1. 23
    Classified tag meta

So I have run across a few posts that get linked that contain classified materials. For people with security clearances, it can actually become a job hazard to run across classified data even if it is known to be public. I’d like to see a classified tag similar to /r/netsec’s “warning: classified”. Thoughts?

  2. 16

    A couple of quirks affect the reality of such situations:

    Non-experts and unqualified individuals have little or no sensitivity to security classification, and might not themselves include the tag proactively.

    Classification varies by jurisdiction. What’s classified to one individual might not be for the rest of the world. Does one jurisdiction matter more than another? What of jurisdictions where classification is a de facto reality for all citizens, regardless of occupation?

    If you’ve already clicked an unmarked link, the damage is done for you, and your warnings may be ignored while a tag remains absent. How much damage do others suffer, due to these kinds of incidents? If many viewers suffer in aggregate, is there a saturation point, after which the tag is well understood, and special markings become irrelevant?

    Who should possess authority to tag links, ex post facto?

    How are such authorities established? Who qualifies them?

    Why is an authority aware of said classification, but unaffected by attempts to verify actual claims, when marking another submitter’s post?

    Does such a marking enable harassment, either internal or external to this website? How would we know?

    Finally, and most importantly, the Object Oriented Programming community takes classification very seriously, and claims a broad, vocal constituency within this community. This may open the tag to lengthy debates, regarding encapsulation, inheritance and polymorphism. Tread carefully in this territory.

    1. 1

      Your point about jurisdiction is interesting and valid. Classified by who? I think there’s an inherent bias on the part of the poster and many readers (myself included) that the context is “America” but that should not be implied.

      As to the OO meaning of the word, I mean, we’re all adults here, right? :) If we say “This usage of the word ‘classified’ means deemed sensitive by a government” that’s a reasonable thing to agree on, no?

      1. 1

        There was for me. I immediately looked at it from US angle. Modifying solution elsewhere would be to say classified, a dash, and country abbreviation. That’s already done in US and some allies’ classification rules.

        1. 1

          That last part about OOP is pretty much intended as a punchline, but also to draw attention to the fact that the word itself is a little vague, and requires community familiarity for its intended purpose. See also @angersock’s comment about classified ads.

          Also, that lobste.rs is more about programming than pretty much anything else, and most of us probably don’t engage with this site, as if it were some super secret, exclusive zero-day vulnerability mailing list.

          Based on that, anticipate misuse and confusion among new users, unless explicitly enabling it only as a modifier or suffix, within the context of security or a similarly related discipline.

          Something like, maybe the following are valid tags:

          security

          security:classified:united-states

          security:classified:soviet-russia

          security:classified:north-korea

          But these next few are incomplete and refused:

          classified

          united-states

          security:united-states

          united-states:security

          classified:united-states

          united-states:classified

          Eventually, another problem becomes painfully obvious: internationalization/localization. Would a North Korean individual with security clearance know to avoid a tagged post that doesn’t provide the appropriate warning written in the Korean language? Or is the tag really to draw our attention to something juicy and forbidden?

      2. 17

        I’m not comfortable adding tags to accommodate unjust policies. Should we add an “anti-Kim Jong-un” tag to accommodate North Koreans who don’t want to be prosecuted for viewing articles that speak against the supreme leader?

        The fact that this is only relevant to people with security clearance also puts severe limits on its usefulness. If you have some level of clearance, you would be more inclined to read articles about documents that you are cleared for. So “classified” wouldn’t be enough for people with security clearance to decide whether they’re allowed to read an article. You’d really need a tag for each classification level and handling caveat (SECRET, NOFORN, etc.), which is already taken care of upstream in the headers that agencies put on classified documents.

        1. 3

          Just because you’re cleared to handle SECRET information doesn’t mean you have the need to know any particular datum and, anyway, downloading or viewing any level of classified information on unclassified machines is not kosher for anyone – individual classification tags are probably not necessary.

          1. 1

            But shouldn’t you be more interested in such an article, as you have potentially more context than the general public, and it’s potentially more relevant to your life?

