back to article REVEALED: The gizmo leaker Snowden used to smuggle out NSA files

Whistleblower Edward Snowden apparently used a USB thumb-drive to smuggle out hundreds of top-secret documents before he blew the lid off the NSA's web-spying project PRISM. This is despite the Pentagon's clampdown on the gadgets. Unnamed officials told the Los Angeles Times that they were well on the way to figuring out which …

COMMENTS

This topic is closed for new posts.

Page:

WTF?

Root password, sure, but why wasn't the data encrypted?

I don't have problems with "lowly" sysadmins being able to move data around, add devices, etc (after all, it's part of their job) but there's no need to keep the data in a form in which those who move it around can look inside it.

Gumbyshire County Council staff failing to encrypt sensitive data is a problem, but unsurprising (they're not recruited for security-related stuff) but the CIA? WTF?

Ah, yes. Perhaps they're recruited to analyze data, not keep it secure?

7
1
Anonymous Coward

Re: Root password, sure, but why wasn't the data encrypted?

I used to work for a company that worked with classified data. The security requirements around access to Secret data on computers is largely the same as that for paper documents: a secure site, door locks, badge access, safes, etc. The PCs we used were on a self-contained network kept within one room for our project (no internet access, obviously) and the main security mechanism that the machines had removable hard disks which were counted into and out of a safe whenever you left your desk.

Encryption was only used for sending the occasional file over a secure telephone link (not attached to the network) to partner companies working on the same project. The PCs were just standard Windows PCs without disk encryption of any sort.

4
0
Silver badge

Re: Root password, sure, but why wasn't the data encrypted?

It's not even that that worries me.

Why are they using commodity systems with things like Windows on them? Why are there even USB ports PRESENT on the damn machines? Why would they even want an internal motherboard header for something like USB at all. And, where present, why isn't it completely impossible - in software - short of compromising the system to even bit-bang some pins to provide any semblance of a USB storage device to the machine.

It seems that the problem isn't rogue people - they exist and you can't stop them existing. It isn't security clearance - the people who want security clearance the most and will try the hardest to get it are those that shouldn't have it at all. It isn't the presence of auditing software that monitor keystrokes - which is all after-the-horse-has-bolted. It's the fact that it's even possible to insert, and have recognised, a bog-standard, off-the-shelf USB device that data can then be placed onto (apparently unquestioningly for a sysadmin, even though there's supposed to be a distinction between controlled data and not, and there should be LOTS of alarms going off at even the attempt to access controlled data on a machine that has a removable storage device - let alone actually allowing the copy to happen!).

You shouldn't have high-up ranks issuing orders along the lines of "don't use removable storage", it just shouldn't be possible. You're providing the kit. You're sourcing this kit for military purposes. You call the shots. And if you only want it to communicate with, say, storage devices that can only copy encrypted data in it's encrypted form (and the systems themselves have to link that with credentials / other devices enough to decrypt it), then that's what you buy and that's what you issue and it doesn't matter what Joe Bloggs brings in with him from the local Maplin's, that's all he can interface with and what he has to defeat.

Hell, the case against DRM in consumer devices is HUGE, but why aren't these military devices using TPM - or equivalent - secure-booting, authenticating all external devices, not even able to physically, logically, or "hackably" be able to provide a USB storage device on them from an unlicensed device, etc? I'm not saying you'd ever make it completely "unhackable" but nobody, nobody!, on a secure system should be able to do anything to entice it to copy controlled data onto a USB storage device that they've bought down the shops.

It's utterly ridiculous. Turing would be turning in his grave or (if the German's were doing it) extremely grateful that the enemy were that stupid.

34
8

Re: Root password, sure, but why wasn't the data encrypted?

@Lee D - computer systems in gov't organisations, even highly secretive ones, are not like those in the movies. They're basically the same as those in any large organisation. Some will be new, some will be old, some will be in dire need of replacement. They have USB ports on them for the same reasons as the PC on your desk has USB ports on it.

They run Windows because most of the time the work done on them will be done using MS Word, Excel, etc. Specialist tools will be Windows GUI based apps because the companies and engineers who develop them are good at writing Windows apps and the staff who use them know how to use Windows apps. And so on.

And the whole point of background checks, security clearences etc is that you're supposed to be able to trust people who work with such data (and are granted unsupervised physical access to it) to keep it a secret. Even without USB ports, someone who is really determined to get data out of a secure enviroment will do so one way or the other.

