But how do we leak without webmail?

Well this is all very interesting, however I am feeling extremely acronymically challenged.
But I know a TLA when I see one.

JC said :

creative_canberran said :

Fact: You’re confusing the national-security clearance ratings with the non-national-security ratings. Security-in-confidence, department-in-confidence, cabinet-in-confidence and so on, you’ll find those on internet connected terminals.

Fact: Restricted is a national security rating. In some, not all department this can be found on machines connected to the Internet, Defence being a prime example of where it IS allowed. Indeed the rules even allow restricted to be sent over the Internet legally but it is still a national security rating.

You can send higher than Restricted or In-Confidence over the Internet also, you simply need to use the appropriate crypto. The details are in the ISM.

creative_canberran said :

Fact: You’re confusing the national-security clearance ratings with the non-national-security ratings. Security-in-confidence, department-in-confidence, cabinet-in-confidence and so on, you’ll find those on internet connected terminals.

Fact: Restricted is a national security rating. In some, not all department this can be found on machines connected to the Internet, Defence being a prime example of where it IS allowed. Indeed the rules even allow restricted to be sent over the Internet legally but it is still a national security rating.

creative_canberran said :

Best check you’re facts.

Best check your spelling.

creative_canberran said :

Fact: All access through public service computers to the internet is through Government DNS servers, owned by the government and operated under contract; which control traffic, log on and privileges. Same for ACT Government computers. They’re all on their own intranet which then has a facility to go through to the internet.

You’re obviously not an IT guy or you wouldn’t be confusing DNS servers with a Secure Gateway Service. Also, they’re not all operated by outside providers under contract. Some are run in-house.

creative_canberran said :

Fact: Only the log in screen for most webmail services is encrypted. If you log in to Hotmail right now, you’ll see the HTTPS replaced with HTTP once you log in. Further, the actual email once sent wouldn’t be encrypted anyway unless you manually assigned a Digital Certificate to it. Meaning it leaves a record of it on every server before it reaches a destination. A typical email will exist for a time on 7 different servers.

Fact: No, I won’t see HTTP because Hotmail has offered everyone HTTPS-only connections for several months now. Gmail much longer. They’re not the only two webmail providers doing it, and they handle the majority of webmail users, so your statistics are either off or misleading.

If SSL is used, whether the email itself is encrypted is irrelevant as the governernment department (and their gateway provider) are unable to see inside the HTTPS connection. Sure, add PGP or whatever if you’re paranoid.

creative_canberran said :

Fact: a web proxy server is simply a way to route your connection to a website through an intermediary server that masks your IP address from the visited website’s server. It doesn’t prevent your ISP (which on a government computer is the government) from seeing that you visited that proxy. And given operating systems by default transmit little details like the MAC address of a computer and even the O.S. serial number, it’s by no means a complete way to be annon online.

Fact: A proxy doesn’t have to mask an address – it can work transparently. But, you feel free to keep trying to explain stuff to me that I’m way ahead of you on.

I never said it stopped anyone from seeing you visit a website via the proxy – simply that the use of a proxy (or any other network device) cannot allow a third party to looking inside the encrypted HTTPS session, thus removing any conclusive proof that a user sent particular data.

creative_canberran said :

Fact: You’re confusing the national-security clearance ratings with the non-national-security ratings. Security-in-confidence, department-in-confidence, cabinet-in-confidence and so on, you’ll find those on internet connected terminals.

Once you get into C, S, TS and materials beyond TS (yes, there’s stuff beyond TS which one lecturer indicated requires special, limited access rooms) for people with TS-PV rated staff, the measures are different.

I can’t decide – are you confused, or agreeing with me?

Also, you didn’t mention Restricted – at which, funnily enough, there exists Internet connected networks.

A read of the ISM would fill out your simplified view of the physical and logical requirements of the various security levels.

LSWCHP said :

creative_canberran said :

Once you get into C, S, TS and materials beyond TS (yes, there’s stuff beyond TS which one lecturer indicated requires special, limited access rooms) for people with TS-PV rated staff, the measures are different.

That would be AUSTEO material and a SCIF (http://en.wikipedia.org/wiki/Sensitive_Compartmented_Information_Facility)

Indeed, the measures are different.

You would right about SCIF, or whatever they call it in Australia. I don’t know specifics.