            1. 3

              Interest isn’t the issue. If you have a clearance and don’t have need to know, even if the information is within your level of access to classified material, you cannot legally access the material.

              1. 2

                Ah I see. So is it illegal for journalists to look at documents they receive from leakers? Or does this somehow only apply to people with some level of clearance?

                1. 3

                  It’s not that it “somehow” only applies to people with clearances. People with clearances agree, as part of getting a clearance, to only access classified information within their clearance level and for which they have need to know. This agreement is binding, and violation of it is potentially a crime. The average person has not entered into such an agreement, and more broadly it would be unreasonable and impractical for the government to try and punish all people who become privy to the contents of publicly disclosed but still classified materials.

                  1. 12

                    To be quite blunt: it’s their job to ensure this. Independent of whether we should add a tag or not, making it easier for people entering certain agreements to uphold this agreement is not the job of this website. Browse at your own risk.

                    We navigate an unlabeled world all the time, and while I’d prefer everything to have a clear label (for other reasons), suddenly making these people the special case where it’s absolutely necessary is odd to me.

                    1. 3

                      making it easier for people entering certain agreements to uphold this agreement is not the job of this website. Browse at your own risk.

                      It’s just a tag. You are making it out to be something that is lots of work for little reward, but it is exactly the opposite, it wouldn’t take much work to add a tag and it helps lots of people to protect their jobs and prevent accidentally becoming a criminal.

                      1. 2

                        “helps lots of people to protect their jobs and prevent accidentally becoming a criminal.”

                        To help lots of people with clearances clicking links on an obscure forum known to contain illegal releases of classified information and frequented by self-reported hackers. That sounds bad enough for a warrant already. Then, they are possibly in the NSA collection system the moment they open the front page in a scenario like that due to 3 degrees policy depending on if a monitored person replies to thread. With that backdrop, I’m surprised they’d even connect to the site at all without anonymity tools or using a shared access point (library or wifi) for deniability.

                      2. 3

                        I can appreciate the point you’re making here. The number of Lobste.rs readers who would care about such a tag as a means of protecting their jobs is likely small. OTOH, it would serve as an interesting data point for those of us who DO NOT have such jobs and might want to read such articles, and I suspect that audience might be larger.

                        1. 2

                          I’m not saying otherwise. I was simply explaining the legal issues underpinning the ability of people with clearances to read publicly available but still classified material.

                        2. 1

                          I don’t understand your first sentence, which seems to contradict the rest of your comment, but thanks for the info.

                          1. 1

                            I meant that saying “somehow” makes it sound strange and nefarious, and I wanted to disagree with that connotation.

                      3. 1

                        This is correct. It was explained to me that the clearance is a vetting process saying you potentially could access something at that level. The specific things that you can access are what you need access to.

                        Then there’s extra complexity once we go into ownership (did they authorize officially?), SCI, and SAPs. Basic concepts of clearance, compartments, and need to know cover the vast majority of situations, though.

                  2. 2

                    With respect, are you qualified to judge what is just and what is not in absolute terms? What if the people who work in such jobs consider themselves to in fact be just in their actions?

                    1. 2

                      Nobody is qualified to judge what is just in absolute terms, but that’s no reason to give up all conception of justice. And to be clear I am saying the policies are unjust, not actions of the individuals who work under those policies.

                      1. 1

                        Are they? You’re a government. Your goal is to protect your people and further your goals, economic and social.

                        You come to realize that there are certain pieces of information which, if they got into the wrong hands, could hurt you (again ‘you’ here being the nation in question).

                        So, you define certain sets of people who can see certain things. Now, I realize, for hard core “all information wants to be free” types, this is a ring zero violation right here. However, for the purpose of this discussion let’s say that not everyone agrees with this as an absolute.

                        You need to define rules to keep the wrong people from seeing critical information, including penalties to keep these rules from being patently ignored.

                        What is inherently unjust about the above scenario? The right of a nation to protect its secrets? Or the idea that said nation can legislate what information its employees can or can’t consume? Note that getting a job with clearance is a choice. It’s a voluntary obligation people are putting themselves under.

                        1. 2

                          Or the idea that said nation can legislate what information its employees can or can’t consume?

