
A physical breach is a nightmare scenario for Capitol IT

316 points | rmason | 5 years ago | twitter.com

167 comments

[+] dillondoyle|5 years ago|reply
Another thread that I think offers some context a bit less 'scary' than this [1]. Most of the stuff the invaders could have had easy access to - eg in a Member's office - is not that important, consider what is leaked to the press strategically for politics every day.

I'd be more concerned about listening devices especially key committee Members and staff e.g. foreign relations LAs

I don't have firsthand knowledge of the non-classified working computers of Congress but maybe someone can confirm if IT used SolarWinds and their network is already compromised.

* also individual Member offices are treated basically like businesses in a lot of ways. e.g. the Member can contract/share hire their own IT helpers too. I can't find a source quickly but a few years ago remember the article about some guy working for a few Dems being a dumb ass

* * I'll also add that almost any US citizen can get a meeting inside a Member's office. A house member directly or with a staffer. I'm sure there are a ton of listening devices that metal detectors wouldn't find and that are quick to place surreptitiously

[1] https://twitter.com/ericgeller/status/1347226499930230785

[+] rootusrootus|5 years ago|reply
> almost any US citizen can get a meeting inside a Member's office

Indeed, most days you can just walk directly into any senator's or member's office. Maybe leadership has different rules, I haven't tested that, but I had no trouble strolling into Ron Wyden's office. So anything you can get through the building metal detectors (which really aren't very sensitive, they're just looking for weapons) you could take in and surreptitiously drop off.

[+] xtracto|5 years ago|reply
> I'd be more concerned about listening devices especially key committee Members and staff e.g. foreign relations LAs

Or better yet, placing an annoyatron on key offices of members of the party you don't like.

[+] jedberg|5 years ago|reply
Is it though? I was having this discussion with a friend last night. If I were IT for the Capitol, I would already be operating under the assumption that all the clients are hostile.

There are constantly visitors to the Capitol, including foreign visitors who could easily be spies. Also, the Members themselves are often old, anti-tech, and not the kind of people who will remember to lock their screen when they get up. I would already assume Member computers are a huge attack vector, and act accordingly.

[+] admax88q|5 years ago|reply
> I would already be operating under the assumption that all the clients are hostile.

You can't operate assuming all computers in the Capitol are hostile. How are the members supposed to do work if their computers are assumed hostile? Why even give them computers then?

> I would already assume Member computers are a huge attack vector, and act accordingly.

What would "acting accordingly" look like for you in that example scenario you outlined?

[+] anothernewdude|5 years ago|reply
They're going to have to rebuild from scratch anyway, this event has just made sure they do so.
[+] watwut|5 years ago|reply
Random visitors don't go into offices. They don't look into cupboards. They don't sit behind a desk with a computer.
[+] cpascal|5 years ago|reply
The author of the Twitter thread links to another thread towards the end that notes the risk of a classified information breach isn't too high.

https://twitter.com/ericgeller/status/1347226499930230785

Obviously that doesn't change the fact that the entire building should be considered compromised and scrubbed.

[+] slg|5 years ago|reply
The last 5+ years of leaks from politicians should have taught us that something doesn't need to be classified to be highly damaging to both the individual and the nation.
[+] enw|5 years ago|reply
Is it just me, or do some people have a fetish for catastrophe?

Greatly overestimating security impacts, the impacts of COVID, aggressive "new normal" lockdown proponents, militant preppers, etc.

Paradoxically, I think some might feel more secure when they are the messengers of chaos. I wonder if there's a psychological reasoning underneath.

[+] taitems|5 years ago|reply
I would counter and say that those who reacted most fervently to COVID were the quickest to recover and those who were most blasé and dismissive are paying the price. New Zealand went immediately to stage 4 “where you sleep tonight is where you must stay” and their efforts have been admired.
[+] Razengan|5 years ago|reply
> I wonder if there's a psychological reasoning underneath.

boredom

A safe, regulated, mechanically functioning society day after day is boring as hell†. Catastrophe is one of the easiest changes to imagine and fantasize about. Which is probably also why dystopian cyberpunk is more popular than utopian sci-fi.

