
Why the US federal employee record breach is worse than others - caseysoftware
http://caseysoftware.com/blog/why-this-security-breach-is-worse-than-all-the-others-combined
======
meesterdude
What a mess, but does highlight the fact that you know, when you gather a lot
of information on people, you become a target. They really just do all the
hard work, and make it easy for the criminals.

Obviously, a huge blunder of government, totally irresponsible and reckless
that such a massive breach was even possible. And it happened in Dec 2014, and
they only just now found out. A team of amateurs could do better than that.

I know data security is hard, but maybe if the government spent money on
proper protections of people's data instead of building data centers to spy on
its citizens, this wouldn't have happened. But it's clear that's not what
their priorities are.

Really, just disgusted by this.

That said, what did they do wrong? What should they have done, that they
didn't do? Getting hacked seems like an eventuality at some level. What can an
organization do to protect such sensitive information, or at least reduce
their exposure and the amount of data that is able to be leaked before
detection?

Seems like you'd have to partition up your data at some level, maybe encrypt
it at rest; but I don't know how far one has to go.

~~~
EthanHeilman
>I know data security is hard, but maybe if the government spent money on
proper protections of people's data instead of building data centers to spy on
its citizens, this wouldn't have happened.

The Gozer Principle: in Information Security you get to design the weapon that
will be used against you [1]. Don't build a tool you are unwilling to hand to
your greatest enemy.

For example what happens when foreign governments steal the domestic bulk
surveillance data? I bet the NSA accidentally hoovers up all sorts of top
secret information that is just accidentally sent over the wire or non-
classified data that could do great damage to US interests. Or what happens
when a foreign government gains access to the tools used to perform this bulk
collection? They could inject fake traffic or hide traffic for strategic
deception campaigns.

Collect it all is a strategically empty slogan, it represents a serious risk
to US national security, but on the other hand it is a wonderful Rice Bowl [2]
for the NSA.

>What can an organization do to protect such sensitive information, or at
least reduce their exposure and the amount of data that is able to be leaked
before detection?

* Keep it offline/airgapped.

* Store the most dangerous data on paper with hashes replicated online to ensure integrity.

* Delete information you don't need anymore.

* Do not have a centralized repository of data to reduce risk of catastrophic exposure.

There are always trade-offs between usability, functionality and security.

[1]:
[https://twitter.com/ethan_heilman/status/510993743156375552](https://twitter.com/ethan_heilman/status/510993743156375552)

[2]:
[https://en.wikipedia.org/wiki/Iron_rice_bowl#Other_uses](https://en.wikipedia.org/wiki/Iron_rice_bowl#Other_uses)

~~~
munin
all of your points totally undermine the benefits of centralization and
computerization. perhaps that is the point and that there are some things that
should just not be digitized or made "easy to do," but security people also
recognize that security is often not the end goal. creating a usable system
where the reward outweighs the risk is the goal. if the reward, despite this
risk/vulnerability, is still very high, then we'll probably keep doing it.

your points are what you would want to do if you wanted to make an ideally
secure system, but nobody wants only an ideally secure system...

~~~
jeffbr13
> … but nobody wants only an ideally secure system

Indeed! The ideally secure system would be one which doesn't exist/doesn't
have ANY interface, much like the perfect computer which doesn't perform any
IO with the rest of the world.

~~~
s_q_b
"The only truly secure system is one that is powered off, cast in a block of
concrete and sealed in a lead-lined room with armed guards... and even then I
have my doubts."

- Prof. Gene "Spaf" Spafford

------
leroy_masochist
It's really bad. I was a Russian major and spent my junior year there. I
subsequently went on to jobs in the military / IC that required an SCI
clearance as well as a couple of additional SAP screenings.

I carefully listed the Russians I knew under penalty of perjury. I've lost
touch with most of them. I wasn't trying to turn them into agents, and they
were patriotic Russians who liked me despite, not because of, me being
American. The fact that they might be getting FSB attention now is sickening.

The fucking government, man. It really blows your mind sometimes.

~~~
jacquesm
What on earth were you thinking?

To expand a bit on that: any job that requires you to list the names of random
people that you've had contact with in the past should be avoided like the
bloody plague, there is _nothing_ that those people have done to warrant you
putting their name into some form and subsequent database with unknown
consequences for the people you decide to list.

They're not sheep to be offered up on the altar of your ambition to rise up in
the ranks, absolutely _nothing_ good could ever come for them. So if the
penalty is perjury just walk, that way you don't perjure yourself.

~~~
jonwachob91
Only they weren't random people, they were people he knew. And if you knew
anything about getting a Clearance in the States a lot of it is based on how
truthful you are on your SF-86 - List you used to be addicted to
methamphetamine and you might still get a clearance, lie about that one time
you smoked pot and you lose any hope of getting a clearance. It's done to
smoke out any "snowdens" and "mannings" who are trying to get a clearance for
things other than wanting a job. (Not that Manning or Snowden joined to leak
intelligence, but many have tried and many have been rejected).

~~~
jacquesm
Way to go to misinterpret that: random people as in 'people that you simply
come in contact with during everyday life'.

It's not as if any of those people had a way of controlling who they came in
contact with. Life is built up out of tons of coincidences and who you know is
rarely a matter of deliberation, far more often it is random chance that
causes you to know one person and not to know another.

~~~
jonwachob91
Random is the Russian I sat next to on a flight to NYC and never talked to /
connected with again.

Random is NOT the guy I went to school with in Moscow and would fly back to
Russia for a wedding for.

The OP didn't say which group he'd classify his friends in, but if he thought
it was pertinent enough to list them, then he had a close enough relationship
to warrant listing them. Cause when OPM/FBI find out that you went to school
for a year in Moscow and you didn't list any acquaintances, they'll raise
some flags and find what you are hiding.

------
protomyth
Perhaps if the press had actually reported on the Department of Interior's
antics[1][2] surrounding Cobell v. Salazar[3][4], we could have brought to
public a discussion of our government's handling of sensitive data. A whole
department was removed from the internet[5], should have been a wake up call
for data handling. I don't remember it being covered in the tech press of the
time.

1) [http://www.internetnews.com/bus-news/article.php/1562181/Court+Seeks+Inquiry+Into+BIA+Internet+Use.htm](http://www.internetnews.com/bus-news/article.php/1562181/Court+Seeks+Inquiry+Into+BIA+Internet+Use.htm)

2)
[http://www.indianz.com/News/show.asp?ID=pol01/1262001-1](http://www.indianz.com/News/show.asp?ID=pol01/1262001-1)

3)
[https://en.wikipedia.org/wiki/Cobell_v._Salazar](https://en.wikipedia.org/wiki/Cobell_v._Salazar)

4)
[http://fcnl.org/issues/nativeam/chronology_of_the_department...](http://fcnl.org/issues/nativeam/chronology_of_the_department_of_interior_trust_scandal/)

5) This also for a time included all Native American colleges including those
that were buying their own line and chartered by the tribe and not the BIA. It
left students without access to distance learning classes and research beyond
small libraries. It was hellish on students.

------
jbuzbee
OK - Anyone for a funny story regarding filling out an SF-86?

As part of the clearance process, your co-workers are interviewed regarding
your work-habits, perceived integrity, etc. We had one woman, "Mary", in the
office who was a bit of a busy-body, listening in on phone calls, other
people's conversations, etc. One day she overheard another young woman, co-
worker "Jane" talking on the phone regarding meeting her boyfriend John at the
airport. In order to embarrass him, Jane and a friend were going to dress up
like hookers, hang all over him etc. Only Mary didn't hear the whole story and
became convinced that Jane was really involved in prostitution and was going
to meet a John at the airport. So when investigators were working on Jane's
clearance, Mary flat-out told them that Jane was a practicing prostitute on
the side. I'm sure these investigators hear it all, but I can only guess that
this was a memorable interview. Of course when the investigator confronted
Jane with the accusation that she was a hooker, she flipped out. Mary and
Jane's relationship was never quite the same after that..

~~~
devonkim
A lot of investigators are completely incompetent and the job has one of the
lowest pay of any cleared jobs out there. My investigator didn't realize I was
male until he had interviewed a friend of mine and corrected him.

------
Animats
This is a huge breach, and it will have repercussions for a generation. Nobody
thought of the Office of Personnel Management as security critical.
Previously, OPM has been criticized for not being computerized enough. OPM
exists as a unit to centralize personnel records across agencies, all of which
once had their own systems. Their retirement operation is still paper-based
and located in a mine in Pennsylvania.[1]

Apparently, they succeeded in centralizing security clearance data. Then, of
course, it had to be made available to all the security agencies. Remember the
demands after 9/11 for "tearing down the walls" between the law enforcement
and security communities? That means lots of people able to access databases
in other agencies. Of course, people will want to access the data from the
field on their mobile device.

[1]
[http://www.washingtonpost.com/sf/national/2014/03/22/sinkhole-of-bureaucracy/](http://www.washingtonpost.com/sf/national/2014/03/22/sinkhole-of-bureaucracy/)

~~~
mpyne
Not just that, but how do these disparate government agencies verify that so-
and-so checking into the local agency office is actually cleared for SECRET or
TS or whatever?

They have to look it up somehow. That lookup will likely involve a computer
database, and the pathway to reach that database will likely involve the
Internet.

Practically all the rest of this sad story follows immediately, because the
whole strategy of how the government handles computerized records in general
is all screwed up.

Even after this I'm not sure it will get better... the trend in government is
for inexorable centralization of related information. At the same time there's
incredible demand to have those work-related systems available online and all
the time, so that people can work while on duty travel, or from home.

Obviously there are technical things that can be done to mostly have our cake
and eat it too (VPNs, redacted mirrors/views of the sensitive central database
to be made available across the public Internet, etc.). But no one gets
promoted in the government for doing that, and much of the talent is at Google
or Facebook or Silicon Valley anyways :P.
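
The "redacted mirror" idea from the comment above, as an added example that is not part of the original thread: only an allow-listed projection of each record (clearance level and expiry, keyed by an HMAC of a credential ID) is exported to the Internet-facing lookup system. The record layout, field names, function names and sample data are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample of central records; the field names are hypothetical
# stand-ins for the kind of background data the thread describes.
CENTRAL_RECORDS = [
    {"credential_id": "A1001", "name": "Constructed Person One",
     "clearance": "TS", "expires": date(2027, 1, 31),
     "foreign_contacts": ["constructed contact"], "finances": "constructed"},
    {"credential_id": "A1002", "name": "Constructed Person Two",
     "clearance": "SECRET", "expires": date(2014, 6, 30),
     "foreign_contacts": [], "finances": "constructed"},
]

LEVELS = {"CONFIDENTIAL": 1, "SECRET": 2, "TS": 3}

# Allow-list: a field reaches the mirror only if it is named here, so new
# sensitive columns added to the central schema never leak by default.
MIRROR_FIELDS = ("clearance", "expires")


def lookup_token(key: bytes, credential_id: str) -> str:
    """Keyed pseudonym for a credential ID.

    An HMAC is used instead of a bare hash because credential IDs are
    low-entropy and a bare hash could be reversed by enumeration. The key
    lives with the lookup service, not in the mirror table.
    """
    return hmac.new(key, credential_id.encode(), hashlib.sha256).hexdigest()


def build_mirror(records, key: bytes) -> dict:
    """Project central records down to what a front desk needs to verify."""
    return {
        lookup_token(key, rec["credential_id"]): {f: rec[f] for f in MIRROR_FIELDS}
        for rec in records
    }


def is_cleared(mirror: dict, key: bytes, credential_id: str,
               required: str, on_date: date) -> bool:
    """Answer only yes/no; fail closed on unknown IDs and expired entries."""
    if required not in LEVELS:
        raise ValueError(f"unknown clearance level: {required!r}")
    row = mirror.get(lookup_token(key, credential_id))
    if row is None or row["expires"] < on_date:
        return False
    return LEVELS[row["clearance"]] >= LEVELS[required]


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-use"
    mirror = build_mirror(CENTRAL_RECORDS, demo_key)
    print(is_cleared(mirror, demo_key, "A1001", "SECRET", date(2015, 6, 15)))
    print(is_cleared(mirror, demo_key, "A1002", "SECRET", date(2015, 6, 15)))
```

A dump of the mirror table then yields clearance levels and expiry dates under opaque tokens, not names, contacts or financial history; the central records stay on the system that is not reachable from the Internet.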

------
jbuzbee
Well if this includes the entire SF-86 database, then I guess it includes me.
And I realize there's nothing I can do about it, so I guess I'm not sweating.
Life goes on. If it really was the Chinese behind it, then the data likely
won't ever end up dumped on pastebin or wherever.

The SF-86 form gets very, very personal, so I can imagine that some folks will
be panicked, but reading my form would be a yawner. Maybe I need to get out
more :-)

~~~
termain
Is it the entire SF-86 database, including contractors? Or just government
employees?

~~~
caseysoftware
OP here.

 _Everybody_

The first sentence of the article I linked to: "The Chinese breach of the
Office of Personnel Management network was wider than first acknowledged, and
officials said Friday that a database holding sensitive security clearance
information on millions of federal employees and contractors also was
compromised."

------
peterkelly
I truly hope this will make all NSA employees that have worked on mass
surveillance infrastructure come to understand the importance of privacy, and
reconsider their participation in the similarly intrusive but far more large-
scale crimes that their own organisation is guilty of.

~~~
gohrt
It would be fascinating if foreign intelligence agents were to use this
information against NSA agents in some way.

~~~
jacquesm
The more likely way in which this will be used is by targeting those abroad
who have been in contact with the US intelligence community. A bit like what
they accused WikiLeaks of doing with the cablegate release.

------
logn
I don't get why this is a big deal. If the people don't have anything to hide,
they shouldn't be worried. That they're so concerned is highly suspicious and
indicative of loose morals. China is just protecting its national security and
has a right to do so.

~~~
growupkids
I think you're missing the point, and would mind if we all went through your
financial, medical and personal records. These records are made available to
OPM under what are supposed to be strict privacy controls, because it's very
very personal information. Everything from divorces, psychological counseling,
drug history, you name it. You open up every secret in your life to scrutiny
to demonstrate that despite all that you can be trusted. None of that is
anyone's business, and it's supposed to be protected and only available to a
small number of people for a period of time to determine if you can be
trusted.

Everyone has things in their lives they'd rather not have made public because
it's nobody's business, and this compromise just betrayed the trust all those
people put in the US government.

~~~
scintill76
Grandparent post may have been parodying the "nothing to hide = nothing to
fear" argument that's used to support ubiquitous surveillance etc.

------
bsder
And this, boys and girls, is why you _DELETE_ valuable, sensitive information
when you don't need it anymore.

But, deleting information might result in an error of commission which would
have your signature on it rather than an error of omission which has no one
readily blameable. So, no one in the organization will ever sign off on it.

~~~
andreyf
Or you could archive it on an air gapped network and delete it from all
systems connected to the internet. Seems like a relatively simple procedure
that I imagine is in use all the time with sensitive data...

------
prmurphy
Makes me wonder about their kind offer to centralize all our health records.

~~~
GabrielF00
FWIW, I recently had to get the records of a medical test that was performed
when I was a teenager. All I had to do was fax the hospital a form with my
date of birth, approximate year the test was done, and a signature, and they
sent the records to me in the mail. Absolutely terrifying.

~~~
radicalbyte
I've been working in the industry for 6 months, and so far I've learnt that
having a date-of-birth, post-code and surname is all you ever need.

..and that for twins, having the same post-code can be fatal..

------
gmuslera
NSA security breach was several orders worse. Instead of getting all the
sensitive information of 4 million US citizens with some ties with their
government, it got sensitive information of 4 billion world citizens, and keeps
getting it because the backdoors, mass information collection, network
interception and so on are still running. The elephant in the room is not just
big, but pretty smelly too.

------
tdicola
Doesn't this breach pretty much invalidate anyone who has ever had a security
clearance? A bad actor who got ahold of the data could find people in
sensitive positions and blackmail them with the sensitive information in their
security clearance history. How can anyone be trusted going forward?

~~~
blazespin
If you have something you can be blackmailed over you can't get security
clearance. The info, however, does facilitate identity theft and KBA type
auth. It'd be easier to pose as someone who does have clearance, which
undermines the system.

------
borski
They collect the info in order to obtain anything a foreign operative could
use to blackmail you. The kicker? OPM also stores the results of the
Polygraphs. Were they accessed? I don't know.

------
justinsingh
Fragile data such as this needs to not only be prevented from being stolen,
but also needs to be of no use to a hacker even if it is stolen. Only then can
we truly be robust to error.

------
Zigurd
The sheer number of people with clearances who are now at risk of blackmail
and other untoward influence has everyone saying how terrible it is. OK.
Obviously.

But what about the obvious fix: Pull clearances from everyone who does not
need one. I mean really NEED. There are hundreds of thousands of schlubs with
clearances only because the paperwork they have access to is classified higher
than FOUO. And that classification is the product of self-importance and ass-
coverage.

------
sandycheeks
I have been watching this unfold wondering if any of the data compromised was
part of the Personnel Reliability Program.

[https://en.wikipedia.org/wiki/Personnel_Reliability_Program](https://en.wikipedia.org/wiki/Personnel_Reliability_Program)

Has anything been said about this?

------
blazespin
This probably sounds very awful but part of me really really really hopes that
the vulnerability at the source of this was caused by one of the NSA programs
to undermine security. Maybe then the sheeple will wake the freak up.

------
slyrus
"These days it's all secrecy and no privacy"

------
DennisP
I'm wondering whether this information could make it easier to accomplish
significant social engineering hacks.

------
DonGateley
Has any of this purloined information appeared anywhere or is there any
evidence yet of it being used?

------
stox
There was only one truly secure system, but then the Big Bang happened.

------
mkramlich
The flip-side of this story? Imagine what the NSA is doing. Imagine how much
information the NSA is slurping up, on everybody, 24x7. Now... assuming their
databases are an even more attractive target to hackers/criminals. Now assume
that the folks who design/build/maintain/operate the NSA's are just as human
as you and I, and therefore, are still prone to making just that one "oopsie"
kind of mistake in their defenses. When that happens? All that data they slurp
up falls into the hands of the hackers, criminals, people who mean you harm,
etc.

Only part of the danger of what the NSA is doing is due to the "what if
government turns evil" scenario.

The other danger is the "what if hackers/scumbags/criminals get hold of it"
scenario.

Only one of those scenarios has to happen, in order for it to hurt you. And
the NSA has the very biggest pot of gold at rainbow's end,
PII/fraud/blackmail-wise, of any of these systems to date. Contemplate that.
Fear that. Take political action. Make day-to-day choices based on that.

~~~
janesvilleseo
I'm sure this will put me on some list, but you are right. They have a ton of
information. It's probably just a matter of time before they get hacked. The
question is by whom and for what purpose. It would be interesting if it was
done as an act of civil disobedience.

------
GizaDog
I'm sure there was a USB backdoor open somewhere. So whose fault is it if the
US can't protect its own data? Blame others! That seems to be the way they
operate!

------
spacko
> ... names of neighbors and close friends.

Why for Christ's sake do they even collect this data in the first place? This
is not a database on felons or potential terrorists ... why does the
government care about the neighbours of their employees???

~~~
modeless
This is a database of potential Snowdens. The "intelligence community" is a
strange, puritanical, paranoid sort of place. It wouldn't be so bad if it
hadn't grown so preposterously large.

~~~
jbuzbee
Note that this is far larger than the "intelligence community". This would
include everyone from janitors who empty the trash in secure facilities to
accountants, to mechanical engineers who design pumps for nuclear facilities,
to web designers who write database front-ends, etc, etc, etc. And to say all
of these folks are "puritanical, paranoid" is a very limited viewpoint.

~~~
modeless
If you filled out an SF86 it's because the "intelligence community" demanded
it. That doesn't mean you're personally puritanical or paranoid; you're just
subjected to the requirements of people who are; people who have altogether
too much power and influence these days. And now those requirements have come
back to bite you.

~~~
jbuzbee
As more clarification, this is not just relevant for the "intelligence
community", i.e. the three-letter-agencies. It would also apply to folks at
various National Laboratories, Army bases, NASA, etc. And even for
universities doing government-sponsored research. When I worked at Cal-Tech
associated Jet Propulsion Laboratory, plenty of people had clearances.

~~~
modeless
We are using different definitions of the words "intelligence community". To
me, if you have a clearance then that makes you part of the "intelligence
community" regardless of whether your salary is paid by NSA, NASA, a defense
contractor, a national lab, the Army, a university, or whatever.

~~~
mpyne
If your definition of "intelligence community" includes NASA or random low-
level soldiers just trying to keep their planned operations out of the hands
of their adversaries, then I'd submit that your definition of "intelligence
community" is functionally useless. Just say "clearance holders" if that's
what you mean... there's already a very precise definition of "intelligence
community" as it pertains to the U.S. anyways.

