Los Alamos confirms data breach

LAT ^ | Oct. 26, 2006 | Ralph Vartabedian

[familyop]

Thanks. ...interesting. I haven't forgotten that a Los Alamos employee was beaten nearly to death (many months ago, IIRC, around a local bar), too. That incident reeked of a work-related problem, as he was involved in some kind of squabble there. And BTW, a university in California (UC Davis?) mismanages that place.

[familyop]

Here. Let's clear the matter up a little (my emphases, in bold font).

---

Los Alamos Whistleblower Beaten - (horrendous)
NEWSMAX.COM ^ | JUNE 6, 2005 | CARL LIMBACHER & NewsMax Staff

Posted on 06/06/2005 6:52:41 PM PDT by CHARLITE

A Los Alamos whistleblower scheduled to testify before congress later this month is now in the hospital, according to news reports. Auditor Tommy Hook was brutally beaten by three or four anonymous assailants who allegedly ordered him to keep quiet.

On Saturday night, Hook went to a Santa Fe bar ostensibly to meet a person claiming to be a fellow Los Alamos whistleblower that called that night. When the person did not show, Hook left the bar after consuming two drinks.

Whistleblowing auditor Tommy Hook before and after the beating. (CBS News photos)

In the parking lot, he was yanked out of his car and beaten so badly by the three or four men that he had to be taken to intensive care at a local emergency room.

Reportedly, Hook did not provoke these men. The men concentrated on kicking his head, and Hook's family has opined that the men would have killed him if it hadn't been for a club employee, who ran from the club and broke up the beating.

Congressional staff members were set to arrive Tuesday in Los Alamos to investigate Hook's allegations of malfeasance at the lab.

Tommy Hook remains hospitalized with severe trauma to his face and head, including a fractured jaw and a herniated disk. The FBI has been called-in to investigate the attack, and Hook is currently under close protective custody.

Congress Warned of Ill Treatment of Hook

Last March, Danielle Brian, Executive Director Project On Government Oversight (POGO) testified before the House Energy and Commerce Subcommittee on Oversight and Investigations regarding a review of security initiatives at DOE Nuclear Weapons Facilities.

He especially focused on Hook and another whisterblower:

"I would be remiss if I did not report to the Committee that, while not a part of former Secretary Abraham's initiatives, the treatment of whistleblowers throughout the complex remains abysmal. Retaliation remains the norm, not the exception, as can be seen in the case of Tommy Hook and Chuck Montano, who have both worked at Los Alamos for decades.

"After the Committee's three hearings on financial fraud at Los Alamos, the University of California was telling the public that all was resolved, while at the same time retaliating against these two men who knew otherwise. Hook and Montano were responsible for providing audit support for UC and uncovered ongoing irregularities and outright misconduct amounting to millions of taxpayer dollars.

"Their audit reports were withheld from DOE. Their treatment? Their work was taken away from them, they were given no work for nine months, and now they are only being handed menial assignments. Even the head of the Los Alamos Site Office tried to intervene on Tommy Hook's behalf, only to be rebuffed by an arrogant University of California."

According to a report in Exec.com, Susan Hook, the victim's wife, Bob Rothstein, his attorney, and Montano confirmed that Hook was at the club to meet with another employee who claimed to have information that would support charges of wrongdoing.

Susan Hook and Montano further alleged that the assault was absolutely connected to Tommy Hook's impending testimony:

"When they were beating him up, they were telling him ... 'If you know what is good for you, you will keep your mouth shut,'" said Susan Hook.

Rothstein recalled that a person claiming to be an auditor from Los Alamos had contacted Hook a week before and had offered to share information about financial issues at the laboratory. Rothstein said that one meeting had already fallen through, but the second was arranged on Saturday night at the strip club.

The nightclub's doorman ran into the parking lot and broke up the attack, according to a club employee who witnessed the beating. The employee said Hook was assaulted by a group of men.

Joint Investigation

Called to the scene, FBI Special Agent Bill Elwell confirmed that federal agents are investigating with Santa Fe police officers. He said they are "still trying to figure out" what happened at the nightclub. "We are looking into the allegations made by Mr. Hook," Elwell said.

Los Alamos issued a statement:

"The University of California and the laboratory are outraged that a laboratory employee was the victim of a weekend assault in Santa Fe. Director [Robert] Kuckuck was made aware of the attack this morning and expressed his hope that the individual will make a quick recovery"

"Director Kuckuck, the University of California and the laboratory believe that any form of physical violence toward an individual is unacceptable. The laboratory is in contact with the Santa Fe Police Department and is providing the laboratory's full support and cooperation with the ongoing investigation." Susan Hooks said that her husband's wallet and car were not taken.