† If you don't get enough leisure time or have enough activities to fill it with.

[+] smt88|5 years ago|reply
Humans are special because of our ability to forecast and run scenarios. You can "practice" dangerous situations in your mind -- a great tool to mitigate them if they arise!

This can go to an extreme, of course. People seek security by modeling everything, playing it all out, and trying to prevent bad things from happening.

It's normal human behavior that is supercharged by modern information overload.

[+] jaywalk|5 years ago|reply
The one person who almost got into an area where they really didn't want people was shot dead. This guy's acting like the rioters breached a SCIF or something. The Capitol building is (was, normally) open to the public.
[+] paxys|5 years ago|reply
Multiple computers belonging to congressmen/their aides have been reported accessed or stolen (https://thehill.com/homenews/senate/533162-merkley-says-capi...). Someone posted a picture of Nancy Pelosi's email client, stole mail and left a threatening note in her office. Other private chambers were vandalized (https://twitter.com/SenJeffMerkley/status/134703950452849868...). Can anyone really confirm that there were zero foreign agents among the thousands of rioters who accessed the building? Let's not pretend what happened was normal.
[+] orblivion|5 years ago|reply
This is something that surprises me about the whole thing. Wouldn't the chambers full of Very Important People who are presumably targets of many an angry/deranged person be among those highly sensitive areas? When I heard that these people were breaking down barriers and potentially storming the Capitol building, I thought surely they would stop as soon as they foolishly approached the chambers and started getting shot dead. When I was so much as standing across the street from the White House, where all the protesters hang out, I assumed I basically had a red dot on my head, so I should be careful what I do.
[+] tunesmith|5 years ago|reply
> The one person who almost got into an area where they really didn't want people was shot dead.

Wait, what is the context on this? I saw the footage once before I knew she died. It honestly looked like law enforcement with guns coming up the stairs, and it looked like a crowd of people, not a woman acting alone. What area of the building was that that was extra-sensitive?

EDIT: I see now, other angles are easy to find. Trying to climb through a blockaded entry point as guns were already pointed at her...

[+] saargrin|5 years ago|reply
not sure the office computers are typically accessible to public

now they gonna check everything for possible keyloggers or whatnot

and there's no way of knowing if any computer was left unlocked and might have had something installed on it

[+] mcintyre1994|5 years ago|reply
In the video I saw of the person who got shot, it looked like she was climbing into a room that already had both police and other rioters inside - is that incorrect? I’ve also seen pictures of people inside Pelosi’s office, including on her unlocked computer with emails displayed (albeit I assume these weren’t confidential - the only one mentioned was about the security breach).
[+] meragrin_|5 years ago|reply
> The one person who almost got into an area where they really didn't want people was shot dead.

The videos showing her get shot had several police in the area and they never looked like they were very interested in protecting that area before she was shot.

[+] jmiter|5 years ago|reply
Maybe someone can answer this for me:

having worked for the US gvt, though not in legislature or dept of state, PIV cards were always required to access a gvt machine, and leaving your PIV inserted while absent from the room was, in theory, a serious offense.

Are congress critters and others not required to use ID cards when accessing gvt networks?

[+] Jtsummers|5 years ago|reply
Different agencies have different IT systems at the federal level. The PIV cards used by the DOD and some other departments are not universal within the executive branch, and the legislative and judicial branches manage their own IT systems (sometimes still managing it locally rather than having any kind of centralized system). Government IT is very much a set of feudal territories still and many of them are not well or consistently managed.
[+] jnwatson|5 years ago|reply
The rules for the executive branch are fairly rigorous. The legislative branch, not so much. There's a huge difference in scale: the executive branch employs some 4 million folks, the legislative branch just 35K.

Just the picture of Pelosi's desktop indicates there's no automatic screenlock, which is a fairly low bar as controls go.

