And yet, tomorrow they'll have no qualms making the case that, of course, the government can securely keep backdoor keys to investigate encrypted communications.
Have the secret backdoor keys for Dual EC DRBG leaked yet? Nuclear launch codes and authenticators?
Analogies are useful but don't get carried away, especially when talking about something as broad as "the government" (as if it were one singular thing). The fact that a BLM federal officer lost his firearm doesn't instantly mean that all of our Tomahawk cruise missiles are next to be stolen.
I was listening to the Senate hearing on Wednesday where they were asking the FBI director questions about this issue. They were talking about how they need to include the tech community in the conversation about how to best solve the problem of making sure the govt can access encrypted messages, etc. when they're conducting an investigation.
Senator McCain started asking questions about how it was possible to maintain citizens' privacy, but at the same time be able to access private data. Then he made it clear what his feelings were on the subject. Basically, his argument boiled down to "But, ISIS!".
"Is ISIS trying to kill Americans?", he asked the FBI director. The director said "yes". Then he said that b/c of ISIS, the govt has to be able to access keys so they can read encrypted data.
US Gov isn't a monolith. Interesting to think about in light of all of the recent articles on HN about the challenges of building out microservices or SOA. Just with human action instead of 10gig fiber, eventual consistency takes a lot longer, if it ever happens.
I get deeply frustrated (though I understand where they are coming from) when governments make the argument that they can't take advantage of this or that cloud service because the service's security isn't vetted. Clearly, the security in the backing systems owned by the government isn't sufficiently vetted either, so they're sacrificing velocity for non-security.
I know, it's a flippant attitude. Blame a lousy day. ;)
There's quite a bit of u.s. government on amazon cloud. Using a cloud service doesn't magically give you better security.
This is more an indication of the NSA focusing too strongly on offensive/monitoring operations and not on information security, which is their job as well.
The goverment has known how to vet their systems since well before 1989, when I attended a class taught by a security consultant for the DoD.
For example, your aged grandfather used to run ethernet through pressurized conduit. If that pressure ever dropped some heavily armed men would turn up.
The IP packet header has fields for security classification as well as compartment. If I design warheads and you design rocket engines, our computers are in different compartments so the router between us will drop packets if you and I attempt to discuss our work. However I could invite you to lunch.
What Bradley Manning did was simply not possible. Or rather it would not have been without the Congressional COTS mandate: Common Off-The-Shelf Computers. Rather than design special hardware or write special software for military computing the avionics for the F-35 Joint Strike Fighter were purchased online from Alibaba.
Government is full of cargo-cult policymaking. I assume it's a combination of no real qualifications to get a job making policy combined with that seductive feeling of giving orders.
When are we going to move from a nine-digit number to something a little more secure for identity? I effectively want a public key and a private key and require signing of forms submitted as me.
edit: Freely provide easy to use tools for doing the signing and verification, and for people who still aren't savvy enough to do it themselves, train notaries to do it.
The issue here is not that SSNs are used for identity (which is what they SHOULD be used for), but rather that they are used for authentication, which is retarded beyond belief. https://technet.microsoft.com/en-us/library/cc512578.aspx
Presumably, the Chinese and some random hackers now have every piece of relevant data on my life that could ever be used for at least the initial validation of my identity - up to and including my fingerprints. For repeat authentication it's not an issue but parts of this go way beyond SSNs.
The worst of this is that I had just taken a government job when the 4.2 million person breach was claimed to have happened. I had very serious concerns about giving out so much (and it was an absolute ton, more than any other employer I've ever worked for) information. I had thought about not taking the job but like many Americans I really didn't have much of a choice. The choice was homelessness and perhaps even going to court for failing to pay my obligations, or a nice comfy job and pay.
Why does the government need so much data on its employees; that's what should be asked!
> Why does the government need so much data on its employees; that's what should be asked!
I don't know if you had to get a clearance or not, and if you did, what kind. But assuming that you did get a clearance, they need all of this information because they need to build up a psychological, emotional, familial, and financial profile of you to determine how much of a risk you are. At least, that is what the government will tell you is the reason why they investigate you so much.
You can request a copy of the investigation the US government performs on you (whether you are a government employee or a contractor with a clearance) through a form you can find on the website of the Office of Personnel Management. Although, hilariously, they will censor some of the information about you that they find. That is a window into what their thinking is, because you see who they talk to, what questions they ask, and how people responded.
Before you start shitting on OPM and the like, is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?
Clearly, OPM should know, but omg is the state of security poor.
>is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?