                          This would be what I feel is unjust. In particular, when this information is public, it prevents said employees from being informed and engaged citizens. The fact that their employment is voluntary doesn’t make a difference to me - indentured servitude is unjust even if it’s the result of a voluntary agreement.

                          1. 1

                            That is an interesting conundrum, and maybe there’s some room there for reform in the intelligence community.

                          2. 2

                            That scenario you gave is not how the classification systems actually work. They’re a combo of that with political moves and crimes covered up by the classification. In the US, classification of criminal acts isn’t even legal but they do it & punish leakers anyway. Much of defense activity is also driven by corruption where military and politicians get money from contractors plus politicians get votes or jobs in their districts. The possibly-classified justification for or performance of those programs would be lies to justify profiteering on wasted tax dollars. Trailblazer was a recent example.

                            So, these things are what we need to consider if assessing how just or unjust a classification system is. The U.S.’s is a mixed bag of just classifications, unnecessary classifications (“overclassification”), underperforming in declassification (FOIA), and hiding criminal activity. Definitely needs a ton of reform.

                            Although, the Jason Society did a proposal for a replacement system that sounded good, too. So, reform or replace.

                    2. 21

                      Seems like a perfectly reasonable request to me. I’m all for it.

                      1. 16

                        So follow this thought chain…

                        …a leaker only leaks classified information (under a well demonstrated threat of dire consequences, both legal and extra-legal) because he / she honestly believes that the source organization is engaging in extremely unethical behaviour.

                        …so obviously the main reason why such an organization would not countenance its employees reading such material is because it wishes to retain the loyalty of its employees despite its unethical behaviour. (Otherwise reading such material would be of no consequence)

                        …so by enabling employees to retain “plausible deniability” of unethical behaviour you contribute to maintaining the unethical behaviour of these organizations….

                        …meaning you are behaving unethically by your response.

                        If I seem somewhat heated in my disgust for this behaviour…. it’s because I saw it many times in the Bad Old Days of South African Apartheid.

                        When at last the whole truth emerged, an African person asked me, “How can all these white people claim ignorance of all the murder and torture that were going on?”

                        After deep thought I replied, “By virtue of a carefully maintained ignorance.”

                        When I see a response such as yours, I say to myself, “Another one carefully maintaining his ignorance, by refusing to look, by refusing to read, by refusing to listen.”

                        So look, listen, read…. if they are indeed doing nothing wrong, you will emerge stronger in your support for these organizations.

                        1. 5

                          …a leaker only leaks classified information (under a well demonstrated threat of dire consequences, both legal and extra-legal) because he / she honestly believes that the source organization is engaging in extremely unethical behaviour.

                          If you believe that’s the only reason leaks ever happen, I’ve got a bridge to sell you.

                          …so obviously the main reason why such an organization would not countenance its employees reading such material is because it wishes to retain the loyalty of its employees despite its unethical behaviour. (Otherwise reading such material would be of no consequence)

                          That’s a side effect. The rules are written simply for enforceability: classified information is classified, there is no exception for when it’s been leaked.

                          1. 2

                            If you believe that’s the only reason leaks ever happen

                            Oh I know, I am dead sure there are many “leaks” that aren’t leaks at all…. Some are plain lies, some are “press releases with extra sauce”.

                            The first law of war is that long before the first bullet flies, both sides are lying.

                            But either way it’s information that other people have and you don’t. So make up your mind about the veracity.

                            Make up your own mind about the ethics.

                            Don’t be wilfully blind.

                          2. 2

                            That’s moral calculus that may be perfectly fine to apply in your case. What if as a for-instance someone working in a high clearance job believes that the good they are doing by virtue of this work outweighs the risks you outline? Do they not have that right to make their own judgements?

                            1. 2

                              Only if they are informed..

                              Yes, I knew quite a few people deep in the old South African military/industrials….

                              It was terribly easy for them to make the judgement that they were doing Good…. society and their bosses told them so, and they never looked (or were allowed to look) at anything saying otherwise.

                              If they looked intently and with an open mind at both sides…. I respect their judgement.

