It's actually more restrictive than the sibling makes it sound. A SCIF can't have any radio-transmitting device, recording device, or storage media without special approval. Computers hooked up to classified networks can't have USB ports. Even medical devices are case by case. My wife requires hearing aids and needed them to be analyzed and approved by a security team before she could bring them in. Pacemakers require approval.
The phones and networks are hardened by being their own separate network from public networks. The lines are all buried and protected and utilize hardware-encrypted point-to-point tunnels to merge with public backbone fiber. I've told an anecdote here many times of working at a facility where AT&T contractors dug too close to a JWICS fiber cable and had an unmarked black SUV show up in minutes to confiscate all of their gear and question them.
Keep in mind the military has been encrypting radio traffic over hostile territory for a century, so they don't even necessarily require the lines themselves to be physically secure as long as the endpoint devices are. Encryption keys are loaded from hardware random number generators that are synced manually on some rotating basis determined by local command or national policy, depending on the intended reach of the comms device. The NSA has something called a key management infrastructure for the wide-area computer net that replaced the legacy system a few years ago that is similar to PKI, but keys are only issued in person and stored on unnetworked hardware key loaders that are kept in locked arms rooms on military installations (or with deployed units). There is, of course, also a DoD and IC PKI so they can still develop and use regular web applications and browsers, but it is also more restrictive than regular PKI. Everything requires client certs and mutual TLS, and you need to be personally sponsored to get your personal certificates.
It's actually really cool the way the JWICS websites work because your client cert provides an identity that is linked to your sponsoring agency's clearance database and web apps automatically redact content on the server side that you are not cleared to see. It's possible I'm making up memories but I think I've seen at least a few cases where some applications can do this inside of a single page, but typically you get a denial for an entire application if you're not cleared for the highest level data it provides.
I almost hate to say it because it's antithetical to the Internet and Hacker News ethos, but it's a testament to how well networked applications could work with a central authority and no anonymity. You don't need passwords. Accounts are provisioned automatically. SSO is global to the entire network. You only need one identity. But no, your office can't have Alexa.
> I almost hate to say it because it's antithetical to the Internet and Hacker News ethos, but it's a testament to how well networked applications could work with a central authority and no anonymity. You don't need passwords. Accounts are provisioned automatically. SSO is global to the entire network. You only need one identity. But no, your office can't have Alexa.
I don't think it's necessarily a dealbreaker if you consider this: from a purely technical standpoint, there's nothing really stopping anyone from setting up a certificate authority; the only issue is getting service providers to trust it enough to accept those client certs as sufficient identification. I could easily imagine a world where I receive an "official" client cert from a government (which I can use to thoroughly prove my identity if needed) as well as several "pseudonymous" certs from various other CAs that I may use from time to time.
The main difference between CAs would be the kind of attestations they provide for a given certificate holder. For example, I could imagine a CA which (for example) is set up to attest that any holder of a certificate signed by them is a medical doctor, but will not (by policy) divulge any additional information.
Or perhaps a CA which acts as a judge of good character; they may issue pseudonymous or anonymous certs, but provide a way for application owners to complain about the behavior of a user presenting that cert.
I'm sure there are plenty of holes that can be poked in this model but I don't think it'd be completely out of the question?
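The two comments above describe the same machinery from two sides: the first, a server that takes the identity from a mutual-TLS client cert, looks it up in a clearance database and redacts on the server side; the second, a set of independent CAs each trusted to attest exactly one thing (real identity, "is a medical doctor"), some of them issuing pseudonymous certs. The Go program below is an added example written for this page, not code from either commenter or from any real PKI. It builds two toy roots, issues a real-name cert and a pseudonymous cert, and on the relying-party side validates the chain and then honours a claim only if the root that signed the cert is trusted for that particular claim. Assumptions, all made up for the example: the CA names, the "alice"/"pseudonym-7" subjects, carrying the attestation in the subject OU (a real design would more likely use a dedicated extension), and an in-memory map standing in for the sponsoring agency's clearance database. The issuer does no revocation and no vetting of subjects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue mints a 24h P-256 certificate for subject: a self-signed root when parent
// is nil, otherwise a client-auth cert signed by parent whose attestation (claim)
// is carried in the subject OU. Toy issuer: no revocation, no vetting of subject.
func Issue(subject, claim string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if parent == nil {
		parent, parentKey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.Subject.OrganizationalUnit = []string{claim}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Section is a page fragment; Needs is the claim a reader must hold ("" = public).
type Section struct{ Text, Needs string }

// RelyingParty is the application server once mTLS has handed it a client cert.
type RelyingParty struct {
	Roots      *x509.CertPool
	VouchesFor map[string]string // root CN -> the single claim that root may attest
	Clearance  map[string]string // subject CN -> clearance; stands in for the agency database (constructed)
}

// Claims validates the chain, honours the cert's OU claim only if the root that
// signed it is trusted for that claim, and consults the clearance table only when
// an identity root vouched for the subject. Certs from unknown roots fail Verify.
func (rp *RelyingParty) Claims(cert *x509.Certificate) (map[string]bool, error) {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: rp.Roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return nil, err
	}
	allowed := rp.VouchesFor[chains[0][len(chains[0])-1].Subject.CommonName]
	claims := map[string]bool{}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if ou != "" && ou == allowed { // a claim the signing root may not make is ignored
			claims[ou] = true
		}
	}
	if c := rp.Clearance[cert.Subject.CommonName]; claims["identity"] && c != "" {
		claims[c] = true
	}
	return claims, nil
}

// Render is the server-side redaction: sections whose claim the caller lacks never
// leave the server (a nil claims map renders only public sections).
func Render(claims map[string]bool, page []Section) []string {
	var out []string
	for _, s := range page {
		if s.Needs == "" || claims[s.Needs] {
			out = append(out, s.Text)
		}
	}
	return out
}

func main() {
	gov, govKey, _ := Issue("Gov Identity CA", "", nil, nil)
	board, boardKey, _ := Issue("Medical Board CA", "", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(gov)
	roots.AddCert(board)
	rp := &RelyingParty{Roots: roots, Clearance: map[string]string{"alice": "secret"},
		VouchesFor: map[string]string{"Gov Identity CA": "identity", "Medical Board CA": "medical-doctor"}}
	page := []Section{{"public notice", ""}, {"secret material", "secret"}, {"clinical detail", "medical-doctor"}}
	alice, _, _ := Issue("alice", "identity", gov, govKey)                // real name, clearance looked up
	doc, _, _ := Issue("pseudonym-7", "medical-doctor", board, boardKey) // pseudonym, attestation only
	for _, c := range []*x509.Certificate{alice, doc} {
		claims, err := rp.Claims(c)
		fmt.Println(c.Subject.CommonName, Render(claims, page), err)
	}
}
```

The point to take from running it: trust is scoped per root, not per claim string. If the government CA issues a cert whose OU says "medical-doctor", or the medical board issues one whose CN is "alice", the relying party ignores the claim because that root is not the one it trusts for it, so the board cannot manufacture clearance and the identity CA cannot manufacture a medical licence; a cert from a root outside the pool never gets as far as claim extraction because chain validation fails first. In a real server the certificate would come from the TLS layer's verified peer chain rather than being passed in directly, and the issuer would need revocation, which this toy omits.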