17 March 2010

AKO Rehab

Yesterday’s tirade against Army Knowledge Online’s (AKO) personal security questions briefly touches upon a much larger issue concerning the US military’s information technology systems. Time and time again, I find myself turning to commercial applications instead of military-designed programs for productivity.

In 2005, I took part in the massive relief effort in New Orleans following Hurricane Katrina. When I couldn’t get detailed maps of New Orleans with the US military’s Falcon View program, I turned to Google Earth, which offered 3-D imagery of New Orleans taken just hours after the hurricane struck. Google Earth has been so popular among aviators that a C-17 pilot, “Reach 364”, created an application which linked the military’s flight planning software with Google Earth.

More recently, I’ve turned to Facebook to keep my friends and family abreast of my escapades. In doing so, I’ve forgone the Army’s official “Virtual Family Readiness Groups”, which require families to overcome so many authentication hurdles that many simply give up on registering. I’ve even started to rely on Gmail—which offers gigabytes of storage and great compatibility with mobile devices—instead of the US Army’s AKO network.

The recent addition of personal security questions—which complement the 10-character passwords and Combined Access Card credentials—only frustrates service members, many of whom are simply ignoring AKO altogether. To them, the military’s paranoia over operational security (“OPSEC”) simply impedes legitimate information flow. In many ways, this parallels ISAF’s difficulty in communicating strategically in Afghanistan, with declassification procedures proving so cumbersome that Taliban forces are often able to report on battlefield events more quickly than the world’s most technologically advanced nations. (More here, here and here)

But you don’t have to take my word on the Department of Defense’s IT systems. A recent poll on Army Knowledge Online asked “How do you log into the AKO Portal (i.e., files, pages and groups) or into AKO Webmail?” One user appropriately responded:

I'm perplexed at why AKO posted this poll. Doesn't AKO have network monitoring software that can gather the statistics posed by the poll question?

Very true, but, of course, the question was designed to spur some comments on AKO’s login procedures. So, let’s ask again, how do you log in to AKO?

How do I log into the AKO Portal? PAINFULLY!

Want specifics? Over seventy replies so far are nearly unanimous in their loathing of AKO's new login procedures, and many loathe AKO in general. This isn't just the proverbial tilting at windmills; many of these are legitimate grievances. Take a look:

(Ed. note: A “CAC” is a “Combined Access Card”, which is a service member’s military ID, embedded with a small microchip. This chip allows them to log in to government computers, after inserting the card into a special “CAC Reader”.)

AKO is on the verge of becoming obsolete. With the continued strive to emplace more security restrictions (KBA questions) on the "Home" user and the overall annoyance with the hassle of logging you out every 30 minutes or so, AKO has managed to annoy a majority of its users. Remember AKO, the only reason we have this account is because the Army mandates that we have one. If they took away the option, Yahoo and Google would facilitate the Army's digital traffic with less hassle. Stop with the added security and ridiculous questions. There is no information on this low of a security level server to compromise any National Security issues.

I will continue on the theme voiced by everyone else who has posted: AKO is too hard to access. CAC card login is starting to be extremely painful. I am a National Guard Soldier and work in the Financial Aid office at a local College. I just had a student come in trying to get VA benefits and did not have their Notice of Eligibility. I could have got that Soldier on IPERMS, printed it off and resolved the problem, but now IPERMS takes CAC log in. So now this Soldier has to drive 2 hrs to get to the Operations Sergeant (because they don’t have a CAC card reader at home) just to get on the computer and print off one piece of paper in order to get [VA] benefits.

The extra feature of the KBA questions makes logging into AKO a bigger headache than it is worth. A strong password is fine to protect my information, and having knowledge based questions as a reference for the help desk to use to identify me if I forget my password. But having to answer them every time I log on to AKO is ridiculous. Please let's do away with it and go back to how it was before.

As a National Guardsman, the belief that we could take a CAC reader home, install it and be good to go was complete idiocy. Logging in with the CAC, as noted above, is a major hassle. In my unit, we often have to take an entire day just to get our NCOs' CACs and AKO logins fixed - unacceptable. Our higher headquarters has mandated that we will use MyForms (FCMS) to process all NCOERs and use digital signatures - virtually impossible without a working CAC card reader.
Not only has AKO become unreasonably difficult to access, but going into MyPay I have to click on the terms of agreement every time. Why?...AKO is the most non-user friendly interface ever designed! Do the Army and its soldiers a huge favor and contract out the AKO development with someone who has a clue… Or better yet, just kill the program and get Yahoo to make us one that works!

Bottom line up front the geek squad at AKO needs to stop trying to justify all of the security garbage by crying OPSEC…regular AKO, the one most of us use does not need to be so secure. We already have to input a new password in excess of 10 characters every 6 months, just to turn around and answer 3 or more silly security questions!

Why does AKO require so many (15) questions? This is the most of any log-in site that I've seen. I don't think it provides any real security, since I have to write down the questions and answers, which of course, could fall into the wrong hands. Also, the "favorites" form of question is not the best, since favorite things change over time for most people. Permanently defined/unchanging categories are better, such as "What is your first wife's middle name?"

I can never get the CAC reader to work with FireFox.

I cannot stand the new KBA questions. You are required to select nearly all of the questions and then come up with an answer for the questions. The reality is that I did not have an answer for 90% of the questions and now I keep forgetting what my answers are for the KBA. Only a few do I know every time.

We are told that the KBA questions are to protect us from identity theft and that we should not share the answers with anyone. If you were truly interested in protecting soldiers from ID theft, you would not require them to give up yet more personal information to be stored in a venue outside of their personal control on a database that is at risk of being hacked or compromised. The more personal information that a soldier provides, the greater their risk of ID theft and that makes the KBA questions part of the problem, not part of the solution.

Since the KBA questions are out of the question for me, I am only able to use CAC log-in, and then only when I am at the one machine that will consistently handle my CAC card. However, since I also live 300 miles from the ID card facility, there have been several times when my card has failed/broken and I am left without AKO access for extended periods until I can get to a location that will re-issue or reset my CAC card.

To be useful, AKO log-in must utilize readily available technology that does not require me to compromise personal information and is available on every computer (not just military) or is issued to every soldier BEFORE it is implemented.

I won't be utilizing AKO any longer. The KBA questions are over the top, and ridiculous. I purchased a CAC reader at my own expense, and as I'm now retired I no longer have the ability to use the reader. Thanks a lot. It only took 2-3 hours of my time researching the web to find everything I needed to set up the CAC reader. You guys can't even get my rank correct. After 23 years of service, is it too much to have 1SG on my profile versus MSG?

The bottom line is that the system is so "secure" that legitimate users are unable to easily access their information. I think the problem might be that the people who design, maintain, and upgrade the system work in offices in fully technology-integrated locations, and they have lost touch with the conditions most Soldiers actually live in. Only a small percentage of all Troopers actually access AKO through government-provided ISs, but the vast majority who access AKO from non-government ISs do not even have an option to have a card reader for CAC access.

As a company commander in the Army Reserve, I can tell you that the majority of my 171 Soldiers do NOT check AKO unless it is drill weekend. So they miss out on the company newsletter and -- more importantly -- their own medical readiness. Most of my Soldiers were unaware of the medical readiness "stoplights" on the AKO main page because they never log in. That's one reason why my medical readiness is so low.

AKO has become a secondary e-mail system for me. As a reservist, accessing AKO is a real pain. I finally broke down and bought a CAC card reader for my personal computer, only to find it doesn't work (apparently) because I use Windows Vista. So, I'm back to the weekly (or is it bi-weekly?) password bingo game I have to play…After my ETS, AKO will rank right up there with the new ACU's as things I'll miss LEAST about the Army.

It is a good thing for AKO membership that theirs is a captive audience. If I had a commercial alternative, I would leave AKO forever. Between the absurd password requirements and the inane KBA questions which I never remember, it is getting nearly impossible to actually use the site without a CAC.

I see personnel now finding ways to circumvent these "good intentioned" security measures by committing the most fundamental security violations. Some people have just taken to adding a serial number on the end of their password, which they just bump up by 1 every time they have to reset their password. (Example: PA$$word01 becomes PA$$word02 and so on...) The other common security violation I hear about is writing down their KBA questions and answers. It's like hiding the arms room key under the mat because it's such a pain in the --- to get the key properly.

One of the things always brought up in IA training is how much of a threat is posed by disgruntled insiders. This is a perfect way to create those disgruntled insiders.

I understand the intent of the KBA questions is 1) to make it harder for hackers to get into your account and 2) to make it a hassle for users to access AKO without their CAC in order to push the CAC login. However, I have a Macintosh, and my CAC reader currently doesn't work (had it working for a while but currently won't work). Until AKO starts providing Mac support, I won't be able to use my CAC at home. Ironically, I'm currently using my personal Mac laptop in a multi-national operation (wasn't assigned a computer by my deployed unit) so I'm accessing AKO for work purposes daily without CAC access.

Yeah, but can the guy on the right use a CAC to log into AKO?

All this from the military that uses CD-ROMs to transport data, having banned USB drives. (Edit: has this policy since been rescinded?). Don't even get me started on AKO's attempts to create a Web 2.0-style environment. Sorry, but why would I go through the hassle of logging in and reading an AKO blog when I have far more awesome blogs popping up in my Google Reader feed all day long? And the social networking function that few people use? Sorry, but I don't use social networking sites for work. I use them for more, erm, primal reasons. Hate to say it, but I'm not trying to score off of the women of AKO. I know I can't be alone on that one.
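The "bump the counter" rotation the AKO users above describe (PA$$word01 becoming PA$$word02) is something a password-change service can detect and reject at the moment of rotation. The check below is an added example, not code from the post or from AKO; the 10-character minimum comes from the post, while the similarity threshold (0.8) and the "small step" limit (5) are assumed values.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 10  # minimum length the post attributes to AKO passwords


def _split_suffix(pw):
    """Split 'PA$$word01' into ('PA$$word', '01'); no trailing digits -> (pw, '')."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    return (m.group(1), m.group(2)) if m else (pw, "")


def is_sequential_rotation(old, new, max_step=5):
    """True when `new` is `old` with its trailing counter bumped by at most `max_step`."""
    old_base, old_num = _split_suffix(old)
    new_base, new_num = _split_suffix(new)
    if old_base != new_base or not (old_num and new_num):
        return False
    step = int(new_num) - int(old_num)
    return 0 < step <= max_step


def check_rotation(old, new, min_length=MIN_LENGTH, max_similarity=0.8):
    """Decide whether `new` may replace `old`. Returns (accepted, reason).

    The ordering matters: cheap exact checks first, the pattern check next,
    and a general similarity ratio (assumed threshold) as the catch-all so that
    'PA$$word01' -> 'PA$$word11' is still refused even though the step is > 5.
    """
    if len(new) < min_length:
        return False, f"shorter than {min_length} characters"
    if new == old:
        return False, "unchanged"
    if is_sequential_rotation(old, new):
        return False, "old password with an incremented counter"
    # Case-insensitive so that PA$$word02 vs pa$$WORD02 is not a 'new' password.
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio >= max_similarity:
        return False, "too similar to the previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample rotations; the first one is the pattern quoted in the post.
    for old, new in [("PA$$word01", "PA$$word02"),
                     ("PA$$word01", "PA$$word11"),
                     ("PA$$word01", "correct horse battery")]:
        print(old, "->", new, check_rotation(old, new))
```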


Unknown said...

Military personnel using social media should take care that they don't implicate themselves online in having violated the UCMJ or other laws. Although the caption "Photo taken by Starbuck" could be construed as a failure to obey a lawful order, it is not nearly as egregious as what the following young man did:

Cops: Burglar logs into MySpace on store computer

Friday, March 19, 2010

Kennewick, Wash. (AP) -- A burglar who spent about five hours on a store's computer after breaking into the business gave police all the clues they needed to track him down. Investigators said the 17-year-old logged into his MySpace account while at Bella Office Furniture and that made it easy for them to find him. He also spent time looking at pornography and trying to sell stolen items, all while using the business' computer.

He was arrested Tuesday and charged with first degree burglary. Kennewick Police said he helped officers recover a cell phone stolen in the break-in.

Anonymous said...

The DoD is much better at keeping out legitimate users than keeping out unauthorized users.

I'm a reservist. Every drill weekend I get to hear from our First Sergeant in formation, "CHECK YOUR AKO EMAIL, THERE'S IMPORTANT STUFF THERE!" The problem is having to change your AKO password every 150 days, and you have to have a CAC reader. Well, very few TPU soldiers have AR computer access, and they don't have a CAC reader at home. Also, why should any soldier be expected to use their personal gear in lieu of government equipment? I know it's the reality of being a soldier, but that doesn't make it right.

Let's not get started on their "easy-to-use" unit pages or their web 2.0 silliness.

sweerek said...

Congrats on making Wired.com.

The US Air Force Research Lab at spi.dod.mil offers a simple Linux LiveCD that has a CAC-enabled Firefox browser, but it doesn't install anything nor even spin your hard drive. You can now get into CAC-restricted sites on almost any computer. As seen on the AF Portal, Lightweight Portable Security (LPS-Public) is free. See http://spi.dod.mil/LPS-Public_for_DoD.htm