[familyop]

BTW, I do agree very much that our US military should be in control of such places.

[mo]

"Do you have a better idea..."


Yeah...as a taxpayer I wanna know why all critical drives etc. aren't RFID chipped and there loactions auto-monitored at this point .....

[SunkenCiv]

Maybe we could save time and just outsource the whole operation to, say, China. ;')

[FreePaul]

Why don't we just hold all of the postings about Los Alamos National Laboratory until they can confirm that they have managed to keep a secret for at least a short time?

[conservativeharleyguy]

"...Here's one. You register devices to the persons authorized to use them. Those devices are then their responsibility. You put users on notice as to what the protocal will be. You moniter all devices...."

Already been done for years. But how do you stop someone from bringing their own device? Whether it's for convenience, expediency, or nefarious purposes, the result is the same. Are you going to search every single person, every day, coming in, and going out of every facility? Before you answer, think how long that will take for 11,000 people over 47 square miles. You might (might!!!) have great security, but no work will ever get done, and all it takes is one failure for the system to break down. You've got to find an effective balance.

"...A person should be tasked to make spot checks on those devices periodically (no less than once per week, yeah it will take manpower to do it. I don't care). When they do check, the device better damned well be secure or the person responsible for it would be carted off for a short discussion, followed by possible incarceration..."

Again, already pretty much done. And again, if it's their own thumb-drive, and they are determined to overcome the system, what do you suggest? A security person to watch over everything every worker does (BTW, whoever put that data on a midriff probably knowingly did so in violation of policies, procedures, federal laws and had to overcome at least one physical barrier to even plug it in). It's easy to say "I don't care". It's far harder to roll up your sleeves and actually do something about it.

"...What the hell kind of an operation are they running over there, that these devices could be missing and nobody know about it..."?

It's easier to fight for one's principles that it is to live up to them every day. Everyone from the outside always has a better idea , but w/o all of the info and an understanding of the organization, it's all smoke. The facts are: THIS IS NOT A PROBLEM WITH THE SECURITY DEPARTMENT, IT'S A PROBLEM WITH THE ORGANIZATIONAL CULTURE, AND A LEGACY OF POOR MANAGEMENT!!!! Remember, this information was probably stolen months, if not years, ago, under a different management team, under different security rules.

"...As for your comments about the supervisors, if they obstructed any implementation of this policy they should be subject to incarceration for not taking the security of these devices seriously..."

Have you ever prosecuted someone for compromising national security? Let alone their boss? I doubt it. It's not as simple as you seem to think.

When your issue is tried in the press, and every "do-it-yourself nuclear security expert" on earth rushes to judgment full of themselves and what they read in newspapers, you'll be lucky to get even one of over 50 charges to stick (that's what's known as a "thinly veiled reference". If you actually know anything about this issue, you'll know immediately what I'm talking about).

"...This is a national security matter, and your excuses don't instill confidence. Instead it seems to reveal at least part of the problem. I wouldn't work for an agency that was powerless to do the job the way it should be done..."

Your confidence is the least of my worries. As I already said, everyone always thinks they are real security experts, until they are asked to come up with ideas that will work in the real world. Then it's not as cut and dried as you'd like to believe.

The real answer is this: In any organization, whether it's a National Lab or Dillard's, you establish policies, and procedures (based on law) for your Security Department to regulate. They must make sense, allow for work to actually be accomplished, with clearly communicated penalties for violation. You then have to have Management that is willing to hold anyone and everyone equally accountable for violating them. All "Security" can do is help establish the rules, monitor and assess compliance with them, and identify those who don't comply to Management. In any organization, it's not the Security Department who holds the workers accountable for violations, it's the Management, period. If you believe otherwise, you don't know jacks***. And, in the case of National Labs, it's the federal government who actually punishes them.

BTW, I'm sure that LANL is losing lots of sleep over your fatuous refusal to work there. Obviously, someone of your vast experience and qualifications in Nuclear Operations and Security could just stroll on over and clean it right up overnight. You've missed your calling.

[fight_truth_decay]

Ah..poor management coupled with the Peter Principle.

Great post!

[supercat]

Again, already pretty much done. And again, if it's their own thumb-drive, and they are determined to overcome the system, what do you suggest?

An OS patch to deny mounting to any USB device whose ID isn't listed in a certain database.