My company didn't compile detailed background information about my "sexual misconduct", or spend money trying to detail the ways in which I might be blackmailed.
> is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?
Well, most SF/HN startups data wouldn't get people killed if leaked to the wrong hands, whereas OPM had sensitive information on spies/foreign agents/etc where that is a serious possibility.
The question I'm curious about is what if a Silicon Valley style startup was going to start a company holding ID information for gov workers? Including potentially identities of people whose livelihood depends on secrecy. I'd imagine they would be investing quite heavily in security. But it is plausible even that wouldn't stop nation-state attackers...
This hack occurred well over a year ago. The DoD knows exactly how many people this affected as it was informing its employees to be wary of the implications of this (telling their kids to watch out for Chinese blackmail, potential social engineering attempts with more informed information from the data dump). I am honestly surprised this story took this long to be discovered.
The NSA was slow in adapting to the Internet. Also, US cyberwar efforts have been too focused on offense. They've assumed technological superiority. That was safe 20 years ago (maybe even 10) but it's clearly not safe now.
A loyal employee that made a mistake is still a valuable employee. We should focus on prevention and obviation (you can't steal what isn't there) over severe punishments.
AWS Govcloud has a very small subset of AWS public features. Enough to get the job done though. Most importantly, it complies to all the FedRAMP, ITAR standards. The Government is just inherently slow in adopting and leveraging AWS's awesome infrastructure.
What's problematic about this is clearance data usually involves investigators asking questions of references of the applicant: "Do you know anything that could be used to blackmail the applicant into revealing confidential information?" If that sort of info was saved (even for those rejected clearance because they DID find something) and stolen in this hack, that could be rough going for a lot of folks.
"What will I be asked during a security clearance interview?
During a ESI, the investigator will cover every item on your clearance application and have you confirm the
accuracy and completeness of the information. You will be asked about a few matters that are not on your
application, such as the handling of protected information, susceptibility to blackmail, and sexual misconduct.
You will be asked to provide details regarding any potential security/suitability issues.
During a SPIN, the investigator will only cover the security/suitability issue(s) that triggered the SPIN. The
purpose of the SPIN is to afford the applicant the opportunity to refute or to confirm and provide details
regarding the issue(s)."
"They got everyone's SF-86," one Pentagon official familiar with the investigation told Military Times.
"The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions."
"The entirety of at least some SF-85 and SF-86 background investigations held on OPM servers were breached, meaning sensitive data including relatives, spouses, and sensitive information on everything from mental health counseling to sexual behavior is now in the hands of the Chinese government."
This is why they say anyone in government or contractor work should get at job that will get them a clearance ASAP once they're out of school. Someone fresh out of school has a hell of a lot less history for the gov't to ask about and record than someone who's in their 40s.
So what if the red bastards get the file of someone who's 22yo and just out of school? Chances are it's 90% OSInt anyway.
I would like to ask a question, but its real. How many of you yes and no, would be willing to go to war knowing that China is making a record of every single interesting person in the United States? Would you physically be willing to go to war over that fact? They are literally profiling us and it seems like the average US citizen gives 2 shits.
Ha, I guess they can join the team of the tech companies and other government agencies around the world doing the same. All of which is going to be increasingly available to the public.
The naked babies uploaded by their parents and parents friends today will be very familiar with the way the world will be, for it will all they would have known on some personal level beyond the grandparents of that time ranting on how good things used to be and wanting to allocate resources for destruction of others for such banal causes, despite the hypocrisies as their robot aids wipe the slobber from their mouths…
murbard2|10 years ago
mpyne|10 years ago
Analogies are useful but don't get carried away, especially when talking about something as broad as "the government" (as if it were one singular thing). The fact that a BLM federal officer lost his firearm doesn't instantly mean that all of our Tomahawk cruise missiles are next to be stolen.
metaobject|10 years ago
Senator McCain started asking questions about how it was possible to maintain citizens' privacy, but at the same time be able to access private data. Then he made it clear what his feelings were on the subject. Basically, his argument boiled down to "But, ISIS!".
"Is ISIS trying to kill Americans?", he asked the FBI director. The director said "yes". Then he said that b/c of ISIS, the govt has to be able to access keys so they can read encrypted data.
dikaiosune|10 years ago
themartorana|10 years ago
a3n|10 years ago
We should keep saying it to our reprehensatives in Congress.
fixermark|10 years ago
I get deeply frustrated (though I understand where they are coming from) when governments make the argument that they can't take advantage of this or that cloud service because the service's security isn't vetted. Clearly, the security in the backing systems owned by the government isn't sufficiently vetted either, so they're sacrificing velocity for non-security.