12
2
Anonymous Coward

Re: Root password, sure, but why wasn't the data encrypted?

Back in the mid-90s when my piece of the military was beginning to go online I found myself going constantly from machine to machine with antivirus updates on a floppy in order to cure them of the latest infection. At that time I recommended adding software at the server level to scan for such attachments and stop the problem there. I was told that it was too expensive. In the mid 2000s I recommended using software to control port access and prevent use of USB or other external media devices on military computers. Software solutions were deemed too expensive, just tell people not to do it. Basically the issue is that leadership fails to listen to the people who are closest to the problem and lacks the ability to see the consequences of that failure.

10
0

Re: Root password, sure, but why wasn't the data encrypted?

It's very easy to remove access to USB entirely, either physically or through software. What I'm more shocked about it the apparent lack of a File Access Monitor.

Surely an organisation like the CIA can afford access to even a basic one of these to report if someone is copying stuff off site? I'm not experienced in the slightest when it comes to this stuff, although I have played with a few from the big vendors in this market and they're well within the budget of US.GOV.

1
1

Re: Root password, sure, but why wasn't the data encrypted?

Find me a modern wired mouse or keyboard that is commercially available, today, that doesn't use USB. That should answer your question about why even military computers have USB ports on them.

14
0
Anonymous Coward

Re: Root password, sure, but why wasn't the data encrypted?

I work for a healthcare provider. We have software that controls your ability to WRITE to removable media. Seems like that is all you need... you can read all you want, you just can't export it.

3
0
Anonymous Coward

Re: Root password, sure, but why wasn't the data encrypted?

"Find me a modern wired mouse or keyboard that is commercially available, today, that doesn't use USB."

I work in government, and our software policy is set that USB keyboards/mice work as normal, but if you plug in a USB storage device it will only mount if it's an approved device supplied by the IT dept and you have the right software installed (which you need to have a business case for)

While it won't stop rogue admins from abusing the system, it makes it easier to track down who has access to a particular share b[]and[/b] has USB storage rights.

2
0
Silver badge

Re: Root password, sure, but why wasn't the data encrypted?

What's stopping people taking photos of the screens? There's usually a hack whatever precautions you take.

1
0
Bronze badge

Re: Root password, sure, but why wasn't the data encrypted?

Considering that the NSA happens to have produced - and even distributes to the general public - Security Enhanced Linux, a distribution of Linux which, like Multics, allows files to be labelled with a security level, and then which doesn't allow programs that can read those files to write out files labelled with any lower security level... they've got the software they need to make sure that no classified file gets written out unencrypted to a USB stick.

They're apparently just not using it.

7
0
Linux

Disable USB for mass storage ...

Add the following line to blacklist.conf

modprobe -r usb_storage

0
0
Unhappy

Re: Root password, sure, but why wasn't the data encrypted?

The type of people that join the army are generally pretty dim, a lot of them because they have no qualifications and can't get another type of job. They also usually have a power complex. Anyone I know who has joined the army has been thick as pig shit.

So, whilst you may see what needs done and have a good assessment of security, military people generally won't. Hence comments like "Ban all removable storage" from the top brass.

7
9
Facepalm

Re: Root password, sure, but why wasn't the data encrypted?

Where I used to work all of the USB ports were glued up to prevent us saving files to USB sticks..........well all of them except the one used for the mouse and keyboard. The OS even had the drivers still present.

We pointed out this stupidity and the official response was to tell us that installing a customised OS was too difficult/expensive and to issue a dire warning against using the USB port for anything other than the keyboard/mouse.

Sigh

1
0
Anonymous Coward

Re: Root password, sure, but why wasn't the data encrypted?

Sorry for being mean, but are we not back accusing the Germans for not telling the truth about Nazi Germany.

0
1

Re: Root password, sure, but why wasn't the data encrypted?

"I work in government, and our software policy is set that USB keyboards/mice work as normal, but if you plug in a USB storage device it will only mount if it's an approved device supplied by the IT dept and you have the right software installed (which you need to have a business case for)"

That's fine, until some smart-arse boots from a thumb drive/CD/DVD and simply copies the data they want using the booted OS. If they have access to a Firewire port (or even an authorised laptop with an ExpressCard slot), you may as well just give up now (DMA attacks.) Even a Bitlocker-protected system is vulnerable to a DMA or cold boot attack - so even full HDD software encryption means very little in terms of real security - it just gives the CIO a nice warm, fuzzy feeling.