[DoughtyOne]

Thanks for the post. That's terrible.

[Howlin]

What's her name, Hazel O'Leary?

and

Hehehe- yeah, looks like Johnny Chung not only got a lot of bang for his buck, but meth to boot.

Man, Freepers have LONG memories, don't they? It's one of the best things about this place!

[DoughtyOne]

You know, it's amazing to sit here an read your explanation for national security items leaving the premisis.

Why don't you guys just close down the security department and let the folks there fend for themselves.

After reading your posts which display a shocking lack of ownership for this problem, and a defeatist attitude to boot, it's obvious you've picked to wrong vocation.

If you haven't already, please find other work.

I'm not the smart ass whose department has failed numerous times to prevent laptops and other equipment from being carted out of there. You are. So if you're in a mood to hurl insults, find yourself a mirror.

[Calvin Locke]

True, but "A good memory does not equal pale ink". - fortune from cookie.

[endthematrix]

I work in site physical security for FAA. I understand what conservativeharleyguy is saying. We had employees here taking things. When you are denied challenging employees because they are managers or union (yes, unions have plenty of sway) reps or whatever, it prevents you from doing your job - and fear of losing it. Recall that guard in Congress who stopped Cynthia McKinney? The only reason that guard wasn't sacked was because of a post 9/11 world and it was leaked to the media.

One time I challenged a female employee who walked though a temp barricade without ID present. She could not hear my shouts due to highway traffic nearby, so I whistled her attention to stop. She then presented ID and entered the facility to.... complain. I was almost looking at a kind of sexual harassment claim, because of inappropriate whistling. That's the government’s working environment.

[DoughtyOne]

I think that if you'll notice the tone of your note and the tone of the other notes, you'll see why I'm not willing to cut this guy any slack.

I recognize the problems inherent in government programs or policies. What I'm not going to accept is excuses and then hurling insults at me as if I should just sit back in my recliner and keep mum on the subject.

There's no excuse for you being treated the way you were. I see that as a big problem. The woman didn't display her I.D. and you called her on it. What else were you supposed to do to get her attention, other than whistle very loud. I see your actions as appropriate. If you just accepted the verbal reprimand, you'd have to back off checking I.D.s, and that's unacceptable.

When I come to the forum and I voice concern for what is going on at Los Alamos, it doesn't mean that I am focusing solely on the Security Department. If the administration is a part of the problem, I'm just fine with taking them to task. If the security department is part of the problem, I'm just fine with taking them to task as well.

What we have here is a poor security record. How it's repaired I don't care. I do however want it fixed. And if folks like me don't voice loud objections to the way things are going, you won't get support for implementing the programs that need to be implemented, and the pin-head administrators will contine to look the other way.

There's no real need to get defensive about this. We all want the same thing. Frankly, I don't care how it comes about, but it does need to come about, an improvement in security that is...

Thanks for the comments. Honestly, I do understand where you are coming from. I understood where the other guy was coming from as well, but I am not a part of the problem and acting as if folks like me who voice our opinions on this are, is just juvenile.

[conservativeharleyguy]

I'll try this one more time.

Then, if you still don't get it, I guess you just can't get.

It's not a "Security problem", it's a cultural/management problem. Period....

You can have the most stringent rules in the world, and if someone is intent on breaking them, they will break them.

It's what Management does with them when they are caught that counts.

There's not a "Security Department" in this country that has the power, the mandate, or the authority to put anyone in jail.

There's radical difference between an excuse and a reason.

I don't have a defeatist attitude, and I know my job.

But when the public jumps to UNINFORMED conclusions, based on what they read in a biased press, I get my hackles up.

It's ironic, but as a member of this forum, you probably jump at the opportunity to vilify the bias of the leftist press when it suits your beliefs, but then you accept at face value the screed of the same activist press for this issue. That smacks of either duplicity, or an elastic belief system.

Did it even occur to you to wait until the facts are in?

Or that the press may just be on a witch-hunt?

[Centurion2000]

If indeed there really was a compromise of classified matter, and it really is on a "thumb-drive, whoever did it has to have violated numerous policies, procedures, and circumvented at least one physical barrier just to have plugged it in, in addition to introducing an unauthorized removable media device onto a classified computer.

That's not "Security's" fault. It's that person's fault (and maybe their Manager's), and that person should be held accountable.

Do you have a better idea, or are you just talking???

USB and other removable drives should not be operational on a computer containing highly classified information.

That's Security 101.

[DoughtyOne]

I'm writing this reply on a small pda, so if it cuts off abruptly look for more below.

