% fortune -ae paul murphy

The wikileaks don't add up

There's something not right about the story behind the wikileaks documents.

First of all, we're told that Manning simply took rewriteable Lady Gaga DVDs to work, copied text files to them, and walked them out for eventual file re-assembly and transfer to wikileaks.

If the server(s) involved ran one of the Unix or zOS derived OSes cleared for use in secure environments, access logs would have been created automatically - and, at least in the case of zOS or Solaris, alarms would have been sent to the duty officer responsible for data center operations within a few seconds of the first byte being written to a detachable storage device.

Further, had he done this using a USB or DVD drive connected to a Sun Ray served from Solaris, that officer could have replaced or erased the file before the device could be dismounted.

In both cases, furthermore, software that looks for patterns in file accesses comes with the security upgrades - meaning that repeated accesses beyond his need to know would assuredly have triggered security interest.

It's also possible that he used a PC accessing one or more Wintel servers. While I regard allowing Wintel on a secure system as demonstrating both incompetence and negligence, some people argue that the cost/benefit trade-off in doing it is acceptable and have thereby created a market for software intended to mitigate the more obvious risks.

The bottom line is that no matter the technology he had to have help to pull this off - although whether that assistance was intentional or simple gross negligence by many people concurrently isn't clear.

And there's a corollary here, I think, for those of us who work in civilian IT - because an Oracle case study on this could sell a lot of gear, software, and support to lawyers and others handling customer confidential information simply by pointing out that the logging software is standard on Solaris, alerting scripts are trivial, and the connection of external devices like USB drives to Sun Rays need not be allowed for most users.
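The two detections the column relies on above - an alarm on the first write to a detachable device, and a pattern check that notices repeated accesses beyond a user's need to know - are simple enough to show as an alerting script. The following is an added example, not code from the column or from Sun/Oracle; the audit lines it parses are constructed for this illustration and are not in the real Solaris BSM or zOS SMF format, and the field layout, mount-type flag and thresholds are assumptions. Dispatch to a duty officer is out of scope; the functions just return the alerts.

```python
"""Two detections over a constructed audit trail:
  1. any write whose target sits on a mount flagged as removable;
  2. a user reading more distinct documents inside a time window than a
     need-to-know baseline allows (a crude "pattern in file accesses").
The record format below is invented for this example (assumption); a real
audit trail (Solaris BSM, zOS SMF) needs its own reader in place of parse_audit.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: ISO timestamp | user | action | path | mount type
SAMPLE_AUDIT = """\
2010-05-03T09:00:12 | analyst1 | read  | /cables/2009/baghdad-0117.txt   | fixed
2010-05-03T09:00:40 | analyst1 | read  | /cables/2009/baghdad-0118.txt   | fixed
2010-05-03T09:01:05 | analyst1 | read  | /cables/2009/kabul-0402.txt     | fixed
2010-05-03T09:01:30 | analyst1 | read  | /cables/2009/kabul-0403.txt     | fixed
2010-05-03T09:01:58 | analyst1 | read  | /cables/2009/tehran-0091.txt    | fixed
2010-05-03T09:02:20 | analyst1 | read  | /cables/2009/tehran-0092.txt    | fixed
2010-05-03T09:02:45 | analyst1 | read  | /cables/2009/pyongyang-0007.txt | fixed
2010-05-03T09:03:30 | analyst1 | write | /media/cdrw0/cables.tgz         | removable
2010-05-03T09:10:00 | analyst2 | read  | /cables/2009/kabul-0402.txt     | fixed
2010-05-03T09:12:00 | analyst2 | write | /home/analyst2/notes.txt        | fixed
"""


@dataclass
class AuditRecord:
    ts: datetime
    user: str
    action: str   # "read" or "write"
    path: str
    mount: str    # "fixed" or "removable" (assumed classification)


def parse_audit(text):
    """Turn the pipe-separated constructed lines into AuditRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, mount = (f.strip() for f in line.split("|"))
        records.append(AuditRecord(datetime.fromisoformat(ts), user, action, path, mount))
    return records


def detect_removable_writes(records):
    """Rule 1: every write to removable media is an alert, no threshold."""
    return [(r.user, r.path) for r in records
            if r.action == "write" and r.mount == "removable"]


def detect_bulk_reads(records, max_distinct=5, window=timedelta(minutes=10)):
    """Rule 2: flag a user whose distinct documents read inside any
    sliding window of length `window` exceed `max_distinct`.
    Returns (user, peak distinct count) per offending user."""
    by_user = defaultdict(list)
    for r in records:
        if r.action == "read":
            by_user[r.user].append(r)

    alerts = []
    for user, reads in by_user.items():
        reads.sort(key=lambda r: r.ts)
        in_window = Counter()   # path -> occurrences currently inside the window
        start = 0
        peak = 0
        for r in reads:
            in_window[r.path] += 1
            # Slide the window's left edge forward past reads that are too old.
            while r.ts - reads[start].ts > window:
                old = reads[start].path
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            alerts.append((user, peak))
    return alerts


def run(text=SAMPLE_AUDIT):
    """Apply both rules and return all alerts as tagged tuples."""
    records = parse_audit(text)
    return ([("removable-write",) + a for a in detect_removable_writes(records)]
            + [("bulk-read",) + a for a in detect_bulk_reads(records)])


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The removable-write rule deliberately has no threshold: as the column notes, the alarm is meant to fire on the first byte, so the officer can act before the device is dismounted. The bulk-read threshold and window are the tunable part; a real deployment would derive `max_distinct` from each role's observed baseline rather than a fixed constant.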

The second thing that's not right about the wikileaks story is content related: in both rounds much of what came out was already known; became politically damaging only because the journolist community chose to notice; isn't a threat to national security; doesn't expose many good guys - defined as people working for the security and defense of the United States - to hazard; trails irresistible information in front of their opponents; and exposes a lot of Foggy Bottom thinking to public ridicule.

Both leaks also managed to expose a lot of hypocrisy: The New York Times, for example, refused to publish the climategate letters exposing some of the global warming fraudsters on the grounds that the material had been stolen from university servers, but immediately published material believed stolen from American DoD servers - presumably because community rejoicing in the Pentagon Papers episode halos Assange as a kind of folk hero for their side of the political debate.

Both leaks also lend support to Bush era policies - from comments on WMD found in Iraq to background on activities in and by Iran and North Korea, there's a lot in both rounds to prevent future historians from taking the NYT/Economist axis seriously as a source of factual information.

All of which leads to a moral dilemma: I cannot condone leaking classified material even if that classification is often inappropriate and being misused to shield the guilty - but I've worked in secure environments and simply don't believe even Wintel-style pretend security could have let this happen undetected and undeterred; overall rather like the results; and keep thinking that Sun Tzu might, were he alive today, see something deeply honorable in the risks taken, and the obstacles overcome, in making this happen.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.