AUSTEO on the other hand and the other “eyes” labels on documents can be a very high rating, but curiously, it can be used on documents of lower classifications. Like this DFAT document to then foreign Minister Downer which was marked AUSTEO but only classified as SECRET. http://www.ag.gov.au/www/inquiry/offi.nsf/indexes/images/DFT.0007.0220.pdf

(Don’t worry, JB, this document won’t turn you into the next Jullian Assange. It’s evidence from the Attorney General’s Dept. inquiry into AWB made public on their website.)

Indeed AUSTEO materials are even shared on occasion: http://www.abc.net.au/7.30/stories/s219320.htm

And it’s a little known fact in the foreign affairs community that at times, when discussions or info needs communicating between countries… sometimes it’s not diplomats sent to do it, given those in the intelligence community tend to be better at talking with one another than actual diplomats.

And while I’m dredging up academic trivia on Australia’s intelligence community. Here’s a great one: The original document establishing DSD, it’s role and charter essentially, has only ever been viewed by a handful of people. Most of the time, the minister for that portfolio will never see it, nor the AG. Makes you wonder just how much autonomy they have?

creative_canberran said :

Once you get into C, S, TS and materials beyond TS (yes, there’s stuff beyond TS which one lecturer indicated requires special, limited access rooms) for people with TS-PV rated staff, the measures are different.

That would be AUSTEO material and a SCIF (http://en.wikipedia.org/wiki/Sensitive_Compartmented_Information_Facility)

Indeed, the measures are different.

vg said :

“If documents are classified, they’re on a separate system that doesn’t have internet.”

Rubbish

Agreed. The ISM even describes the measures needed in order to allow this to happen.

“If documents are classified, they’re on a separate system that doesn’t have internet.”

Rubbish

I think it may depend on the job you’re doing, the network you’re on and if you have access to any classified material.

The last two government projects I’ve worked on have been ‘open source’ and with a corresponding agency in another country. Day 1 tasks for new starters include ‘get a google account’, because all the project material is on google code and google docs.

So for codecutters on a dev network without access to secrets of the realm, the risk of inappropriate disclosure are nil. And obviously that’s been accepted by someone.

Grrrr said :

creative_canberran said :

Conversely, with the resources DSD would have, one has to wonder why they wouldn’t want webmail on computers given the opportunity it would provide to identify leakers. Put digital watermarks in sensitive documents, track the traffic through the departmental servers and surely they could turn it into a counter-leaking system.

No – webmail means the documents don’t go through the department’s servers. Unless perhaps you count a web proxy server – and even then, webmail is encryped (HTTPS) so the administrators wouldn’t be able to see what was sent. I know the headline is rhetorical – perhaps even facetious – but there’s a million ways to leak, and no way to stop a determined leaker.

Some people here don’t seem to understand Classification of documents. More or less every document is classified – at one of a number of levels. A network classified at Security-In-Confidence (and containing documents at that level) may well be allowed access the Internet. Perhaps as a matter of policy webmail is not allowed in some departments, but it is impossible to block every webmail site on the Internet without using whitelisting.

Best check you’re facts.

Fact: All access through public service computers to the internet is through Government DNS servers, owned by the government and operated under contract; which control traffic, log on and privileges. Same for ACT Government computers. They’re all on their own intranet which then has a facility to go through to the internet.

Fact: Only the log in screen for most webmail services is encrypted. If you log in to Hotmail right now, you’ll see the HTTPS replaced with HTTP once you log in. Further, the actual email once sent wouldn’t be encrypted anyway unless you manually assigned a Digital Certificate to it. Meaning it leaves a record of it on every server before it reaches a destination. A typical email will exist for a time on 7 different servers.

Fact: a web proxy server is simply a way to route your connection to a website through an intermediary server that masks your IP address from the visited website’s server. It doesn’t prevent your ISP (which on a government computer is the government) from seeing that you visited that proxy. And given operating systems by default transmit little details like the MAC address of a computer and even the O.S. serial number, it’s by no means a complete way to be annon online.

Fact: You’re confusing the national-security clearance ratings with the non-national-security ratings. Security-in-confidence, department-in-confidence, cabinet-in-confidence and so on, you’ll find those on internet connected terminals.

Once you get into C, S, TS and materials beyond TS (yes, there’s stuff beyond TS which one lecturer indicated requires special, limited access rooms) for people with TS-PV rated staff, the measures are different.