Bellingcat: US Soldiers Inadvertently Leaked Nuclear Security Secrets via Flashcard Apps

Yikes.

For US soldiers tasked with the custody of nuclear weapons in Europe, the stakes are high. Security protocols are lengthy, detailed and need to be known by heart. To simplify this process, some service members have been using publicly visible flashcard learning apps — inadvertently revealing a multitude of sensitive security protocols about US nuclear weapons and the bases at which they are stored.

. . .

However, the flashcards studied by soldiers tasked with guarding these devices reveal not just the bases, but even identify the exact shelters with “hot” vaults that likely contain nuclear weapons.

They also detail intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened and the unique identifiers that a restricted area badge needs to have.

The entire article is well worth a read, especially for the sheer amount of information Bellingcat uncovered, including locations of cameras and backup generators at specific sites, detailed information on equipment carried on bases, and schedules for checking aircraft shelters containing nuclear weapons vaults.

This information was publicly searchable because most of the flashcard/quizzing tools that the soldiers used made content public by default. This is similar to how credentials are inadvertently leaked on GitHub by developers who are apparently unaware of, or misunderstand, the implications of hosting them in public repositories.

One change that would help a lot would be for online applications to default to private and require users to enable public access, rather than the current approach of defaulting to public and requiring the user to intervene to make content private.

For example, although GitHub has been the source of numerous credential leaks, all new personal repositories default to “Public.” The user has to choose the “Private” option manually. This practically guarantees a high level of ongoing leaks at sites such as GitHub.

GitHub did make a change in July 2020 so that all repositories created by users accessing GitHub via an organizational SSO service default to private. So they realize that defaulting to public is a problem. Yet they decided to stick with that behavior for personal repositories, even though a huge segment of GitHub-related credential leaks come from individuals using personal repositories.

This should be unacceptable given the well-known security and privacy problems with this practice.
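Until hosting services fix their defaults, the practical defence on the developer side is to check content before it reaches a repository that may be public. The following pre-commit style scanner is an added example (not code from Bellingcat, GitHub or this post); the token formats it looks for are publicly documented shapes, and the sample input is constructed, with AWS's own documented example key ID.

```python
"""Scan text about to be committed for well-known credential formats.

Added example; the patterns are a small illustrative set and the
sample lines below are constructed, not real secrets.
"""
import re
import sys

# (label, compiled regex) pairs. These match the documented *shape* of a
# token, so the scanner never needs to know any real secret value.
PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub personal access token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("PEM private key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("Hard-coded password assignment",
     re.compile(r"(?i)\bpassword\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]

def scan_text(text, source="<stdin>"):
    """Return a list of (source, line_no, label, redacted_line) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if m:
                # Redact the match so the finding itself cannot leak it
                # into CI logs or chat notifications.
                redacted = line[:m.start()] + "<redacted>" + line[m.end():]
                findings.append((source, line_no, label, redacted.strip()))
    return findings

# Constructed sample resembling a carelessly committed config file.
SAMPLE = """db_host = 'localhost'
aws_access_key_id = 'AKIAIOSFODNN7EXAMPLE'
password = 'hunter2hunter2'
log_level = 'debug'
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    hits = scan_text(data)
    for src, n, label, snippet in hits:
        print(f"{src}:{n}: {label}: {snippet}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit in a hook
```

Wired into a git pre-commit hook (`git diff --cached | python scan.py`), a non-zero exit stops the commit before anything reaches a public default.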

RIAA Uses DMCA To Take Down YouTube-DL Repositories on GitHub

On October 23rd, the RIAA used a DMCA letter to take down the YouTube-DL GitHub repository, along with a couple of dozen forks of the project. As of Friday, 10/23/2020, many of those repositories returned the following message.

Repository unavailable due to DMCA takedown.

This repository is currently disabled due to a DMCA takedown notice. We have disabled public access to the repository. The notice has been publicly posted.

If you are the repository owner, and you believe that your repository was disabled as a result of mistake or misidentification, you have the right to file a counter notice and have the repository reinstated. Our help articles provide more details on our DMCA takedown policy and how to file a counter notice. If you have any questions about the process or the risks in filing a counter notice, we suggest that you consult with a lawyer.

GitHub posted the RIAA’s takedown request letter in its DMCA repository. The letter reads in part,

I am contacting you on behalf of the Recording Industry Association of America, Inc. (RIAA) and its member record companies. The RIAA is a trade association whose member companies create, manufacture or distribute sound recordings representing approximately eighty-five (85) percent of all legitimate recorded music consumption in the United States. Under penalty of perjury, we submit that the RIAA is authorized to act on behalf of its member companies on matters involving the infringement of their sound recordings, audiovisual works and images, including enforcing their copyrights and common law rights on the Internet.

Copyright Violations. We have learned that your service is hosting the youtube-dl source code on its network at the following locations, among others:

. . .

The clear purpose of this source code is to (i) circumvent the technological protection measures used by authorized streaming services such as YouTube, and (ii) reproduce and distribute music videos and sound recordings owned by our member companies without authorization for such use. We note that the source code is described on GitHub as “a command-line program to download videos from YouTube.com and a few more sites.”

We also note that the source code prominently includes as sample uses of the source code the downloading of copies of our members’ copyrighted sound recordings and music videos, as noted in Exhibit A hereto. For example, as shown on Exhibit A, the source code expressly suggests its use to copy and/or distribute the following copyrighted works owned by our member companies:

• Icona Pop – I Love It (feat. Charli XCX) [Official Video], owned by Warner Music Group
• Justin Timberlake – Tunnel Vision (Explicit), owned by Sony Music Group
• Taylor Swift – Shake it Off, owned/exclusively licensed by Universal Music Group

Found on Github: A Dump of All Possible Android Pattern Lock Sequences

Android developer delight.im has a GitHub repo containing a dump of every possible Android pattern lock sequence. (Hint: the pattern lock isn’t a very secure way to protect yourself on Android; then again, Android’s not very secure to begin with.)
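To see why such a dump fits in a single repo, it helps to count the keyspace. The following is an added example, not code from the repo above; it assumes the usual 3x3 grid rule that a pattern uses 4 to 9 distinct dots and that a stroke may only pass over a dot that has already been used.

```python
"""Count valid Android 3x3 pattern-lock sequences (added example).

Assumed rule: a straight stroke between two dots crosses a third dot only
when the midpoint is itself a grid dot, i.e. both coordinate sums are
even. That crossed dot must already be part of the pattern; otherwise
the stroke would stop on it instead.
"""

DOTS = [(r, c) for r in range(3) for c in range(3)]

def crossed_dot(a, b):
    """Return the grid dot lying between a and b, or None if there is none."""
    (r1, c1), (r2, c2) = a, b
    if (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
        return ((r1 + r2) // 2, (c1 + c2) // 2)
    return None

def count_patterns(min_len=4, max_len=9):
    """Return {length: number of valid patterns of that length}."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def extend(path, used):
        if len(path) >= min_len:
            counts[len(path)] += 1
        if len(path) == max_len:
            return
        last = path[-1]
        for nxt in DOTS:
            if nxt in used:
                continue
            mid = crossed_dot(last, nxt)
            if mid is not None and mid not in used:
                continue  # stroke would pass over an unused dot: not allowed
            used.add(nxt)
            path.append(nxt)
            extend(path, used)
            path.pop()
            used.remove(nxt)

    for start in DOTS:
        extend([start], {start})
    return counts

def total_patterns():
    """Total number of valid patterns across all allowed lengths."""
    return sum(count_patterns().values())

if __name__ == "__main__":
    for n, k in count_patterns().items():
        print(f"length {n}: {k:>7}")
    print("total:", total_patterns())  # fewer than the 1,000,000 six-digit PINs
```

The total comes to 389,112, which is smaller than the space of a six-digit PIN, and real-world choices cluster heavily in a fraction of it.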