Office of Personnel Management Says Hackers Got Data of Millions of Individuals

nytimes.com

109 points by mrmaddog 10 years ago · 85 comments

murbard2 10 years ago

And yet, tomorrow they'll have no qualms making the case that, of course, the government can securely keep backdoor keys to investigate encrypted communications.

  • mpyne 10 years ago

    Have the secret backdoor keys for Dual EC DRBG leaked yet? Nuclear launch codes and authenticators?

    Analogies are useful but don't get carried away, especially when talking about something as broad as "the government" (as if it were one singular thing). The fact that a BLM federal officer lost his firearm doesn't instantly mean that all of our Tomahawk cruise missiles are next to be stolen.

    • Lx1oG-AWb6h_ZG0 10 years ago

      What the hell are you on about?

      The closest thing to the proposed encryption backdoor is the clipper chip proposal of the 90s, and that did have severe vulnerabilities that the authors completely overlooked.

      And I'd recommend you watch John Oliver's segment about nuclear launch codes to recalibrate your trust in those officials. We've come scarily close to Armageddon multiple times over the last few decades, which was prevented only by sheer dumb luck. Just because it's the scariest thing known to man doesn't mean the people responsible for it aren't incompetent.

    • hdevalence 10 years ago

      Why do we think they haven't been stolen? Why do we think that the OPM was the first or the biggest or the most valuable attack, and not just the biggest one that happened to be noticed?

      The fact that a BLM officer lost his firearm doesn't instantly mean that all the cruise missiles are next, but yes, the fact that the USG is unable to maintain sensitive records of twenty million cleared personnel does say something about their ability to keep secret information safe.

    • CamperBob2 10 years ago

      These would be the nuclear launch codes that were set to 00000000?

      http://gizmodo.com/for-20-years-the-nuclear-launch-code-at-u...

      No thanks.

    • yuhong 10 years ago

      I think the decrypted data would probably be an easier target.

  • metaobject 10 years ago

    I was listening to the Senate hearing on Wednesday where they were asking the FBI director questions about this issue. They were talking about how they need to include the tech community in the conversation about how to best solve the problem of making sure the govt can access encrypted messages, etc. when they're conducting an investigation.

    Senator McCain started asking questions about how it was possible to maintain citizens' privacy, but at the same time be able to access private data. Then he made it clear what his feelings were on the subject. Basically, his argument boiled down to "But, ISIS!".

    "Is ISIS trying to kill Americans?", he asked the FBI director. The director said "yes". Then he said that b/c of ISIS, the govt has to be able to access keys so they can read encrypted data.

    • itistoday2 10 years ago

      Well, "But, ISIS!" is not a real argument, that should be clear.

      Backdoors make the situation worse, not better. We'll still have ISIS, we'll be even less secure, and we'll have lost whatever is left of our right to privacy.

      Pretty much a lose-lose for everyone involved (except maybe ISIS).

      The answer to "But, ISIS!" is not backdoors, it's foreign policy.

      • metaobject 10 years ago

        Yeah, he sounded very out of touch and demonstrated very little understanding of the implications of having a government backdoor.

      • rhizome 10 years ago

        US Foreign Policy is not considered to be a matter for democratic concern and consideration. Any time it's brought up as a reason, it's always to be translated to "because we said so and we're the only ones who have the power to affect it."

  • dikaiosune 10 years ago

    US Gov isn't a monolith. Interesting to think about in light of all of the recent articles on HN about the challenges of building out microservices or SOA. Just with human action instead of 10gig fiber, eventual consistency takes a lot longer, if it ever happens.

    • murbard2 10 years ago

      You're right, it's not. More attack surface area.

      Sure, you could in theory have a highly distributed system with multiple keys, but then you can't use it day to day for monitoring communications, which is the whole purpose of the backdoor.

      The government may be able to keep the nuclear codes safe in such a fashion, but it wouldn't if ten different government agencies wanted to use them on a daily basis.

    • tsotha 10 years ago

      Security is a hard thing for large organizations. Much of the time they simply don't have the expertise they need to know what their vulnerabilities are.

  • themartorana 10 years ago

    With a straight face. The cognitive dissonance is strong.

  • a3n 10 years ago

    Half of us came here to say this.

    We should keep saying it to our reprehensatives in Congress.

fixermark 10 years ago

No surprises there.

I get deeply frustrated (though I understand where they are coming from) when governments make the argument that they can't take advantage of this or that cloud service because the service's security isn't vetted. Clearly, the security in the backing systems owned by the government isn't sufficiently vetted either, so they're sacrificing velocity for non-security.

I know, it's a flippant attitude. Blame a lousy day. ;)

  • comrade1 10 years ago

    There's quite a bit of U.S. government on Amazon cloud. Using a cloud service doesn't magically give you better security.

    This is more an indication of the NSA focusing too strongly on offensive/monitoring operations and not on information security, which is their job as well.

    • bhauer 10 years ago

      > This is more an indication of the NSA focusing too strongly on offensive/monitoring operations and not on information security, which is their job as well.

      This is precisely how I feel about this kind of thing.

      To my mind, the NSA should be working to make the security technologies used by American individuals, American companies, and the American government as strong and as free of vulnerabilities as possible. The necessary degree of transparency would, of course, mean any such improvements would be available to anyone in other countries, but I think that situation is far superior to our current climate where we suspect (and not as wild conspiracy theory) that our vulnerabilities were as likely created by the NSA as not.

      Many American individuals—and presumably companies—consider the NSA an adversary simply because these individuals value their privacy and the NSA has shown only hostility toward Americans concerning their privacy. In some alternate universe, my own opinion of the NSA could have been positive had they been an agency focused on decreasing the risk of individuals' privacy being compromised.

      At the very least, that they are not (apparently) presently sufficiently charged with assisting other branches of the government maintain security is a misallocation of talent.

      • irishcoffee 10 years ago

        > To my mind, the NSA should be working to make the security technologies used by American individuals, American companies, and the American government as strong and as free of vulnerabilities as possible.

        Didn't NSA develop SELinux?

        Edit: Heh, let's all avoid the fact that NSA created something insanely useful for the entire world. Nobody likes to think about these things. Hating is so much easier.

        • bhauer 10 years ago

          Yes, and for a time that was great. That and more is what they should be doing!

          Instead, they have thrown away any trust and respect they had earned. Now they are feared.

    • scott_s 10 years ago

      fixermark was not claiming that cloud services would give better security, but that it's probably no worse.

    • mpyne 10 years ago

      Network security is not NSA's job. Nor is information security. Communications security is, but only for "national security information" (i.e. classified) and military communications.

      Defense against "cyber attack" isn't even NSA's job, and where NSA participates in such endeavors that's on .mil, not .gov

      DHS does have responsibility for cyber security on .gov however. But what is DHS supposed to do if OPM decides to throw open the keys to the kingdom to any random "authenticated" contractor handling background checks?

      P.S. NSA might somehow have caught this despite everything I mentioned if they were engaged in better "monitoring operations" on other government networks and international communications relays... is that really what you want?

      • irishcoffee 10 years ago

        > NSA might somehow have caught this despite everything I mentioned if they were engaged in better "monitoring operations" on other government networks and international communications relays... is that really what you want?

        I can think of a few million people who might have, yeah.

        • mpyne 10 years ago

          Don't get me wrong, I'd sign up for it if the alternative is 20+ million records of private data in the hands of an unfriendly state. But then I don't think that NSA is Literally Satan™ either.

          • irishcoffee 10 years ago

            Apologies if I came off as snarky, I was in a bad mood. People want their privacy, and they also seem to "deserve" a reason why Victoria was fired from reddit. This un-acknowledged dichotomous ideology confuses me.

      • comrade1 10 years ago

        It's part of their information assurance program. https://www.nsa.gov/ia/index.shtml

        • mpyne 10 years ago

          Did you read the page you linked?

          Try clicking on the "About IA at NSA" link and you'll find out what NSA means by "Information Assurance":

          > NSA's Information Assurance Directorate (IAD) protects and defends National Security Information and Information Systems, in accordance with National Security Directive 42. National Security Systems are defined as systems that handle classified information or information otherwise critical to military or intelligence activities.

          Or in other words, what I just said...

    • arh68 10 years ago

      > information security, which is their job as well.

      Is that really their job? It seems there might be a dozen other agencies responsible, ones less interested in foreign computer networks. Is that DISA's bailiwick? Perhaps NIST? Homeland Security? et cetera

      • comrade1 10 years ago

        https://www.nsa.gov/ia/index.shtml

        Information assurance. Products and services for government and businesses.

        • mpyne 10 years ago

          Which if you click further around in that section of the NSA website, you'll find that NSA is only talking about information assurance of classified and sensitive military information, not any information handled anywhere in the government.

      • speeder 10 years ago

        NSA's name is National SECURITY Agency.

        The agency that deals with intelligence (espionage) is the CIA, and the CIA do have their own cyber espionage systems, NSA not only is not doing their actual job, but they are being redundant.

        • mpyne 10 years ago

          You have no understanding of how work is dispersed within the U.S. intelligence community.

          Which is fine, of course, but why are you trying to speak as if you have authoritative knowledge?

          You say that NSA is responsible for cybersecurity within an HR agency because their name has "SECURITY" in it, and as far as I can tell this is meant completely seriously. So should NSA also be responsible for the military defense of the nation since their name has "SECURITY" in it? Should they regulate financial markets because their name has "SECURITY" in it?

          In case you wish to know, NSA is responsible for (among other things) 'SIGINT' and 'ELINT'. CIA is responsible for 'HUMINT', 'OSINT', and many other fun things.

          Both the NSA and CIA are foreign intelligence agencies, mostly due to historical accident. And of course there's an entirely separate DIA, which also exists mostly due to historical accident, but focuses mainly on military intelligence matters.

    • ebel 10 years ago

      I submitted this a couple days ago... government slowly moving. http://www.logicworks.net/blog/2015/06/government-cloud-publ...

    • cpr 10 years ago

      Yes, there's a whole portion of the Amazon Cloud that's run entirely for government (a family member is a higher-up at AWS Gov), and I have to assume they're also running private clouds with physical security, but I have no idea.

  • MichaelCrawford 10 years ago

    The government has known how to vet their systems since well before 1989, when I attended a class taught by a security consultant for the DoD.

    For example, your aged grandfather used to run ethernet through pressurized conduit. If that pressure ever dropped some heavily armed men would turn up.

    The IP packet header has fields for security classification as well as compartment. If I design warheads and you design rocket engines, our computers are in different compartments so the router between us will drop packets if you and I attempt to discuss our work. However I could invite you to lunch.

    What Bradley Manning did was simply not possible. Or rather it would not have been without the Congressional COTS mandate: Common Off-The-Shelf Computers. Rather than design special hardware or write special software for military computing the avionics for the F-35 Joint Strike Fighter were purchased online from Alibaba.
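The compartment-based forwarding rule in the comment above (a router that drops traffic between hosts whose labels are incompatible, while unlabelled traffic such as a lunch invitation still passes) as an added example; this is a simplified model of label dominance, not the actual IP Security Option encoding, and the host names, compartment names and clearances are constructed for illustration.

```go
package main

import "fmt"

// Level is a simplified linear classification ordering (constructed for the example).
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
	TopSecret
)

// Label pairs a classification level with a compartment set, stored as a bitmask
// where bit i means "compartment i is present".
type Label struct {
	Level        Level
	Compartments uint64
}

// Dominates reports whether a holder of label l may receive data labelled m:
// l's level must be at least m's, and l must hold every compartment m carries.
func (l Label) Dominates(m Label) bool {
	return l.Level >= m.Level && m.Compartments&^l.Compartments == 0
}

// Packet carries the sender-assigned label alongside source and destination.
type Packet struct {
	Src, Dst string
	Label    Label
}

// Router keeps the label each host is cleared for.
type Router struct{ hosts map[string]Label }

// Forward decides whether a packet may be delivered. Two checks: the packet's
// label must not exceed the sender's own clearance (a host cannot emit data it
// is not cleared for), and the receiver's clearance must dominate the label.
func (r Router) Forward(p Packet) (bool, string) {
	src, ok := r.hosts[p.Src]
	if !ok {
		return false, "unknown source"
	}
	dst, ok := r.hosts[p.Dst]
	if !ok {
		return false, "unknown destination"
	}
	if !src.Dominates(p.Label) {
		return false, "packet labelled above sender's clearance"
	}
	if !dst.Dominates(p.Label) {
		return false, "receiver not cleared for label"
	}
	return true, "ok"
}

// Hypothetical compartments matching the warhead / rocket-engine scenario.
const (
	Warheads uint64 = 1 << iota
	RocketEngines
)

// NewDemoRouter enrols two hosts at the same level but in disjoint compartments.
func NewDemoRouter() Router {
	return Router{hosts: map[string]Label{
		"alice": {Secret, Warheads},      // designs warheads
		"bob":   {Secret, RocketEngines}, // designs rocket engines
	}}
}

func main() {
	r := NewDemoRouter()
	work := Packet{Src: "alice", Dst: "bob", Label: Label{Secret, Warheads}}
	lunch := Packet{Src: "alice", Dst: "bob", Label: Label{Unclassified, 0}}
	fmt.Println(r.Forward(work))  // dropped: bob lacks the Warheads compartment
	fmt.Println(r.Forward(lunch)) // delivered: nothing in the label to withhold
}
```

The `Dominates` check is the whole policy: it is the same comparison whether the label comes from a packet header or a file, and it is what makes "same level, different compartment" a hard boundary rather than a matter of discretion.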

    • engi_nerd 10 years ago

      Then why does Lockheed have hundreds of people involved with writing and testing avionics software for this aircraft? Why does Northrop Grumman have hundreds of engineers working on avionics hardware? Why does Lockheed Martin have an entire B737 that it heavily customized to test all of this hardware and software? https://en.wikipedia.org/wiki/Lockheed_Martin_CATBird

      • MichaelCrawford 10 years ago

        You have a wooden head.

        • engi_nerd 10 years ago

          ...No need to be insulting and condescending. I understand that you were making a joke. But the fact is, your joke example was poorly chosen.

          • MichaelCrawford 10 years ago

            I can see your point.

            However a problem we really do have is that we have lost our expertise. The COTS mandate led to less demand for the kinds of engineers who could have prevented this breach.

            My friend Murray Sims is a naval civil service coder. He rang me up once to beg me to work for the navy:

            "People are dying because of software bugs."

            I'd love to but I get a little loopy sometimes so have no hope of getting a clearance, instead I write technical articles.

            http://www.warplife.com/tips/

            • engi_nerd 10 years ago

              I admit I was a little saddened to be insulted by someone whose work I admire.

              Your friend definitely has a point. People are dying because of software bugs. And process bugs. And outdated hardware.

              I agree with you that we have lost our expertise. I think the defense industry in general has a demographics problem. There's a lot of old guys who are about to retire. A lot of young, inexperienced people. And not enough of the mid-career engineers.

              • MichaelCrawford 10 years ago

                Is there some way I could do military computing without a clearance?

                I applied to the US Air Force Cyber Command as well as all manner of military computer security jobs. I received but one response, that my application to be an encryption machine trainer was declined.

                http://www.warplife.com/mdc/resume/

                • engi_nerd 10 years ago

                  I am not an absolute authority on this. But my decade of experience in the defense industry tells me "probably not".

                  • MichaelCrawford 10 years ago

                    Then I expect the best contribution I could make is to continue writing.

                    I was an unclassified subcontractor once. The primary contractor selected me for my expertise with "the part".

                    What he should have done was to ask me to select the vendor. The part I was asked to write code for had quite a serious design flaw.

                    • engi_nerd 10 years ago

                      Please do continue writing. I enjoy your writing very much.

                      • MichaelCrawford 10 years ago

                        Your Wish Is My Command:

                           I State This That It May Be Rejected:
                           The Lysistrata Manifesto
                           http://www.warplife.com/manifestos/lysistrata/
                        
                        tl;dr: I shall withhold sex until the computer industry fixes its product defects.

                    • MichaelCrawford 10 years ago

                      It was plainly apparent who "the client" was.

                      That got on my nerves.

                      "'The client' is really, really happy with all the prototype boards that we just soaked The American Taxpayer for."

                      "Great. Please tell 'The Client' that YOU SELECTED THE WRONG 'PART'!"

                      Click.

                      I have the idea that I could offer the consulting service of selecting 'The Parts' to the extent they are unclassified. They often are. But I don't have the first clue as to how to get started. Among my concerns is that some contractors don't want to pay someone to tell them how to avoid cost overruns.

              • MichaelCrawford 10 years ago

                I offer my heartfelt and humble apology for insulting you.

                That was not my intention though I do understand why you took it that way.

                I intended to insult the United States Congress.

                • irishcoffee 10 years ago

                  A well-met insult. The government is putting itself into a corner with their current policies on hiring criteria. If you have an idea on how to change that, I'd support you however I could. If it matters, I really admire your apology, not many people have the "balls/vagina/both/neither" to admit, at the very least, a mis-interpretation of a comment.

                  • engi_nerd 10 years ago

                    Their hiring criteria are ridiculous. Every job I have ever applied for through USAJobs and other government systems (NASA STARS, US Navy CHART, and several others I cannot remember the names of at the moment) has resulted in a rejected application.

                    NASA's system told me that I was not qualified to work on rocket telemetry systems, even though I was then working as a telemetry engineer for the prime contractor on the NSROC II sounding rocket contract.

                    The Navy's system told me that I was not qualified to work on aircraft instrumentation and telemetry systems for NAVAIR, even though one of my past jobs was as an aircraft instrumentation and telemetry systems engineer for NAVAIR.

                    My wife has similar anecdotal experiences. She applied for a job with the federal government requiring experience as a K-12 biology teacher. She was rejected even though she worked as a high school biology teacher for almost a decade and won several national awards and two educational fellowships.

                  • MichaelCrawford 10 years ago

                    I have lots of ideas as to how to change that; the problem is not unique to the government.

                    Real Soon Now http://wew.warplife.com/jobs/ will redirect to a domain that my brother in law will register for me because my reputation for speaking my mind has made me completely unemployable.

                • engi_nerd 10 years ago

                  Thank you for your apology. I see how I misunderstood.

        • comrade1 10 years ago

          Humor is not allowed on HN. It's for our own protection - most of the people here are so autistic a simple ironic statement could lead to the end of the internet as the HN readers spaz out all at once.

  • oldmanjay 10 years ago

    Government is full of cargo-cult policymaking. I assume it's a combination of no real qualifications to get a job making policy combined with that seductive feeling of giving orders.

hamburglar 10 years ago

When are we going to move from a nine-digit number to something a little more secure for identity? I effectively want a public key and a private key and require signing of forms submitted as me.

edit: Freely provide easy to use tools for doing the signing and verification, and for people who still aren't savvy enough to do it themselves, train notaries to do it.

  • hyperion2010 10 years ago

    The issue here is not that SSNs are used for identity (which is what they SHOULD be used for), but rather that they are used for authentication, which is retarded beyond belief. https://technet.microsoft.com/en-us/library/cc512578.aspx
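The proposal two comments up (a public/private key pair with every form submitted in your name carrying a signature) and the point directly above (an SSN is fine as an identifier, disastrous as an authenticator) are the same design decision seen from two sides. The example below, added here and not code from any commenter, puts both policies side by side: a registry that accepts a form from anyone who knows the number, and one that treats the number purely as a lookup key and demands an Ed25519 signature from the key enrolled under it. The form layout, the `Registry` type and the sample identifier are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Form is a hypothetical HR/benefits form keyed by a nine-digit identifier.
type Form struct {
	SSN     string // identifier: says who the form is about; assume it is public after a breach
	Payload string // what the submitter is asking for
}

// canonical returns the exact bytes that are signed; submitter and verifier
// must agree on this encoding or valid signatures will fail to verify.
func (f Form) canonical() []byte {
	return []byte(f.SSN + "\n" + f.Payload)
}

// Registry maps each identifier to the public key enrolled for that person.
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Enroll binds a public key to an identifier. In the proposal above this is the
// one in-person step (e.g. at a notary); the private key never leaves the owner.
func (r *Registry) Enroll(ssn string, pub ed25519.PublicKey) { r.keys[ssn] = pub }

// AcceptByKnowledge models the status quo: producing the number is treated as
// proof of identity, so anyone holding a leaked number passes.
func (r *Registry) AcceptByKnowledge(f Form) bool {
	_, known := r.keys[f.SSN]
	return known
}

// AcceptBySignature uses the number only to look up the enrolled key and then
// requires a signature over the form from the matching private key.
func (r *Registry) AcceptBySignature(f Form, sig []byte) bool {
	pub, known := r.keys[f.SSN]
	if !known {
		return false
	}
	return ed25519.Verify(pub, f.canonical(), sig)
}

// SignForm is what the owner's signing tool runs before submission.
func SignForm(priv ed25519.PrivateKey, f Form) []byte {
	return ed25519.Sign(priv, f.canonical())
}

// Demo enrolls one person, then submits one form from that person and one from
// a party who knows only the number. It returns the outcome under each policy.
func Demo() (legitKnowledge, impostorKnowledge, legitSigned, impostorSigned bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	const ssn = "123-45-6789" // constructed sample identifier
	reg.Enroll(ssn, pub)

	legit := Form{SSN: ssn, Payload: "change direct-deposit account to A"}
	forged := Form{SSN: ssn, Payload: "change direct-deposit account to B"}

	// Status quo: both are accepted, because both submitters know the number.
	legitKnowledge = reg.AcceptByKnowledge(legit)
	impostorKnowledge = reg.AcceptByKnowledge(forged)

	// Signature policy: the owner passes; a party with only the number can at
	// best sign with some key of their own, which is not the one enrolled.
	legitSigned = reg.AcceptBySignature(legit, SignForm(priv, legit))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	impostorSigned = reg.AcceptBySignature(forged, SignForm(otherPriv, forged))
	return
}

func main() {
	a, b, c, d := Demo()
	fmt.Printf("knowledge policy: owner=%v impostor=%v\n", a, b)
	fmt.Printf("signature policy: owner=%v impostor=%v\n", c, d)
}
```

What the signature policy does not solve on its own: a captured signed form can be resubmitted as-is, so a real deployment also binds a nonce or timestamp into `canonical()` and rejects repeats, and the enrolment step has to be at least as careful as the form check it protects.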

  • flatline 10 years ago

    Presumably, the Chinese and some random hackers now have every piece of relevant data on my life that could ever be used for at least the initial validation of my identity - up to and including my fingerprints. For repeat authentication it's not an issue but parts of this go way beyond SSNs.

  • grumio 10 years ago

    You may be interested to see Estonia's advancement in this direction: http://estonia.eu/about-estonia/economy-a-it/e-estonia.html

    • dimino 10 years ago

      I'm immensely jealous of Estonia's ability to rebuild their infrastructure from the ground up. I know we'll never have that chance in the US, but if we did, we could build something truly incredible, especially now that government is slowly starting to understand the benefits of the "lean startup" model (I say that loosely).

bitJericho 10 years ago

The worst of this is that I had just taken a government job when the 4.2 million person breach was claimed to have happened. I had very serious concerns about giving out so much (and it was an absolute ton, more than any other employer I've ever worked for) information. I had thought about not taking the job but like many Americans I really didn't have much of a choice. The choice was homelessness and perhaps even going to court for failing to pay my obligations, or a nice comfy job and pay.

Why does the government need so much data on its employees; that's what should be asked!

  • engi_nerd 10 years ago

    > Why does the government need so much data on its employees; that's what should be asked!

    I don't know if you had to get a clearance or not, and if you did, what kind. But assuming that you did get a clearance, they need all of this information because they need to build up a psychological, emotional, familial, and financial profile of you to determine how much of a risk you are. At least, that is what the government will tell you is the reason why they investigate you so much.

    You can request a copy of the investigation the US government performs on you (whether you are a government employee or a contractor with a clearance) through a form you can find on the website of the Office of Personnel Management. Although, hilariously, they will censor some of the information about you that they find. That is a window into what their thinking is, because you see who they talk to, what questions they ask, and how people responded.

  • comrade1 10 years ago

    Yes, that's the worst part of this.

dguido 10 years ago

Before you start shitting on OPM and the like, is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?

Clearly, OPM should know, but omg is the state of security poor.

  • FooNull 10 years ago

    >is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?

    My company didn't compile detailed background information about my "sexual misconduct", or spend money trying to detail the ways in which I might be blackmailed.

    So yeah, it's a little different.

    • mokus 10 years ago

      And not only your information - that 21.5 million figure given for the clearance database is 1 in 15 people in the entire United States population.

      What I'd like to know is how this information failed to warrant even the level of protection mandated for medical records - according to at least one major news source, the data wasn't even encrypted. The standard criteria in the US for "top secret" classification is described as material having the potential to cause "exceptionally grave damage" to the national security of the nation. A database of information pertaining to a process designed to collect all information potentially usable for coercion (blackmail, social ties, etc) of all the individuals in the most sensitive positions of the government, should have been classified and protected at the Top Secret level.

      Frankly, the outrage I've seen so far is not nearly enough for the scale of the irresponsibility here. I firmly believe the director and CIO of the OPM should not only be removed from office, they should be subject to criminal charges for mishandling information that clearly _should_ have been classified.

  • dmix 10 years ago

    > is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?

    Well, most SF/HN startups data wouldn't get people killed if leaked to the wrong hands, whereas OPM had sensitive information on spies/foreign agents/etc where that is a serious possibility.

    The question I'm curious about is what if a Silicon Valley style startup was going to start a company holding ID information for gov workers? Including potentially identities of people whose livelihood depends on secrecy. I'd imagine they would be investing quite heavily in security. But it is plausible even that wouldn't stop nation-state attackers...

aburan28 10 years ago

This hack occurred well over a year ago. The DoD knows exactly how many people this affected as it was informing its employees to be wary of the implications of this (telling their kids to watch out for Chinese blackmail, potential social engineering attempts with more informed information from the data dump). I am honestly surprised this story took this long to be discovered.

melipone 10 years ago

There is a petition on whitehouse.gov to get free identity theft insurance coverage for life: https://petitions.whitehouse.gov/petition/provide-lifetime-i...

mirimir 10 years ago

The NSA was slow in adapting to the Internet. Also, US cyberwar efforts have been too focused on offense. They've assumed technological superiority. That was safe 20 years ago (maybe even 10) but it's clearly not safe now.

codesilverback 10 years ago

So did anyone get fired?

  • stephengillie 10 years ago

    A loyal employee that made a mistake is still a valuable employee. We should focus on prevention and obviation (you can't steal what isn't there) over severe punishments.

    • mpyne 10 years ago

      This wasn't just a single employee that made a single mistake.

      The Navy is happy to fire commanding officers for calling out sailors who show up late for physical training because it's embarrassing to the sailor, and yet it seems like we can't get anything close to that kind of accountability elsewhere.

      It's not so much that Archuleta 'let this happen' (since I guarantee they would be hacked anyways), but the defensive efforts prior to this happening were even worse than you'd expect for government, and the response efforts since have almost been worse!

      • tsotha 10 years ago

        Archuleta is a party hack who got what was supposed to be a patronage position. There are thousands of them the parties use to reward, you know, county canvassers after a successful campaign.

        She should definitely be fired, not so much for what she allowed to happen per se, but because she doesn't have anything like the background she needs to do the job with which she's been entrusted.

ebel 10 years ago

AWS GovCloud has a very small subset of AWS public features. Enough to get the job done though. Most importantly, it complies with all the FedRAMP, ITAR standards. The Government is just inherently slow in adopting and leveraging AWS's awesome infrastructure.

justonepost 10 years ago

What's problematic about this is clearance data usually involves investigators asking questions of references of the applicant: "Do you know anything that could be used to blackmail the applicant into revealing confidential information?" If that sort of info was saved (even for those rejected clearance because they DID find something) and stolen in this hack, that could be rough going for a lot of folks.

https://www.clearancejobs.com/security_clearance_faq.pdf

"What will I be asked during a security clearance interview? During a ESI, the investigator will cover every item on your clearance application and have you confirm the accuracy and completeness of the information. You will be asked about a few matters that are not on your application, such as the handling of protected information, susceptibility to blackmail, and sexual misconduct. You will be asked to provide details regarding any potential security/suitability issues. During a SPIN, the investigator will only cover the security/suitability issue(s) that triggered the SPIN. The purpose of the SPIN is to afford the applicant the opportunity to refute or to confirm and provide details regarding the issue(s)."

More:

http://www.navytimes.com/story/military/2015/06/17/sf-86-sec...

"They got everyone's SF-86," one Pentagon official familiar with the investigation told Military Times.

"The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions."

..

http://news.clearancejobs.com/2015/06/13/sf-86-stolen-opm-ha...

"The entirety of at least some SF-85 and SF-86 background investigations held on OPM servers were breached, meaning sensitive data including relatives, spouses, and sensitive information on everything from mental health counseling to sexual behavior is now in the hands of the Chinese government."

And if you're really bored:

https://www.opm.gov/Forms/pdf_fill/sf86.pdf

  • dsfyu404ed 10 years ago

    This is why they say anyone in government or contractor work should get a job that will get them a clearance ASAP once they're out of school. Someone fresh out of school has a hell of a lot less history for the gov't to ask about and record than someone who's in their 40s.

    So what if the red bastards get the file of someone who's 22yo and just out of school? Chances are it's 90% OSInt anyway.

spoiledtechie 10 years ago

I would like to ask a question, but it's real. How many of you, yes and no, would be willing to go to war knowing that China is making a record of every single interesting person in the United States? Would you physically be willing to go to war over that fact? They are literally profiling us and it seems like the average US citizen gives 2 shits.

  • cinquemb 10 years ago

    Ha, I guess they can join the team of the tech companies and other government agencies around the world doing the same. All of which is going to be increasingly available to the public.

    The naked babies uploaded by their parents and parents' friends today will be very familiar with the way the world will be, for it will be all they would have known on some personal level beyond the grandparents of that time ranting on how good things used to be and wanting to allocate resources for destruction of others for such banal causes, despite the hypocrisies as their robot aids wipe the slobber from their mouths…