                              If they refuse to look and block from their minds all evidence that is uncomfortable, they earn my contempt. (No matter which side they are on.)

                              This “classified” tag is contemptible.

                          3. -1

                            agreed

                          4. 8

                            Ah, interesting edge-case!

                            Maybe something a little more descriptive than classified? My first thought when I clicked on this was “oh great somebody wants to sell reused lobsters or something”.

                            badthink? job-hazard? knowledge hazard? sensitive-information?

                            1. 9

                              I agree.

                              Plus, one nice thing about lobsters is that it’s an international community. Let’s not go ahead and have US-centric tags like that.

                              A sensitive tag might be ok.

                              1. 4

                                I like the intent, but trying to actually think up a better word quickly heads into the weeds.

                                Maybe clearance-hazard?

                                1. 5

                                  classified-information sounds recognizably straightforward.

                                  1. 3

                                    Better but still big. Maybe classified-info. I’d be surprised if it even matters on this site, though.

                                    1. 2

                                      I wouldn’t be opposed to badthink, still seems superfluous though.

                                      1. 2

                                        You mean crimethink? Nice. We let them have a tag to help them but they get reminded of the tyranny they work under every time they use it or see it.

                                        1. 2

                                          Ah yes I guess it was crimethink. Another alternative would be a “leaks” tag, which would be less useful for people trying to avoid viewing forbidden content, but more useful for civilian users who are interested in leaks. And people who don’t want to see anything that some authority may not want them to see could still filter it out.

                                2. 1

                                  Honestly I’m not sure being super descriptive is necessary or helpful. I think that sensitive is perfectly reasonable. badthink is humorous, but may not be obvious to find in the tags.

                                3. 8

                                  This was going to be a reply to a comment but I’m making it to OP. The labels at the top of the papers, on the files, on the packets, and so on are required by DOD policy to make classified info identifiable. That was mandated under TCSEC B1 class and above as a requirement of operating systems. Compartmented Mode Workstations (CMWs) like Trusted Solaris or Argus Pitbull are examples from industry.

                                  Now, the overall industry and web don’t comply with that obviously. However, the leaked documents themselves are usually marked properly and clickbait titles almost always indicate it’s a leak or classified. Still easy to avoid without an OS supporting labelling or Lobsters tag. I almost always know when I’m going to see classified info.

                                  Matter of fact, why the hell aren’t people that worried about it using disposable machines or DOD-certified virtualization (eg GD’s HAP or Dell SCS w/ INTEGRITY-178B) to access unknown content so they can easily remove accidental downloads within policy? Shouldn’t be our burden if solutions exist. Those clearances usually come with extra cash. Buy a laptop or desktop like I just mentioned. Surf untrusted sources in an Internet VM with only vetted stuff going to desktop VM. Don’t put anything illegal in it. Best case you just delete and/or restore the Internet VM. Worst being you tell those that show up it was an accident, you deleted it the moment you saw the labels, let them search both VM’s (net one is clean from backup), and they don’t prosecute… probably. That’s how I’d do it.

                                  http://www.integrityglobalsecurity.com/pages/solutions.html

                                  https://gdmissionsystems.com/cyber/products/trusted-computing-cross-domain/trusted-multilevel-computing-solution/

                                  Note: Not endorsing their security. Just saying the government has certified them for multi-level operations with these specific products allowing cleanest solution (VM’s). Trusted OS’s with file-based MAC might leave stuff lying around or be less believable.

                                  1. 2

                                    I am quite familiar with all of those things (minus the DOD-certified virtualization, that will make for some good reading, thanks!), but this tag suggestion wasn’t about HA and labels, it’s more for the readers who might stumble into links without realizing it contained classified data that was leaked. Nothing protects against that for them, other than just being polite.

                                    1. 4

                                      I see where you’re coming from. Thing is, almost no site does that. Plus, even on a site like that, someone might post something without the tag. So, they can’t operate with the expectation that the site will. We’re right back to them using due diligence plus ensuring separation and quick deletion of classified material. I mean, it won’t bother me if Lobsters adds the tag. I’m just saying the impact is incredibly tiny cuz Lobsters is tiny and likely without many doing classified work. Plus they need their own solution anyway so why not rely on it.

