Why Petraeus Should Still Run the CIA (and 3 Lessons from His Downfall)

Let’s make one thing clear: David Petraeus should not have been forced to resign. I honestly have no idea how good he was at leading the CIA. However, given his track record in the military there’s no reason to think he was anything less than competent, and competent people seem to be in rather short supply these days.

He had an affair, which is a breach of a CIA regulations that say adultery is okay…as long as the agency and the spouse know about it. The regulations were put in place ostensibly to prevent a CIA employee from being blackmailed. This is the same ostensible reason for keeping gays out of the military, and we all know how well that worked.

I suggest the CIA adopt a new policy of, “We don’t care.” If blackmail really is the primary concern then this would solve that problem just as letting gays serve openly in the military has done. The military, which also makes adultery a firing offense, should adopt the same policy.

This is an astonishingly bizarre moral code to impose on spies and soldiers. Do you know what they do for a living? They make decisions about life and death–some of which involve killing other people. So it’s okay to kill but not to have sex out of wedlock? Whiskey Tango Foxtrot! (Under these rules we would have been denied the services of Gen. Dwight D. Eisenhower who, when he was in England, did not do much to hide his affair with Kay Sommersby.)

Okay, enough ranting and raving, and back to the subject at hand: What everyone can learn about IT security from this whole piece of stupidity.

1) Never write down what can be said, never say what can be indicated.

It is sad that the CIA director apparently never learned the most basic piece of spy tradecraft.

Never, ever write down anything–especially on a computer–that you wouldn’t want on the front page of Google News. In Petraeus’s defense very few people ever put this into action, a fact for which journalists are eternally grateful.

2) Assume there is no anonymity on the web.

Next, while it’s not impossible to do email anonymously it is so difficult that you might as well just assume that it is. Remember Petraeus and Paula Broadwell, who has a Ph.D in counterterrorism, tried to do it and failed.  If you start by assuming there is no anonymity on the Web you will have a better chance at achieving and maintaining operational security.

According to the Associated Press, “Petraeus and Broadwell apparently used a trick, known to terrorists and teenagers alike, to conceal their email traffic.” And teenagers?!? That is not a good indicator for success. In addition to creating the e-mails under false identities,

“Rather than transmitting emails to the other’s inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder or in an electronic “dropbox,” the official said. Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail that is easier to trace.”

This came undone when FBI agents, performing what may have been the Bureau’s first-ever probe of online harassment, used location data from harassing e-mails sent to “Tampa socialite Jill Kelley” and the e-mail account from which they were sent to figure out that the sender was Broadwell. This lead them to search other e-mail accounts owned by Broadwell, including a Gmail account, which led them to the affair with Petraeus. That amazingly thorough investigation is especially impressive when you realize no laws were broken by anyone who was being investigated.

3) Use a password that’s at least 9 characters long.

Broadwell appears to have been a subscriber to the “private intelligence” firm Stratfor whose logins and hashed passwords were hacked and released last year by Anonymous. Inside the file is data for paulabroadwell@yahoo.com, whose hashed password is listed as “deb2f7d6542130f7a1e90cf5ec607ad1.” Underneath all that hash is a password that’s eight characters long, a close-to-but-not-quite perfect length.

Security researcher Robert David Graham says that Broadwell’s password was a good one that resisted obvious dictionary attacks. Graham did break it eventually using a brute-force attack that tried every letter and number combination in existence, running 3.5 billion combinations per second against the password until he found it.

Broadwell’s eight character password took 17 hours to crack, not bad and certainly long enough to deter many hackers. However, “time to crack” increases dramatically as password length increases. So another digit or two can make a huge difference for security. As Graham said, “Had her password been one character longer, I wouldn’t have cracked it.”

And, of course, don’t use the same password for more than one account.