I know, it's a flippant attitude. Blame a lousy day. ;)
comrade1|10 years ago
This is more an indication of the NSA focusing too strongly on offensive/monitoring operations and not on information security, which is their job as well.
MichaelCrawford|10 years ago
For example, your aged grandfather used to run ethernet through pressurized conduit. If that pressure ever dropped some heavily armed men would turn up.
The IP packet header has fields for security classification as well as compartment. If I design warheads and you design rocket engines, our computers are in different compartments so the router between us will drop packets if you and I attempt to discuss our work. However I could invite you to lunch.
What Bradley Manning did was simply not possible. Or rather it would not have been without the Congressional COTS mandate: Common Off-The-Shelf Computers. Rather than design special hardware or write special software for military computing the avionics for the F-35 Joint Strike Fighter were purchased online from Alibaba.
oldmanjay|10 years ago
hamburglar|10 years ago
edit: Freely provide easy to use tools for doing the signing and verification, and for people who still aren't savvy enough to do it themselves, train notaries to do it.
hyperion2010|10 years ago
flatline|10 years ago
grumio|10 years ago
bitJericho|10 years ago
Why does the government need so much data on its employees; that's what should be asked!
engi_nerd|10 years ago
I don't know if you had to get a clearance or not, and if you did, what kind. But assuming that you did get a clearance, they need all of this information because they need to build up a psychological, emotional, familial, and financial profile of you to determine how much of a risk you are. At least, that is what the government will tell you is the reason why they investigate you so much.
You can request a copy of the investigation the US government performs on you (whether you are a government employee or a contractor with a clearance) through a form you can find on the website of the Office of Personnel Management. Although, hilariously, they will censor some of the information about you that they find. That is a window into what their thinking is, because you see who they talk to, what questions they ask, and how people responded.
comrade1|10 years ago
unknown|10 years ago
[deleted]
dguido|10 years ago
Clearly, OPM should know, but omg is the state of security poor.
FooNull|10 years ago
My company didn't compile detailed background information about my "sexual misconduct", or spend money trying to detail the ways in which I might be blackmailed.
So yeah, it's a little different.
dmix|10 years ago
Well, most SF/HN startups data wouldn't get people killed if leaked to the wrong hands, whereas OPM had sensitive information on spies/foreign agents/etc where that is a serious possibility.
The question I'm curious about is what if a Silicon Valley style startup was going to start a company holding ID information for gov workers? Including potentially identities of people whose livelihood depends on secrecy. I'd imagine they would be investing quite heavily in security. But it is plausible even that wouldn't stop nation-state attackers...
aburan28|10 years ago
melipone|10 years ago
mirimir|10 years ago
codesilverback|10 years ago
stephengillie|10 years ago
ebel|10 years ago
justonepost|10 years ago
https://www.clearancejobs.com/security_clearance_faq.pdf
"What will I be asked during a security clearance interview? During a ESI, the investigator will cover every item on your clearance application and have you confirm the accuracy and completeness of the information. You will be asked about a few matters that are not on your application, such as the handling of protected information, susceptibility to blackmail, and sexual misconduct. You will be asked to provide details regarding any potential security/suitability issues. During a SPIN, the investigator will only cover the security/suitability issue(s) that triggered the SPIN. The purpose of the SPIN is to afford the applicant the opportunity to refute or to confirm and provide details regarding the issue(s)."
More:
http://www.navytimes.com/story/military/2015/06/17/sf-86-sec...
"They got everyone's SF-86," one Pentagon official familiar with the investigation told Military Times.
"The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions."
..
http://news.clearancejobs.com/2015/06/13/sf-86-stolen-opm-ha...
"The entirety of at least some SF-85 and SF-86 background investigations held on OPM servers were breached, meaning sensitive data including relatives, spouses, and sensitive information on everything from mental health counseling to sexual behavior is now in the hands of the Chinese government."
And if you're really bored:
https://www.opm.gov/Forms/pdf_fill/sf86.pdf
dsfyu404ed|10 years ago
So what if the red bastards get the file of someone who's 22yo and just out of school? Chances are it's 90% OSInt anyway.
spoiledtechie|10 years ago
cinquemb|10 years ago
The naked babies uploaded by their parents and parents friends today will be very familiar with the way the world will be, for it will all they would have known on some personal level beyond the grandparents of that time ranting on how good things used to be and wanting to allocate resources for destruction of others for such banal causes, despite the hypocrisies as their robot aids wipe the slobber from their mouths…