[+] SolarNet|5 years ago|reply
My understanding is that each legislator is like an independent client and is able to run basically whatever IT they want as far as the unclassified (yet still sensitive of course) stuff goes. Given that, I'm betting the shared IT group is basically just recommending best practices and hoping people are listening.
[+] wnoise|5 years ago|reply
What wag decided on that acronym that exactly overlaps a far more prurient one?
[+] chefkoch|5 years ago|reply
I'm not sure you can say no to a senator who wants stuff changed?
[+] TT3351|5 years ago|reply
Access to the Capitol isn't very restricted. People who are handling top secret information know that very well; that said, plenty of personally compromising information can usually be found on any given personal computer.
[+] nabla9|5 years ago|reply
Obviously all computers left around in offices should be considered unsafe. Confidential information may have been leaked.

But the Capitol has SCIFs for storing top secret information and committee meetings that deal with classified information. You can't bring your own laptops or even phones to them.

[+] alkonaut|5 years ago|reply
This is a nightmare no doubt, but the IT security angle is so far down the list of concerns it's not even visible. If every machine, piece of infrastructure and password has to be changed, every log audited by a hundred people for a year?

Tiny damage in comparison in context.

[+] DoreenMichele|5 years ago|reply
I am reminded of Watergate, which I think a lot of people don't realize was about planting wiretaps in the Democratic National Committee headquarters. It led to Nixon's resignation and it has left us with a legacy of adding "-gate" onto the end of all kinds of things (a la "GamerGate").

As a child, I knew Watergate was a scandal that impacted the presidency. I think I was an adult before I learned it involved wiretapping. I remember being rather surprised to learn some of the details as an adult.

https://en.wikipedia.org/wiki/Watergate_scandal

[+] idlewords|5 years ago|reply
I've seen a lot of this kind of concern, but people should keep in mind that the capitol is already a semi-public space, and is treated as such. The devices I'd really worry about if they were compromised are people's personal phones, which presumably they had on their person.

A note for context: a friend of mine who works in the capitol brought me along one day and asked me to wait in the minority leader's antechamber (a large room like a hotel conference room) for a few minutes while a vote was called. There were various bits of CAT-5 sticking out of the wall and I was unsupervised for nearly a half hour. Various people came and went and paid me no heed. I can't imagine I'm the first or last person to have been in that situation.

TL;DR special secure facilities exist for a reason. The Capitol is used to randos.

[+] curiousgal|5 years ago|reply
This is a tad ironic. It's like backhandedly saying "we're so great that foreign nations wouldn't miss a chance to spy on us" but at the same time this great nation allowed its Capitol building to be ravished by a group of citizens. There are infinitely bigger concerns about this event than what this thread presents.
[+] qwantim1|5 years ago|reply
I’d assume they were already bugged. Also, who’s to say all of the new equipment they replace it with won’t be bugged?

And why do they even need offices in the capitol building at this point? Everything could be done online.

[+] Ericson2314|5 years ago|reply
I think the threat model is a bit off, in that all the "real secrets" are sadly with the executive branch.

However, if congress can learn a bit about the pitfalls of commonplace devices, that would be nice.

[+] adrianmonk|5 years ago|reply
Are there security cameras? If so (assuming footage wasn't tampered with), then you can maybe narrow down the locations where people actually did have physical access.
[+] moonbug|5 years ago|reply
They need to toss everything and start again. Safer, and probably faster. But I expect they'll just turn back on and resume using everything not ruined by piss.
[+] fareesh|5 years ago|reply
The previous non-violent protests over the last few years that took place in the Capitol also had protesters present in all of the same places, including the chambers.

As such this is not a new situation, but it's interesting that devious motives are attributed when the protester has a particular set of politics, or because they were successful in breaking past security whereas previous protesters attempted and failed.

[+] nosmokewhereiam|5 years ago|reply
They can't sign emails without PKI, right?
[+] sybercecurity|5 years ago|reply
Officially yes, but the use of S/MIME signed email in the federal government is minimal/non-existent beyond a few instances.