As many of you may already know, the classified hard drives that were missing at Los Alamos have been recovered from behind a copier machine. The news article I read included this:
Can this be done?
If you access data on a hard drive, but don’t modify anything, can it be reliably determined from examination of the drive whether or not something has been copied to another medium?
I can easily envision some arrangement that can tell you whether or not a file has been accessed; but how does one determine whether or not it has been copied from examination of the drive?
Or does the statement in the article reveal the investigating agency’s inclination to assume that, if something was accessed, then it was probably copied?
I think he meant that if the files were accessed, they would be forced to assume that it was read by somebody and written down or the files were copied to another drive.
Anyway, how do you find out if the files were accessed? I thought no bits are written to the drive if you mount the drive as read-only. Do they use additional circuits to record when the drive was turned on or something?
There’s a lot of geekdom out there that I can’t address. Thoughts are:
I have applications that will modify the date on a file if it is opened, whether or not any changes are made. And some applications must be opened to access certain types of files, and they have initialization or configuration files that are modified automatically.
So, I can see how one might monitor access to a file.
But if one just flat copied the disk, I can’t easily imagine how the disk would reflect that. I’ve got to, for the moment, until a doper in the know shows up, imagine that they just assume that, if they can know it’s been accessed, it was likely copied.
Of course, we don’t know what OS or media they might be using.
-If you access data on a hard drive, but don’t modify anything, can it be reliably determined from examination of the drive whether or not something has been copied to another medium?
No.
-I can easily envision some arrangement that can tell you whether or not a file has been accessed; but how does one determine whether or not it has been copied from examination of the drive?
Can’t, unless the person copying was an idiot and used the copied drive as a boot drive and let new boot log files be written to the drive.
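The question a few posts up (how do you find out whether files were accessed at all, given that a read-only mount writes nothing) and the answer just above (a copy leaves no trace unless the copier wrote to the drive) both come down to the three timestamps a Unix-style filesystem keeps per file: access, modification and inode-change time. The following Python script is an added example, not code from the thread or from anyone posting in it. It takes a snapshot of every file's timestamps under a directory, takes a second snapshot later, and classifies each file as read, modified, new, deleted, or showing no trace. The `Stamp`, `snapshot` and `classify` names are this example's own; it assumes a filesystem mounted with access-time updates enabled.

```python
"""Classify file access from timestamp snapshots (added example, not from the thread)."""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Stamp:
    """The three per-file timestamps reported by stat()."""
    atime: float  # last read of the contents (only if the mount updates atime)
    mtime: float  # last write to the contents
    ctime: float  # last change to the inode (permissions, owner, size, ...)


def snapshot(root):
    """Record a Stamp for every regular file below root, keyed by relative path."""
    stamps = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            stamps[os.path.relpath(path, root)] = Stamp(st.st_atime, st.st_mtime, st.st_ctime)
    return stamps


def classify(before, after):
    """Compare two snapshots and return {relative path: verdict}.

    A later mtime or ctime means the file was written or its metadata changed.
    A later atime with unchanged mtime/ctime means the contents were read.
    Identical stamps mean the filesystem recorded nothing: the file may still
    have been read through a noatime or read-only mount, or the whole device
    may have been imaged below the filesystem, and nothing here would show it.
    """
    verdicts = {}
    for path, new in after.items():
        old = before.get(path)
        if old is None:
            verdicts[path] = "new"
        elif new.mtime > old.mtime or new.ctime > old.ctime:
            verdicts[path] = "modified"
        elif new.atime > old.atime:
            verdicts[path] = "read"
        else:
            verdicts[path] = "no trace"
    for path in before:
        if path not in after:
            verdicts[path] = "deleted"
    return verdicts


def demo():
    """Create a constructed sample file, read it, and report what the stamps say."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "design-notes.txt")
        with open(sample, "w") as fh:
            fh.write("constructed sample content\n")
        before = snapshot(root)
        with open(sample) as fh:  # a plain read, no write
            fh.read()
        after = snapshot(root)
        verdicts = classify(before, after)
        for path, verdict in sorted(verdicts.items()):
            # On a relatime/strictatime mount this prints "read"; on noatime it
            # prints "no trace", which is the whole point of the discussion.
            print(f"{path}: {verdict}")
        return verdicts


if __name__ == "__main__":
    demo()
```

Run it twice, once on a normally mounted directory and once on a tmpfs or volume mounted with `noatime`, and the same read produces a different verdict. Two further limitations matter for an investigation: the first snapshot has to exist before the suspected access (the lab's baseline, if it had one), and timestamps are ordinary metadata that any process with write access can alter, so an unchanged stamp is evidence of nothing, while a changed stamp only proves that somebody opened the file, not that they copied it anywhere.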
A couple points: Why are we assuming they are using off-the-shelf IDE or SCSI pc drives? Maybe the drives they use for top-secret storage have some type of proprietary protection.
Was there not also low-tech protection at the site such as surveillance cameras? Obviously my bank cannot have better security than Los Alamos (I hope). So, what were the closed circuit cameras doing at the time that the drives went missing?
His point was that all the discussion so far only applies to standard, off-the-shelf hard drives, like the IDE and SCSI drives used in most PCs and workstations. For those standard hard drives, it is quite possible to read them without leaving a trace, regardless of the OS used. However, Los Alamos may be using hard drives with special hardware for monitoring usage. In this case, all bets are off.
The security was probably busy fighting the wildfires that were burning down half of Los Alamos at the time. Someone took advantage of all of the chaos to get in there and steal the disks. As for exactly how it was done, the feds don’t like to talk about stuff like that. It’ll probably be years before we know exactly what happened.
Also, the drives may not have been lying around loose. If they were in a reasonably secured box, they could tell if it had been [forced] open.
We don’t know the security level of the files. At some point, they switch to hardware-based security which could let them monitor drive access. If this was the case, then the FBI’s role in “determining if they were copied” would be just to witness, and document for the later trial, as the lab’s security people check the disk’s security device.
The really amazing thing is that (according to published reports) this info was engineering data on how to arm and disarm a large variety of (and not just American) nuclear weapons, and that these drives were in a bag inside an area where apparently the people were on some sort of an honor system to log in and log out if materials were removed.
If this is true, some heads should roll. I also agree with previous posters re asking where the cameras were. You can buy single B&W camera surveillance systems for $300 at Staples, for God’s sake, and more serious multi-camera recorded setups for (I’ll WAG 50K-150K) for a medium-small secured area like that. Chump change considering the sensitivity of the info.
Just a hunch: Richardson will not be one of the front runners anymore for Gore’s designated VP slot.
I used to work behind the fence at Los Alamos and I’ve seen the vault’s entrance. It wasn’t my area, but my understanding was that, in order to enter the vault, you needed the keypad combination, plus you had to call the guard station and give the password, changed daily. Getting either incorrect would result in the Lab’s mobile SWAT team paying a visit within moments. The idea that any outsider could just saunter in and nab the drives is ludicrous.
As for “why didn’t the cameras pick up anything”: there were no cameras at LANL that I recall, at least in the secured areas. Say someone’s walking while reading a document and the camera picks it up. Now, you have a tape that must be treated as “top secret”, just like the document itself. And, in a facility where everything is on a need-to-know basis, you don’t want to have to supply guards with top clearance levels just so they can review the tapes.
Remember, this is the “government secret” mentality. If you Xerox a secret document, you must then run off three blank pages so that no trace of the original remains.
I’d just like to note that I got a big laugh out of the national news while the fires were burning; they always called it, “Los Alamos Nuclear Weapons Lab”. As if the whole place is just one big bomb factory. Wonder what they’d call Sandia…
Wow, actual first-hand knowledge of a nuke lab on the SDMB!
So, Max, do you think it was an inside job? From what I’ve heard on the news, it certainly doesn’t sound like some kind of innocent mistake. I hope the feds have been checking the one-way flights to Russia and China.
I worked in C-division, later renamed CIC-division. Specifically, CIC-4. I started out doing telecom and network installations and support, then got transferred to another supervisor who had me write a program to periodically test the internet gateway and make sure it was working. Just student stuff, really, although I did get a Q-clearance. Still, I wasn’t made privy to any big juicy secrets.
[[The security was probably busy fighting the wildfires that were burning down half of Los Alamos at the time. Someone took advantage of all of the chaos to get in there and steal the disks. As for exactly how it was done, the feds don’t like to talk about stuff like that. It’ll probably be years before we know exactly what happened.]]
The latest thinking is that these hard drives were not stolen or used for espionage. If someone had had such motives, they would have stolen other things (and apparently these two drives were identical, if I’m not mistaken). Most likely some geeky LA guy just had ’em offsite to do some work, then quietly returned them when a fuss was made. Exactly the kind of thing I did in the fifth grade. - Jill