(Linux at least has TRESOR and Loop-Amnesia, but Windows does not. I personally favour using HDDs that support on-controller encryption, but their added expense means that most IT departments don't bother with them.)

The recent trend of giving workers laptops, rather than desktops, only makes things worse - because laptop hardware can be tampered with out of sight. Desktops are marginally better, because anyone stupid enough to start dismantling their desktop PC in plain sight would end up being escorted off site faster than you can say "Busted!"

1
1

Re: Disable USB for mass storage ...

The elegant solution in 'nix, but anyone with root access can chg your settings too... Just like anyone on windaz can mod the registry. You can define all these controls in policy, but organised crime, hackers and those w enough balls to act to defend freedom in our not so free now (and worse to be soon) society, can still circumvent.

There is no such thing as a secure system. Private data has to be managed as private data, else it will become public. The real problem here is more about what data governments want to keep secret:

Apart from their citizen's personal information, what data should they even be allowed to keep secret and for how long- if they are doing the right thing? As they tell us they are...

The problem here is two fold; the amount of seriously bad stuff governments are doing and the amount of data theyre classifying as secret. They store most of it as secret as no one tells them not to (and they're proven to be no better at managing their data bloat than the average MOP (member of the public)... Being able to keep it secret removes a lot of the onus on them to do the right thing.

Wholesale Data Surveillance like PRISM, corporates sharing Customer activity and assigning Universal unique IDs to everyone, ISPs like Telstra storing customer usage details and comprimising their customer's private data- all of this combined with constant surveillance makes the problem exponentially worse.

Turning the Net into the world's primary surveillance system is totally unsustainable of course. But they don't care. And how will it end for us? So why accept it now? Why allow them to keep shooting the messengers and turn so many people against us when we should be using this time of prosperity and opportunity to bring Nations and people together?

Until we expect more from those who govern (and tell them so) all this will combine with population and resource challenges to end in cataclysmic permawar. Our spooks don't want this, but they don't see it either.

2
0

Re: Root password, sure, but why wasn't the data encrypted?

It's not even that or that that worries me...

More like why the hell wasn't there a slightly overweight dude wearing a size-too-small-some-shade-of-blue shirt with his ass parked on a barstool at the dang exit? You know, the guy who lives life only to harass the shit out of people, especially people who happen to live somewhere above his paygrade (everyone).

Whut's in the bag, nerd?

1
0
Anonymous Coward

Re: Root password, sure, but why wasn't the data encrypted?

"That's fine, until some smart-arse boots from a thumb drive/CD/DVD and simply copies the data they want using the booted OS."

That is where 802.1x comes into play. You can boot that OS, but the computer won't be on the network.

1
0
Silver badge

It's called COTS

In the past these organisations, just like submarines etc, used special hardware.

Then they found it was hard to keep spares and find people that knew how to service them. A submarine was stuck at Holy Loch for over a week waiting for a special computer to be built, then shipped from USA to UK. Congress would ask why the military was paying $20k for a computer that was slower than the $1k offering from the computer shop down the road.

So then they decided to go with COTS: use vanilla kit. If something breaks, nip down to the local computer shop and you're going again..... and it is way cheaper.

Cheaper is a huge factor. That give far more toys per budget.

If they nobbled all the USB ports then things like mice and keyboards would not work.

They can make rules, but those soon become ineffectual. The first time some big-wig needs to use a USB stick to copy a presentation to use on the computer conected to the projector, you're screwed.

3
0
FAIL

Re: Root password, sure, but why wasn't the data encrypted?

Software like this has no reason to be expensive, its simply overpriced.

Prevent access to USB? Just remove the USB drivers and the system will ignore the ports and only someone with suitable privileges would be able to reinstall them.

And incidentally, USB devices are used because they are most convenient, if you block USB them people who want to extract information will use other less obvious ways.

If you leave USB enabled, but keep a log of any data written to such a device then you stand a better chance of catching someone who will often just use the easiest method to extract data. If you disable USB and assume that's an end to it, then the attacker will either find a way to re-enable it (which you wont be expecting or monitoring), or find some other way to get data out which again is less likely to be noticed...

How many organisations control what you print? How many do it in a half assed way (eg your supposed to print through a printserver which logs, but its possible to connect directly to the printer which doesn't).