In my first comment on this thread, I raised the question of whether there was even a security department at Los Alamos. I think that most people reading that would take it tongue in cheek. Since you work there, you were not inclined to. I can understand that. On the other hand you're going to have to understand that there's considerable frustration out here, seemingly hearing about another security issue every few months, evev if it's not actually that frequent.

Now, do I think your department is run poorly? Not really. If a poster to a forum like this was to address this issue, they'd more than likely touch on the word and most likely department 'security' in the process. Whether you like it or not, that's just the way it would probably go more often than not when an issue of this sort came up.

I would suggest you would get a lot more congenial responses if you would simply express some of the frustrations those in your department run into, without taking things so personally.

In this instance it's a given that theres a lot more involved than just one department. In government there are many layers of decision making entities. Don't expect folks to address them all when they make a flipant comment on the subject.

Do you reaaly think anyone would list every entity (if possible) when making an unfavorable post on this subject? If you thought about it, I doubt you would.

IMO there needs to be a complete assessment from top to bottom, regarding policies as they affect national security secrets.

Should laptops be allowed on the premesis? Should shfts be staggered and metal detectors utilized? Should polices be reworked and a complete across the board personel review that would see awareness raised, managers held to account for lax enforcement of policies and prosecutions that take place more frequently?

These are not ideas floated in order to slander your department. They are intended as a basis for reworking the whole system from the top to the bottom.

In another post I made some suggestions and you dismissed them. Since they are not solely targeted at your departmet, but instead address issues of policy and management, I'm not sure why you were so negatve.

What policies are in place now, they are not working. Well, in all but a few they actually are. The problem is, the leaks that do happen can be catastrophic. That's why I cannot accept even one. I would suspect you agree with that.

Thanks for the additional comments. Good luck to you.

[conservativeharleyguy]

FYI, I no longer work there. I do the same work at other, similar facilities. I have however, worked at other more "stringent" facilities, and they are generally far, far less innovative when it comes to technical research, so...???

If you think the public's frustrated, there's not a single person, in a Security department of literally hundreds, that hasn't torn their hair out over this kind of thing, if for no other reason than knowing that, once again, they will be collectively blamed by the world for the individual failure of one or two brilliant idiots to adhere to a simple policy or procedure.

I can tell you that the few times when the problem was really with Security personnel, the consequences have generally been quick, harsh, and just. We just don't tolerate it our own ranks. But when the culprit is a world-renowned physicist, then it's hands off Dr. Strangelove.

One of the major philosophical difficulties with any security program is that, in a sense, you really only know that security is working when you catch someone violating the policies, but then it's trumpeted as a failure.

Actually, if you catch the guy that should prove that in reality, the security system works. Right? Not in the public eye, unfortunately. You never know about the ones you don't catch. And, how do you prove a negative?

As for LANL, I still believe that the problem is with the institutional culture (please keep in mind, I think it's fair for me to say that I know far more about the place than you ever will), and the way it's been run. Although, under their new management, that's more than likely going to change. But it's going to hurt for a while.

Also, keep in mind, this latest incident is really a "legacy" problem that just now bubbled to the surface by circumstance (again, you never about the ones you don't catch).

My main frustration here is mostly with the press for hyping anything that happens there way beyond the proportion of the consequences of the actual event.

Unfortunately, a generally uninformed public simply buys into the line that there's a "Security (big "S") problem" at LANL.

For some reason, when other similar laboratories get egg on their faces, they generally get a pass. Go figure, but most of them are run by corporations not universities (LANL is commercial now, so we'll see how they handle this one).

There are a great many people out there who hate LANL (many in the press itself) for everything it stands for (A-Bomb, Defense projects, nuclear operations, etc.), and will do anything to undermine it. A number of them have also made a lot of money (a LOT of money!!), and created whole organizations (which they lead) dedicated to denigrating the institution, and so to most of us, their motives are immediately suspect as a result.

It's a complex problem, and blaming Security will never solve it. It feeds the negativity machine, undermines the institution, and lets the real culprits off of the Hook (another "veiled reference" for those in the know).

But, it does give me something to rant about on the FREEP.

[conservativeharleyguy]

"...USB and other removable drives should not be operational on a computer containing highly classified information....

That's Security 101....

Nope, sorry.." FOLLOW the F*CKING RULES"! is "Security 101", and that's the point I've been trying to make!

BTW, last time I checked, computers containing "highly classified information" at LANL won't accept any removable media, which is one more reason to think this whole story is bullsh*t.