripts?

[#] Fri Sep 23 2011 10:34:16 AM EDT from Ford II @ Uncensored

never tried it, dunno.

I just found out you can run screen in screen. How cool is that.

[#] Tue Sep 27 2011 03:55:01 PM EDT from IGnatius T Foobar @ Uncensored

"Yo dawg, I heard you like screens so I put a virtual console in your virtual console..."

[#] Sat Oct 01 2011 10:55:50 PM EDT from the8088er @ Uncensored

I have always avoided doing that because .... if you ^A C for instance, which screen session takes it?

[#] Sat Oct 01 2011 11:23:39 PM EDT from fleeb @ Uncensored

"Her complications had complications."

[#] Tue Oct 04 2011 09:09:34 PM EDT from Ford II @ Uncensored

I have always avoided doing that because .... if you ^A C for instance,

which screen session takes it?

The outermost one. So if you wnat to get the inner one, you have to ^A A C.
you get used to it fairly quickly.