How many will do an adequate search to ensure you don't enter the building carrying a tiny camera, audio recording device, modem, wireless transmitter etc?

How many sites are in such locations that would make it impossible to throw something out so that it clears the perimeter fence and falls on public land where it can be collected later?

How many networks are connected to the internet and just restricted by firewalls, and how secure are these networks? In many cases its possible to get *something* out which could be used as a covert channel, and in even more cases its easily possible to compromise the local network to such a degree that you are able to modify the firewall rulesets to suit your purposes. The average windows network is horrendously insecure, and firewalls while generally much tougher unix based systems are often administered from windows workstations which sit on a trivially ownable domain, likely the same domain as end user workstations.

You are only as secure as the weakest link, and yet many organisations waste millions trying to strengthen areas that were never their weakest link in the first place.

0
1
FAIL

Re: Root password, sure, but why wasn't the data encrypted?

So you can't write to removable media?

What if you read some exploit code from the removable media, and use it to elevate your privileges such that you can disable the aforementioned software?

Also, since such software is likely a userland application rather than a kernel option, if it crashes you regain the ability to write...

1
1
Anonymous Coward

Re: Root password, sure, but why wasn't the data encrypted?

It isn't the Army, and neither the physicist nor the computer scientist I know who joined the Army were particularly dim. It tends to be "Government agencies".

Joining the actual Armed Forces can lead to a messy death, but it can also lead to an exciting career. Working for a security agency on the other hand has no such prospects. Joining the security services and working in IT must be like being down there with the helots. Are the best and brightest going to apply?

0
0
Facepalm

Re: Root password, sure, but why wasn't the data encrypted?

It is hilarious to think my girlfriend/wife porn is more secure in an AES truecrypt partition than the NSA's most torrid secrets. WTF?? They could have easily mapped a Truecrypt partition to their network which would in no way be accessible to sysadmins that have no access to the credentials. And truecrypt is free and open source ffs

0
0

Re: Root password, sure, but why wasn't the data encrypted?

You'd also need to ban access to any form of printing device - google "optar" for an example why.

0
0

Re: Root password, sure, but why wasn't the data encrypted?

Purchase Ps2 cards, mice and keyboards. Bung up usb ports with epoxy. Remove cd/dvd writers. Lock cases. Encrypt data. Encrypt data. Encrypt data.

1
0
Holmes

Re: Root password, sure, but why wasn't the data encrypted?

Some realities.

Encryption isn't a cure-all, a wand you can wave to solve problems of access to data. Firstly, encryption implies keys. If you are sending the document to thousands of people within the one organisation and the attacker is within that organisation and has sysadmin rights... how long is the key going to stay secure? This is even true for PGP -- in that case you scarf up everyone's keyrings as well as the data and attack the passwords used to secure the keyrings. Secondly, there's still nothing to stop you from copying the data (should someone appear with a key later on). Thirdly, there's nothing to prevent traffic analysis. For example, a lot of files suddenly appearing in the plans-to-attack-libya directory.

Encryption is an interesting two-edge sword. Take command-line access to a server on a secure network. Should that use SSH. Or should that be forced to use Telnet so that the exact session of the person connecting can be audited? As a result a lot of secret-level systems use less encryption mechanisms than you would expect.

Disabling USB is difficult, as you can't unilaterally disable the controller as there are interior USB buses within modern computers tying the components on the mainboard together. What you can do is to refuse to mount USB media which hasn't been authorised. That's a bespoke SELinux rule for Linux, or a software hack for Windows. Neither is supported by the operating system's manufacturer, which is an issue for large installations.

I am not saying that people shouldn't try encryption and blocking access to devices -- a low fence is still a fence. But don't be surprised by the success of an attacker with abundant inside information and access.

In this case the technology is irrelevant. Let's say both the encryption and the USB were tight. The attacker was determined to leak and would have simply chosen another path. All we can do is to force people in to technologies with higher risk, such as cameras.

In focussing on these technical matters we're also ignoring the cultural -- the "why" of leaks. When you ask an organisation to act contrary to its mission the organisation betrays the people in the organisation most motivated by its mission. Having that betrayal of the individual by the organisation repaid by betrayal of the organisation by the individual is to be expected.

2
2
Bronze badge

Re: Root password, sure, but why wasn't the data encrypted?

... but you can bet that Tommy sees!

