
This is unbelievable

I am flabbergasted.

As I mentioned in a previous journal entry or two, I am in the process of filling out a background check for the re-upping of my "Secret" DoD clearance. This is a periodic and normal thing.

I downloaded the software from their web site (which had strong encryption export control warnings all over it), and filled out all the questions. At the end, it spits out a .zdb file.

Here's the part that astounds me: they tell me to e-mail this file to them.
They claim that this file is encrypted and it's safe to e-mail (I even spoke to two different people on the phone who claimed that the .zdb file is encrypted). However, there are some major flaws with this claim:

  • The very same web site that allowed me to download the "user" version of the software also had the "security manager" version of the software. This version decrypts .zdb files. So just anyone in the world can download the decrypting software and compromise my .zdb file.

  • I copied my .zdb file to my Linux box and ran "file" on it. It said that it was a ZIP file. No way... Yes way. I extracted all the files in it and was horrified to see my social security number in plain text in multiple files. Some parts of the files actually did appear to be encrypted, but if just anyone can download the security manager version of the software, what does that matter?

The best part of this is the two agencies who are running this show. Their names are: "Defense Security Service" and "Security and Counterintelligence Management Office". You would think that with names like this, they would have a clue about data security.

And they wonder why people are talking about a digital Pearl Harbor...
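
The check described in the post (identify the real container type, then look inside for identifiers stored in the clear) can be scripted and run before a file is e-mailed. This is an added example, not part of the original post; the member names, the sample contents and the fake SSN are constructed, and the real .zdb layout is not known from the page.

```python
import io
import re
import zipfile

# SSN-shaped strings: 3-2-4 digits with dashes or spaces, or nine bare digits.
SSN_RE = re.compile(rb"(?<!\d)(\d{3}[- ]\d{2}[- ]\d{4}|\d{9})(?!\d)")


def audit_export(data: bytes) -> dict:
    """Report whether `data` is a ZIP and which members expose SSN-like text."""
    report = {"is_zip": False, "members": {}}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):  # same question `file` answers from magic bytes
        return report
    report["is_zip"] = True
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            # Bit 0 of the general-purpose flags marks ZIP-level encryption.
            # Encryption applied by the application inside a member is not
            # visible here; such a member simply shows no readable text.
            if info.flag_bits & 0x1:
                report["members"][info.filename] = "zip-encrypted"
                continue
            hits = len(SSN_RE.findall(zf.read(info)))
            report["members"][info.filename] = (
                f"plaintext, {hits} SSN-like value(s)" if hits else "no SSN-like text"
            )
    return report


def build_sample() -> bytes:
    """Constructed sample: a ZIP container standing in for a .zdb export."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake SSN (area number 000 is never issued).
        zf.writestr("applicant.txt", "Name: Jane Doe\nSSN: 000-12-3456\n")
        # Opaque bytes standing in for a part that looks encrypted.
        zf.writestr("history.dat", bytes([0x8F, 0x02, 0xEE] * 50))
    return out.getvalue()


if __name__ == "__main__":
    result = audit_export(build_sample())
    print("ZIP container:", result["is_zip"])
    for name, status in result["members"].items():
        print(f"  {name}: {status}")
```

A member reported as "no SSN-like text" is not thereby shown to be safely encrypted; it only means nothing matched in the clear.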

Comments (1)

terhas:

How do I copy a .zdb file to a Linux box and run "file" on it?
I am essentially trying to print a .zdb file and don't know how to do it.
Thanks


About

This page contains a single entry from the blog posted on April 5, 2001 1:05 AM.