                                      1. 1

                                        I mean, would you also argue that putting “nsfw” next to links is useless because “some people might not use it”? That seems ridiculous. As more people use the classified tag, more people see it exists and learn to use it, it self propagates, becomes a part of how you mark links and a part of online culture. You guys are all acting like a simple tag is the end of the damn world. It’s a courtesy and I don’t see how having it could possibly cause harm, vs not having it which obviously can cause harm.

                                        1. 2

                                          “That seems ridiculous”

                                          Your example is a corporate policy. Mine is DOD policy, federal law, and possible prosecution under Espionage Act. There’s a world of difference. The consequences are so severe and witch hunts increasingly common that a rational person with a clearance would address the risk themselves as I described. People can help them but that’s a supplement that’s not even necessary with my solution.

                                          Re propagation

                                          You’re saying that on a forum with a tiny number of users, even fewer comments, and many comments getting no vote or reply (low active participation). This isn’t the place to “propagate” anything into mass adoption outside maybe the forum software itself. Even it is wisely on GitHub which is normally necessary these days for getting source remixed. Your point would make good sense if it was about “classified” warning on Reddit, Facebook, Twitter, or some other massively-popular, trend-setting service.

                                          1. 2

                                            As more people use the classified tag, more people see it exists and learn to use it, it self propagates, becomes a part of how you mark links and a part of online culture.

                                            This is a worst-case scenario IMO, as it would reduce plausible deniability for government employees who wish to be informed citizens despite their employers’ forbiddance.

                                    2. 24

                                      Why should we bow ourselves to servants of the warfare syndicate?

                                      1. 9

                                        Adding a tag isn’t bowing to anyone, if anything it makes it easier to subscribe to all the leaks you want.

                                        1. 3

                                          That’s a great point. Never crossed my mind. If it was widespread, a leak aggregator could even pull them from many sources.

                                        2. 7

                                          Because I’ve got -3 troll’d – well, dear downvoters: I’m not trolling, I really believe people who take part in the war crime syndicate should not be catered to, but ostracized.

                                          1. 5

                                            Those downvotes have nothing to do with your internal motivations and everything to do with the very low chance a worthwhile conversation can start from your generalization.

                                        3. 5

                                          Hi poptart, would you classify yourself as a public servant? If so, can you explain how that jives with not being allowed to read / comprehend material that is available to the public, and more importantly, perhaps very relevant to your work?

                                          Edit: another question: would it make sense, similar to NDAs, that once confidential material is leaked to the public through no fault of your own, it is no longer confidential by definition, and therefore can be discussed by people who would otherwise be prevented (because of an NDA / clearance)?

                                          1. 4

                                            I’m no lawyer, but I think the gov’s position on classified material is that it never “becomes public”, even when it de facto does, and anyone obtaining it, transmitting it, or just holding on to it is potentially covered by the Espionage Act. Realistically, the damage should be nullified by the fact that the cat is out of the bag, but this is federal criminal law, so reality carries very little weight.

                                            1. 4

                                              That position seems clearly nonsensical. Therefore there is no sense in supporting it.

                                              We are not slaves, we are not drones or zombies either. We are human beings who know better thanks to historical events like the Holocaust, that “just following orders” of the clearly invalid and harmful kind, is wrong. And we do not need lawyers to tell us that.

                                              1. 1

                                                “Following orders” in the genocidal sense is probably on a different moral spectrum than “following orders” in the “not reading Wikileaks release” sense.

                                                More seriously, though, it is not purely in itself hypocritical to participate in a system while being against parts of it. I think university should be free, but I still paid for it. I hope enough people can commit the energy to get classification rules changed for the absurd situation for widely publicized information. Even if they want to keep classification in general.

                                                1. 4

                                                  “Following orders” in the genocidal sense is probably on a different moral spectrum than “following orders” in the “not reading Wikileaks release” sense.

                                                  And if those leaks are exactly about genocide?

                                                  There are many who allege/claim that many high-ranking Nazis were not well informed about what was going on in the concentration camps.