0
0
Bronze badge

Re: Root password, sure, but why wasn't the data encrypted?

-- and only someone with suitable privileges would be able to reinstall them. --

Ah. You mean like a SYSADMIN? Oh, wait... wasn't he one?

0
0
Anonymous Coward

Re: Root password, sure, but why wasn't the data encrypted?

Its simple.

They tell the IT guy to lock down USB.

The IT guy said it was done.

1
0
WTF?

FEDELST

The practice of disabling USB, although an effective countermeasure for the protection of the casual removal of information, is merely part of the equation, and should not be the sole mode of protection from such threat. More evolved systems including data and resource access controls according to user rights and information classification levels, and intelligent data loss prevention technologies afford visibility and control to the protection of confidential data.

Eliminating the USB service reduces valuable functionality which the USB interface affords system users and admins. Technologies such as those developed by companies such as SafeEnd and Unatech afford security administrators the ability to implement USB firewalls where only registered devices, and actions can be permitted, and logged. All other actions on the USB channel are restricted and attempts are reported.

The actions of Snowden and Manning were due to a seachange in policy in US Government internal computing environment where after 9/11 everything went from 'need to know' to a 'need to share'. The US Government had determined that it was more important to have access to tools and information which could aid employees is their ability to identify threat, than lose this visibility due to restricted information access.

The failure here was clearly due to the lack of any visibility to anomalous behavior, the failure to identify and report access and downloads of volumes of data, access to information not specific to the users job function, and any reasonable level of accountability for security practices.

It is my opinion that the old 'restrict USB' ethic is dated, and by doing so complicates system administration by eliminating a valuable system resource. I say better management and monitoring is the key here. Besides, no user, with access to any secure environment should be permitted to carry any personal device capable of storing, encrypting, obfuscating or redirecting data.

0
1
Go

Re: Root password, sure, but why wasn't the data encrypted?

Data should be encrypted at the file level with user access rights assigned to only those who require access... a la PGP NetShare, as an example.

0
0

Re: Root password, sure, but why wasn't the data encrypted?

Because with Windows releases up to Server 2000 don't distinguish between actually reading a file and opening a folder. Open a folder on a Windows 2000 file server and for every file in that folder you get a read hit for the AD account that opened the folder. Also every sub-folder and every file in every sub-folder will generate a read event. So many events are generated that you need to up the hard disk requirement by 50% just to record the events, let alone attempt to generate a decent alert or two, instead of 1,000s.

0
0

Re: Root password, sure, but why wasn't the data encrypted?

They are using Windows so that the NSA can break into its secret backdoors. [ chuckle ].

0
0
Bronze badge

RE: Re: Root password, sure, but why wasn't the data encrypted?

Basically the issue is that leadership fails to listen to the people who are closest to the problem and lacks the ability to see the consequences of that failure.

What you have described sir, is better known as damagement, the bane of IT existence worldwide.

0
0
Anonymous Coward

This case asks more and more questions:

This guy was a $200k a year IT administrator, in a top secret environment, however he had a sex worker girlfriend and wasn't smart enough to check if the place he was fleeing to had an extradition treaty with the USA after he had taken data from said secret environment on a USB drive.

If I read a story like that, I wouldn't believe it. I can't imagine for a minute you'd get SC, let alone DV clearance in the UK if your girlfriend was a pole dancer. I find it very hard to believe that he could easily sidestep security in the way he apparently has and that Prism has remained secret so long. It's all very odd.

2
15
Big Brother

Dr Ruth is no stranger to friction

"Truth is stranger than fiction, because fiction has to make sense."

Could you have imagined that NASA management would have dismissed a series of concerns flagged by engineers, resulting in a Shuttle failure?

A rigged leak is presumably to misdirect (The Thumb Drive That Never Was.) Of course, if it is rigged, one possibility is that the leak is to say "The secret surveillance is X more than you thought it was", to hide that fact that it's actually X-squared more. But I think administrative idiocy is a better explanation.

5
1

<blockquote> I can't imagine for a minute you'd get SC, let alone DV clearance in the UK if your girlfriend was a pole dancer. </blockquote>

I don't see that that would be a problem. They're likelier to have a problem with your girlfriend being secretly a pole dancer --- blackmailability is the worry, not overt activities that some might disappove of.

