> It is not entirely clear why or how this information became publicly searchable. Quizlet’s website states that all flashcards are set to public visibility by default — users can then change privacy if they choose.
Just a sign of how deeply flawed the base of our thinking about information is these days. Everything is public by default, in part because the warped Google/Facebook worldview has been drilled into us by the likes of Schmidt and Zuckerberg.
Although I've never really used it, I always conceptually preferred the Twitter everything-is-public model over the Facebook faux-privacy model. For two reasons:
1. It's more honest. With Facebook, you are given the illusion of sharing information only with your friends, but it's actually ...with your friends, and Facebook, and anyone Facebook chooses to share it with. Cambridge Analytica being the highest profile example. When you tweet, the expectation is that whatever you said is now On The Internet, a matter of permanent record.
2. It opposes the network effect. Twitter doesn't force me to create an account in order to view a tweet. Or, from the other perspective, if I post on Twitter, I'm not requiring anyone who wants to read my stuff to sign up as well. It's closer to a microblogging platform.
The only use-case I've found for which the public newsfeed feature is, in fact, a feature, is gambling pools where not everyone necessarily knows everyone else well enough to have contact info. Keeps the ledger viewable by everyone, keeps everyone honest (they just have to be careful not to mention that it's for gambling, in the memo).
Seeing it used that way was a real "a ha!" moment. I'd love to know what Venmo's activity looks like around the time that people are putting together or paying out office sports brackets and such.
Which is why I always make a junk message of the payment description. "artisinal rat sausage", "home run Derby entry fee", "sausage gravy slurpee", etc
I don't think anyone is looking over $35 venmo payments and denying your mortgage application because you sent someone a payment for "vegan beard & motor oil"
That depends on their mood, really. It's why one of the commonly given pieces of advice for people planning a mortgage is to stop with stupid transfer titles. Also, the bank has plenty of options to make you miserable, other than outright denying you a loan. They can make it take longer, or give you worse options than you'd get otherwise.
In your first transaction, you just set it to private so only you and the recipient (and Venmo and whatever gov't agency) can see the memo line. The amount is always private. The setting sticks after that so you don't ever need to change it again.
No fucking clue. Some people like to leave jokey memo lines but I'm glad none of my friends have done something like that outside of the "friends only" option. I just say what it's for or give it a generic name like "money" or "here you go".
Every time I log in, I'm in awe that people do not care about these transactions being public. I see people admitting to drug deals, potential cheating, etc. on a regular basis.
Shouldn't we just assume that anything we upload to the cloud could be made public? Either through a hack, an employee, a misconfiguration, etc. If something is sensitive enough that you don't want it public it probably shouldn't be in the cloud, period. Regardless of what the default visibility is.
e: On second thought there probably are exceptions - I'm not worried that something backed up to Backblaze will be leaked, for example. But a random flash card app? I'd assume that info is public. Maybe I'm just paranoid.
I am no security professional, but from what I have read, probably.
This is why it's important for things like password managers, personal documents, etc. to be encrypted client side if backed up or hosted somewhere on another machine that isn't yours.
A good line that I've seen people use on this forum: "the cloud is just somebody else's computer".
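The client-side encryption the comment above recommends, as an added illustration that is not code from the thread or from any product mentioned here: the device seals the backup with AES-256-GCM under a key that never leaves it, so the hosting provider (or anyone who later obtains the blob through a breach, an insider, or a misconfiguration) holds only ciphertext. The function names, the 32-byte key argument, and the "label" used as authenticated-but-unencrypted metadata are assumptions for this example; a real deployment would derive the key from a passphrase with a proper KDF rather than supplying raw bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptLocally seals plaintext under a 32-byte key that stays on the user's
// device. A fresh random nonce is prefixed to the ciphertext so the blob is
// self-describing; the storage provider only ever sees this blob.
// label (e.g. the backup filename) is authenticated but not encrypted, so the
// provider cannot swap it for another file's label without detection.
func EncryptLocally(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// DecryptLocally reverses EncryptLocally. Any modification of the blob or of
// the label makes the GCM tag check fail and returns an error instead of data.
func DecryptLocally(key, blob, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:ns], blob[ns:]
	return aead.Open(nil, nonce, ct, label)
}

// newAEAD builds AES-256-GCM; the key length check is the only "policy" here.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo key; in practice derive it from a passphrase with a KDF.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := EncryptLocally(key, []byte("password vault contents"), []byte("vault.db"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded blob is %d bytes of ciphertext\n", len(blob))
	pt, err := DecryptLocally(key, blob, []byte("vault.db"))
	fmt.Printf("restored on device: %q (err=%v)\n", pt, err)
}
```

The point the example makes beyond the comment: authenticated encryption also detects a provider (or attacker) tampering with the stored blob, not just reading it, and binding a label lets the client notice a backup that has been swapped for another one.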
[Dr Jeffrey Lewis] added that “secrecy about US nuclear weapons deployments in Europe does not exist to protect the weapons from terrorists, but only to protect politicians and military leaders from having to answer tough questions about whether NATO’s nuclear-sharing arrangements still make sense today. This is yet one more warning that these weapons are not secure.”
*[Hans Kristenssen, director of the Nuclear Information Project at the Federation of American Scientists] added: “There are so many fingerprints that give away where the nuclear weapons are that it serves no military or safety purpose to try to keep it secret. Safety is accomplished by effective security, not secrecy. Granted, there may be specific operational and security details that need to be kept secret, but the presence of nuclear weapons does not. The real purpose of secrecy is to avoid a contentious public debate in countries where nuclear weapons are not popular.”
>Safety is accomplished by effective security, not secrecy.
This seems to depend on your threat model. Two threat models were explicitly mentioned here - terrorists, and contentious public debate.
But it seems a third threat model, and the most important one given that nukes are anti-nation-state weapons, is to prevent nation state adversaries from knowing with certainty the location of those nukes. In which case, secrecy is still a necessary component of nuclear safety, or more specifically, deterrent effectiveness.
I'd imagine it's more of a defense in depth approach. Why do your adversary's work for them? Unsophisticated adversaries (ie. random anti-nuclear agitators) might be dissuaded entirely due to the lack of information, and even sophisticated adversaries would have to take time and effort to verify those fingerprints and make sure they have the right spot. Unless there's a compelling reason to make the information public, I don't see why they would.
And let's hope it stays that way, because it's the one thing that's keeping the world from going up in flames.
If I were the supreme commander of a nuclear power, I wouldn't even want to know where the enemy subs are. I'd make sure the military isn't trying too hard to find them. That's because A in MAD stands for "assured". Nuke-carrying submarines are often billed as first-strike weapons, but arguably their main role is being a backup - an assurance that, no matter how effective your first strike is, you are going to be glassed in retaliation. So, your submarines check the enemy, enemy submarines check you, and the standoff continues.
If you can credibly threaten to detect enemy nuclear-armed submarines, then the enemy has a strong incentive to launch a first strike immediately, before you've completely neutered their subs.
I have long noticed that Quizlet is a repository for a lot of information that shouldn't be online... from test answers to proprietary line-of-business stuff (ex. retail training materials) to security related stuff (security trainings, emergency response codes). But I would have thought the military would be smart enough not to use it (at all--private or public, it is not in any way designed to handle classified or FOUO data).
I doubt these were official DoD flashcard decks. They were probably created individually by different soldiers/airmen to help them study for some test they had to take.
Yeah, I understand that. But I mean as members of the military who are trained and indoctrinated into OPSEC and information handling practices, I would expect them to have made a better decision.
Sites like Quizlet get used routinely to cheat on mandatory military training. Copying/pasting the exact text of a test question into a Google search usually turns up quite a few hits of the answers.
I'm only familiar with this being used for really mundane training, so OPSEC and FOUO[1] info being posted is surprising.
[1]: For Official Use Only, which was recently changed to CUI (Controlled Unclassified Information).
It seems like a lot of them contain largely public info from unclassified manuals, but also have a few base-specific things thrown in that cause the problem.
For example [1] is basically a standard police academy study guide, but it also has the names of which armored car services are allowed entry to post, which parking lots are used for storage of nuclear materials during Safe Haven event, [2] has real world and exercise countersigns mixed in with non-sensitive form names and acronyms. Another one had a list of duress words (all named after spices), though it says these are changed every six months. A lot of stuff you could guess easily but still identifies weaknesses (ex. school buses can get on base with a district badge, which is nowhere near as hard to copy as a CAC). [3] has the location of a SCIF. Some other ones had room numbers of buildings containing information networking infrastructure (no public map, but googling the building number returned a picture of the facility from the architect's site).
I'm not military, so I'm curious how big of a deal this is relatively? Like is this stuff that a credible attacker could easily find out anyway or is it actually a major weakness?
Still a lot of these in Google cache...
Passwords etc. can be changed, but the protocols and the information about readiness.. oh boy... absolutely classified. Somewhere in Europe there's a number of junior officers having a very bad day.
Your link says that the AF does not have an app for this but could because they have a similar one for "aircrew MQF study."
Sounds like a post promoting the idea of having a more general purpose but secure app using the stuff they already built within the AF, rather than saying it is already widely available.
But they're probably terrible. Kind of like how at many places they'll tell you "don't use 1password, use cyberark" - leaving out the fact that what takes 0.25 seconds to do in 1password takes over a minute in cyberark.
This is crazy. How are intelligence agencies, with the amount of money and free rein they have, not monitoring the whole Internet for this kind of stuff?
Because even within intelligence agencies, knowledge is strictly controlled.
To monitor actively, you have to ask for related content. Asking about related content in a context where you have something to keep secret is an implicit acknowledgement there is something there.
It's a trick I've seen used in intelligence gathering contexts quite often. You get close to a researcher and technical expert on classified matters, then ask questions and gauge responses.
Sometimes you don't need an answer, you just need to know you're asking the right questions.
Knowledge of this practice and regular experience doing it will not make you many friends in either the intel or counter-intel dept.
t. Apparently a professional insider threat given all the DoD documentation that describes how I fix places by actually communicating with people and ensuring effective information dissemination through an organization.
Makes interviews awkward. All the periodicals in the waiting room basically explain what I do better than I can.
Many family members have been pressuring me to steer my IT/InfoSec career towards obtaining a security clearance because it is a big salary and job security booster. While I know many US Gov employees have these and do not have to work day-to-day in/on controlled security stuff, they must have had to do it for one point during their career, and I fear that I could not last through such an ordeal. The concept of not being able to collaborate with coworkers due to arbitrary security rules sounds like a disaster.
Aside from the whole grossness of working for the military-industrial complex, there is another issue for those of us who care about rigor: the whole system of clearances in the US relies heavily on the inaccurate and pseudoscientific polygraph test, which does not test or prove any measurable thing.
The interpretations of this pseudoscience can have devastating effects on your career, and not being based on facts or anything truly measurable, you have effectively zero recourse against such destruction, whether willful or otherwise, because it's elevated to the status of "evidence", simply because "the machine said it!"
What's worse is that the failings of this pseudoscientific nonsense are well known to the USG, and yet this continues for decades to be central to the system of ostensible "trust" in those who keep government secrets. It's abusive. (Imagine if your government health insurance only covered crystal healers.)
If you are already a civil servant without a clearance, getting a clearance decreases job security. It effectively nullifies your civil service protections, and allows you to be fired at will on a security pretext, with absolutely zero recourse. I worked at a navy lab for 21 years and saw this happen to colleagues who displeased their bosses.
It would be easy to crawl for this stuff imo. The technical language used for this stuff is finite and limited. Just grep the internet for phrases from their training materials, and I bet you can catch all of this.
> This is crazy. How are intelligence agencies, with the amount of money and free rein they have, not monitoring the whole Internet for this kind of stuff?
How do you know they aren't? They're probably focused on adversary nations, though.
> Some flashcards uncovered during the course of this investigation had been publicly visible online as far back as 2013. Other sets detailed processes that were being learned by users until at least April 2021. It is not known whether secret phrases, protocols or other security practices have been altered since then.
This speaks to a wider trend where tons of local software, especially mobile, is now assuming always-on network and syncing, transmitting data, demanding account creation/PII, and spying on your usage and memory contents (uploading crash dumps, system information, et c).
Very little software these days simply just runs locally and does the thing it's supposed to do on your own device without transmitting your private information to a datacenter (usually owned by a giant US corporation). This is a problem for all of society (especially those companies and users outside of the US), not just runners on secret bases or students in missile sites.
This is actually hilarious, alongside shocking and scary. But the hilarious part is the cool info you can get by launching benign apps. Hey our flashcard app got popular check out these nuclear weapons secrets people posted on it!
When I was dabbling in apps and mobile apps, I encountered several unintended benefits of the data I collected which had nothing to do with my original purpose or vision. This reminds me of that.
Once had a conversation with a soldier who handled IT on base. He told me that officers could and did demand that he bypass security, VPNs, etc and install software of their choice to use it on their computers. They outrank him, and "that's against policy" was not an argument. This was maybe ten years ago. Sounds like things have only got worse.
As an engineer, I got some training by legal, followed up by a high level exec explaining to us that in this context, we report only to legal and are required to say "no" to engineering leadership when something would go against legal's policies.
Also I think the military has something similar with medical officers.
> Two flashcards from the same set contain the squadron name “701 MUNSS”, and a phrase to make someone surrender weapons in Flemish, revealing that the security details in it apply to Kleine Brogel air base, Belgium.
The phrase is "Halt politie, leg uw wapens neer! Handen op."
There is no part of this sentence that would be unique to Flanders. In fact, "Handen op" is something I would expect to hear from Dutch people and never from Belgians; in Belgium it would be "Handen omhoog", but both ways the sentence is correct and would be perfectly understood in both countries.
I'd also expect that the small inconsequential and intricate differences between the way Dutch is spoken in Belgium compared to the Netherlands are not taken into account in this context - they probably use the same for both countries, which would make sense considering it's already difficult enough. I think Bellingcat is emBellishing.
Do soldiers get regular training in IT security? I assume there’s more rigorous security training for those who handle more sensitive information.
Were soldiers sharing flash cards or were they unknowingly posted online? The selling point for some flash card apps is lots of preexisting cards to study with and presumably app users are the ones creating them. That should hint that they’re stored online.
It would be great if app stores noted network access requirements. Does an app operate standalone? Is Internet access required just for ads or also for functionality? Where is app data stored? On your phone, in personal cloud storage, in a shared storage service just for users of this app or shared to the general public?
While Apple’s app store mentions none of this, there is a link to the privacy policy for each app. I’m not familiar with Google’s app store.
I wish browser extension repositories also provided network access requirements for each add-on.
I wonder if schools still teach kids that they can make flashcards with a marker and some cardstock, without using any software at all. Or have schools all gone 'paperless' with ipads and chromebooks?
The reason people like flashcard apps is not simply because they don't want to write with pen and paper, it is 1) they like spaced-repetition algorithms and 2) if you have a set consisting of many hundreds of cards (common in language learning) it is much more convenient to carry one phone around than that pocket-bursting stack of cardstock.
The act of writing the cards is part of the learning process. Every time I make a stack, I end up knowing half of it before I even start 'using' it. With software cards, this doesn't work so well. And you can always put the stack into your purse or backpack if your pockets are small. I'm sure soldiers have somewhere they can put a stack of cards.
Again, you don’t understand the value some people find in spaced-repetition algorithms. For example, in language-learning decks involving hundreds of cards, writing the cards may lead you to remember the word on a short-term basis, but you are likely to soon forget it. A flashcard app using spaced repetition will ensure that you see that card at the right intervals so that you can retain it until you definitively internalize the word from seeing it used in context in texts.
Understanding an argument and agreeing with it are not the same thing. I understand the premise and argument for spaced-repetition algorithms, but I do not agree that these algorithms provide a meaningful advantage over paper cards when you consider that paper cards must be written. The act of handwriting cards is an advantage paper cards have over software cards, which I believe more than offsets any algorithmic advantage the software cards have.
i use electronic SRS flashcard stuff, and i hand write the material onto scrap paper when i first encounter it. i don't have to worry about keeping it neat/legible, i still get the physical connection, and it doesn't take up any space after i've written it.
I'm as suspicious of USA military as any other thinking human, but let's consider TFA's source. "bellingcat" is a CIA-sponsored limited-hangout sock puppet, run by video-game enthusiasts, and that's all it has ever been. There is no reason to assume that any particular point in TFA, or TFA taken as a whole, is particularly true.
If you don't have clearance, you could verify this yourself. The info is still in search engine caches. If you do have clearance, then don't go about searching for classified info.
Occasionally salting in some verifiable bits is the "limited hangout" part. As TFA concedes, everyone who cared knew where these were already. Perhaps such people had mistakenly assumed that security was effective. At this time, there's no telling why the choice was made to disabuse the public of that notion, but that choice was not made within the bellingcat organization.
They are very open about being funded by CIA cutouts like the National Endowment for Democracy [1]. If you're not familiar with the NED then you should read William Blum's description of them [2]. Radio War Nerd recently did an excellent two part series on the NED and spent a good amount of time talking about Bellingcat, too. [3]
And as to them being a "limited hangout sock puppet" you're of course not going to find any source on this - because it's not known for certain - but in my opinion they are most likely something akin to that. They frequently get leaked information from US/UK intelligence organizations and they launder stories for CIA/MI6. They might not know they are a limited hangout sock puppet for western intelligence but they certainly function as such. A good example is their actions around the OPCW leaks and claims of chemical weapons in Douma, Syria [4]. A lot of these stories unfold on Twitter so you'll have to search around.
You can also search on HN - there's comments from many years past calling out Bellingcat as a front for western intelligence.
Huh, is that "Radio War Nerd" aka War Nerd aka Gary Brecher aka John Carroll Dolan? I used to read his stuff all the time in the early aughties. It seemed like he was the one other person in the world who liked explosions and wasn't also taking crazy pills (i.e., literally the rest of the media corps).
Dolan came up with Matt Taibbi and Mark Ames in the eXile ( Moscow in the 1990s! Wow!) then did his own thing. Ames wrote `В Россию с любовью` sometime in the aughts. Taibbi we all know.
They're all still best buddies; who knows what kind of crazy stuff they got up to in 90s Moscow. Funny stuff.
With USA military and unsupervised services, the primary goal is spending money. They DGAF about security of nuclear weapons in Europe. Those in charge don't even take any particular pride in their supposed "mission". This story could be helpful if someone in Congress were balking at a costly new IT project. Or it could be something else. From some sources, the signal-to-noise ratio is infinitesimal.