Date: 10 Dec 1980 1454-PST
Sender: GEOFF at DARCOM-KA
Subject: DOE Flap
From: the tty of Geoffrey S. Goodfellow
To: ARPA-PROTEC at MC, Human-nets at AI
Message-ID: <[DARCOM-KA]10-Dec-80 14:54:58.GEOFF>
Reply-to: Geoff @ SRI-KA

No More `Star Trek' on CPU
Computer Security Tightened at Sandia Labs

by Jake Kirchner, CW Washington Bureau, Washington D.C.

Federal auditors have all but closed the books on an investigation into unauthorized computer use by employees of a government nuclear weapons research center in Albuquerque, N.M.

Although it has not done a follow-up study, the Department of Energy (DOE) said recently the Sandia Laboratory has taken "commendable" steps to beef up computer security following revelations of widespread problems at the facility.

The DOE Inspector General's office here revealed last month it had found more than 200 Sandia employees had stored a total of 456 unauthorized files on one of the facility's Control Data Corp. systems.

The laboratory, operated for the government by Western Electric Co., performs nuclear weapons research and development and conducts research projects in such areas as solar and wind energy. Although the lab does classified work, the time-shared CDC 6600 system involved was used for unclassified projects.

DOE Investigation

The DOE investigation began a year ago when the Federal Bureau of Investigation informed the department it had found one of Sandia's employees using the CDC system to help local gamblers run a bookmaking operation.

The employee was fired and a subsequent audit found hundreds of rather routine, although unauthorized, files that included several hundred games, such as Star Trek and Adventure, as well as poetry, jokes, personal letters, a beer collection catalog and bowling team rosters.

About half the offending employees disregarded an initial warning to purge the files of unauthorized data and were later reprimanded, according to DOE.

One of the "most disturbing findings," the DOE said, was that a so-called "bomb book" was on the system and accessible to all users. This file contained numerous nuclear test shots. While not classified, the bomb book was considered sensitive and was later removed from the system.

This problem and other findings of the investigation raised questions about Sandia's overall computer security procedures. The DOE investigators found, for example, that "a common practice at Sandia was to share passwords among staff people." Also, passwords were changed only once a year so that a person leaving Sandia employ could still access the computer system using another person's password.

Another problem was with physical security. DOE said its auditors observed no security checks on briefcases or packages carried by Sandia, DOE or contract employees.

Policy Directive

Following the DOE investigation, Sandia issued a policy directive stating any use of a facility computer must be for official work.

DOE also advised Sandia employees that personal or improper use of the computers would result in disciplinary action. Employees were further reminded that misuse of government property is punishable by fine, imprisonment or both.

DOE called for better recordkeeping of computer security guidelines to employees, as well as periodic random sampling of computer files to make sure no authorized data is being stored.

-------

Date: 11 Dec 1980 0338-EST
From: Walter Newswriter
Subject: Boffin Flap
To: ARPA-PROTEC@MIT-MC

COMPUTERVISION, December 10, 1984

No More Aspirin at Work Desk
Security Tightened at Boffin Labs

by Walter Newswriter, PAP News Bureau, Washington D.C.

Federal auditors have all but closed the books on an investigation into unauthorized desk contents by employees of a government research center in Yourtown, U.S.A.

Although it has not done a follow-up study, the Department of Ultimate Bombastic Bona-Partism (DUMBB) said recently the Boffin Laboratory has taken "commendable" steps to beef up desk security following revelations of widespread problems at the facility.

The DUMBB Inspector General's office here revealed last month it had found more than 200 Boffin employees had stored a total of 456 unauthorized items in desks issued to them by the facility.

The laboratory, operated for the government by an unnamed energy magnate, performs research and development and conducts research projects in such areas as solar and wind energy. Although the lab does classified work, the desks involved were used for storing unclassified items.

DUMBB Investigation

The DUMBB investigation began a year ago when the Federal Bureau of Investigation informed the department it had found one of Boffin's employees using a calculator normally stored in the top desk drawer to help local gamblers run a bookmaking operation.

The employee was fired and a subsequent audit found hundreds of rather routine, although unauthorized, desk contents that included several hundred decks of cards, such as Bridge and Pinochle, as well as aspirin, candy, personal letters, a beer collection and bowling team rosters.

About half the offending employees disregarded an initial warning to purge their desks of unauthorized items and were later reprimanded, according to DUMBB.

Policy Directive

Following the DUMBB investigation, Boffin issued a policy directive stating any use of a facility desk must be for official work.

DUMBB also advised Boffin employees that personal or improper use of the desks would result in disciplinary action. Employees were further reminded that misuse of government property is punishable by fine, imprisonment or both.

DUMBB called for better recordkeeping of desk security guidelines to employees, as well as periodic random sampling of desk drawers to make sure no authorized items are being stored.

------- -------