19
0
Anonymous Coward

This case asks more and more questions:

Read elsewhere today that he had an account at ArsTechnica where at times he complained about the way the state spied on individuals and how he was going to do something about it.

0
0
Anonymous Coward

You have jumped to a few conclusions there, who knows what other data he has at this stage? It may well be in his best interest to go to HK, especially as it was mentioned in another article (on Reg I believe) he has data on the US hack attempts at Chinese civilian targets which they said they didn't do. Therefore the Chinese would be very keen on keeping him close!

Regarding UK clearance, it doesn't matter what your family members/friends do (within reason). The main priority is that you can't be blackmailed. If you're honest in your interview with your clearance officer and on your paperwork then it is generally fine! There would also be a number of factors such as, whether you or your family members have held clearance in the past and whether you have any foreign friends.

3
0
Anonymous Coward

'If I read a story like that, I wouldn't believe it'

Agree! With all the resources the NSA has, why are they outsourcing daily sysadmin work to a subcontractor? Surely this is a laughably weak point in human & systems vulnerability? I can understand where its necessary to contract out specialist work that is done in isolation from the daily work of the NSA... But access to broad systems? USB keys? Hello...? Burn After Reading (2008)...

Moreover the guy appears to have a chequered history regarding IT. He started as a security guard at the NSA??? Now a few years later he's making 200k or 130k depending on who you believe. If he was working on a trading desk at 29 with a mystery past I'd say that sounds right! But NSA security? This is the best the NSA can get? His story sounds more like Gary McKinnon than White-Hat pro...

2
0
Anonymous Coward

Could there be a downside to issuing clearances by the million and outsourcing the background investigations?

1
0
Silver badge

Re: 'If I read a story like that, I wouldn't believe it'

Within the current government it is en vogue to reduce agency head counts. Even if it actually cost more to outsource the job (almost always does) they have a mandate to reduce staffing levels. It's all a rather silly trick.

9
0
Anonymous Coward

What you're saying is, like Manning, this guy should not have had a security clearance. And you're right.

And once again, the name "Obama" appears nowhere in the article.

1
11
Anonymous Coward

Just re-read my post: What I was trying to say was not that I didn't believe the story, just that it shows a shocking lack of competence on behalf of that NSA, it's like they wanted everyone to know about Prism. I used to work in a bank and our offices had more strict security than seems to have been the case at the NSA. ie: VMs for workstations where possible, where not if you put a USB stick in it was immediately encrypted so even if you did take it out of the company the data on it would be useless.

0
0
Anonymous Coward

Yes, the name Obama should be all over this article, if he can't be arsed to personally do all the checking for every security clearance it's his fault. It's not as if he has anything else to do is it? Oh, wait...

20
2

Pole Dancer <> Sex worker

12
1

Please, blighty, take these tea partiers back.

I'm a coffee addict myself, so I don't fully understand this infatuation with TEA(Tobacco Everywhere Always?), so forgive me if I offend your national beverage. But it just so happens that in the USofA we are being annoyed by a small group of tea drinkers that probably would be much happier somewhere else. Well, I know we would be much happier if they were somewhere else. So, how about it, your majesties? Do us a solid, for old times sake? Offer them all the tea they can drink and get them out of our hair. Thanks

2
1
Anonymous Coward

Firstly, pole dancers are *NOT* all sex workers, some may be sex workers as well as pole dancers though in the same way that the receptionist or cleaner or even your manager may be a sex worker.

Second misconception, security vetting has nothing to to with (at certain levels) what you get up to within the law, it's about how honest you are and all about how susceptible to temptation/blackmail/coercion. If you're open about your proclivities during the process then you've demonstrated you're not a risk.

2
0
Anonymous Coward

Actually a pole dancer is a sex worker, that is not however to say that a pole dancer, or indeed most sex workers are prostitutes. A pole dancer uses her (his maybe as well) body to titillate sexually. If they aren't sex workers, why are the clubs pretty much exclusively frequented by men and the pole dancers are as far as I can tell only women?

Also vetting is very much about what you get up to within the law (amongst other things) for example, if I were having an affair, this would be perfectly legal but would pretty much exclude me from all security vetted positions. Were I into something perfectly legal, but unusual such as poly, where all parties are aware of what's going on, again that would exclude me from pretty much any role. Were I a member of the BNP, I would not be committing a crime, but I wouldn't be getting security clearance either.

0
3

Page:

This topic is closed for new posts.

Forums