                                                2. 1

                                                  We are human beings who know better thanks to historical events like the Holocaust, that “just following orders” of the clearly invalid and harmful kind, is wrong. And we do not need lawyers to tell us that.

                                                  I don’t really know an elaborate answer to that, except that I feel that the learnings from the Shoah had a very short half-life time. I don’t agree with that blanket statement at all.

                                                  1. 1

                                                    I don’t agree with that blanket statement at all.

                                                    You don’t agree that we’re humans? Or you don’t agree that “just following orders” that are clearly harmful is wrong? Or you think we need to rely on lawyers to understand that?

                                                  2. 0

                                                    In a wider and more cynical sense, I don’t think we’ve fundamentally moved past ‘just following orders’. A large portion of my past and yearly military training was dedicated to reiterating that if you follow illegal orders you can be tried in a military court for the consequences. The same with mishandling classified information.

                                                    This is speculation, but I suspect that the USG is concerned here with young, freshly minted employees and contractors coming into contact with classified information they aren’t approved to handle. Both to prevent having to scrub unclassified machines and workspaces of nominally classified materials and to prevent people from forming conclusions based on data they cannot obtain the context for and shouldn’t have known about in the first place. Couple that with the sheer bureaucratic size of our government and there’s not much room for nuance. “Don’t look at, download, or come into contact with classified materials that you or your system are not cleared for” is a simple rule to follow and enforce.

                                                    1. 1

                                                      Simple to follow? How does one identify which things are classified and not to be looked at, without first looking at them?

                                                      1. 2

                                                        People with security clearances are trained on recognizing classified material. Usually a classification is printed on the outside and top of each page/slide so uncleared people quickly recognize it. It’s harder with the leaked news, but luckily there is a thrilling bureaucratic process to report that one accidentally saw classified material one wasn’t cleared for. (Spoiler alert: it’s not at all thrilling.)

                                                        1. 2

                                                          Maybe a classified-info tag? :P

                                                          Less cheeky, there’s generally leeway for honest mistakes in addition to reporting channels (if you care enough). Visiting WikiLeaks: probably bad, probably blocked. Something published by a news outlet? Often indicated through headlines and slugs, general advisement tends to be “be careful of these links and also remember to protect classified information”.

                                                          1. 3

                                                            Indeed, but there isn’t a “classified-info” tag for the entire Internet, and “classified” isn’t precise enough to tell you whether you have adequate clearance to click the link anyways. So I feel that this tag request is a bit off the mark.

                                                            If government employees really do want to be subordinated to their employer, they should do something client side to block web pages according to their clearance level. The best solution of course would be to use Tor, so they don’t feel pressure to obey unjust policies.

                                                            1. 2

                                                              This is exactly what it is and you nailed the “still classified even if it’s public”. This is why you will never see a public servant talk about classified data leaks under almost any situation: they are still classified. It’s quite cumbersome and not oriented towards a tech-driven world, but what it is is protections for the readers not for the government entities themselves.

                                                      2. 2

                                                        Regardless of how much sense it makes, you correctly summarized the government’s position.

                                                      3. 3

                                                        First off, I’m not a public servant. Never have been. But, I do work with people who are and this is a thing that has come up in conversations multiple times and they have all stated how much they appreciate the netsec reddit community’s tags. I personally thought it might be useful to have here. hobbified is correct, classified information that is public knowledge is still classified. I can’t justify that and think it’s crazy, but it is a holdover from times before the internet I suspect.

                                                        1. 2

                                                          So is there anyone here who would actually use the tag?

                                                          1. 3

                                                            Yup.

                                                            On absolutely everything.

                                                            It would act as a “push” filter to remove Apparatchiks from the conversation.

                                                      4. 8

                                                        Personally, I cannot even begin to comprehend the mentality that this request illustrates.

                                                        It is bizarre and kafkaesque beyond belief.

                                                        But Ok.

                                                        If you insist.

                                                        You should be able to opt in to hide information about yourself from yourself…. and all links to classified material should be replaced by links to this video. https://www.youtube.com/watch?v=hn1VxaMEjRU