
Office of Personnel Management Says Hackers Got Data of Millions of Individuals - mrmaddog
http://www.nytimes.com/2015/07/10/us/office-of-personnel-management-hackers-got-data-of-millions.html?smid=nytnow-share&smprod=nytnow&_r=0
======
murbard2
And yet, tomorrow they'll have no qualms making the case that, of course, the
government can securely keep backdoor keys to investigate encrypted
communications.

~~~
mpyne
Have the secret backdoor keys for Dual EC DRBG leaked yet? Nuclear launch
codes and authenticators?

Analogies are useful but don't get carried away, especially when talking about
something as broad as "the government" (as if it were one singular thing). The
fact that a BLM federal officer lost his firearm doesn't instantly mean that
all of our Tomahawk cruise missiles are next to be stolen.

~~~
Lx1oG-AWb6h_ZG0
What the hell are you on about?

The closest thing to the proposed encryption backdoor is the clipper chip
proposal of the 90s, and that did have severe vulnerabilities that the authors
completely overlooked.

And I'd recommend you watch John Oliver's segment about nuclear launch codes
to recalibrate your trust in those officials. We've come scarily close to
Armageddon multiple times over the last few decades, which was prevented only
by sheer dumb luck. Just because it's the scariest thing known to man doesn't
mean the people responsible for it aren't incompetent.

------
fixermark
No surprises there.

I get deeply frustrated (though I understand where they are coming from) when
governments make the argument that they can't take advantage of this or that
cloud service because the service's security isn't vetted. Clearly, the
security in the backing systems owned by the government isn't sufficiently
vetted either, so they're sacrificing velocity for non-security.

I know, it's a flippant attitude. Blame a lousy day. ;)

~~~
comrade1
There's quite a bit of U.S. government on Amazon cloud. Using a cloud service
doesn't magically give you better security.

This is more an indication of the NSA focusing too strongly on
offensive/monitoring operations and not on information security, which is
their job as well.

~~~
mpyne
Network security is not NSA's job. Nor is information security.
_Communications_ security is, but only for "national security information"
(i.e. classified) and military communications.

Defense against "cyber attack" isn't even NSA's job, and where NSA
participates in such endeavors that's on .mil, not .gov

DHS _does_ have responsibility for cyber security on .gov however. But what is
DHS supposed to do if OPM decides to throw open the keys to the kingdom to any
random "authenticated" contractor handling background checks?

P.S. NSA might somehow have caught this despite everything I mentioned if they
were engaged in better "monitoring operations" on other government networks
and international communications relays... is that really what you want?

~~~
irishcoffee
> NSA might somehow have caught this despite everything I mentioned if they
> were engaged in better "monitoring operations" on other government networks
> and international communications relays... is that really what you want?

I can think of a few million people who might have, yeah.

~~~
mpyne
Don't get me wrong, _I'd_ sign up for it if the alternative is 20+ million
records of private data in the hands of an unfriendly state. But then I don't
think that NSA is Literally Satan™ either.

~~~
irishcoffee
Apologies if I came off as snarky, I was in a bad mood. People want their
privacy, and they also seem to "deserve" a reason why Victoria was fired from
reddit. This unacknowledged dichotomous ideology confuses me.

------
hamburglar
When are we going to move from a nine-digit number to something a little more
secure for identity? I effectively want a public key and a private key and
require signing of forms submitted as me.

edit: Freely provide easy to use tools for doing the signing and verification,
and for people who still aren't savvy enough to do it themselves, train
notaries to do it.

~~~
grumio
You may be interested to see Estonia's advancement in this direction:
[http://estonia.eu/about-estonia/economy-a-it/e-estonia.html](http://estonia.eu/about-estonia/economy-a-it/e-estonia.html)

~~~
dimino
I'm immensely jealous of Estonia's ability to rebuild their infrastructure
from the ground up. I know we'll never have that chance in the US, but if we
did, we could build something truly incredible, especially now that government
is slowly starting to understand the benefits of the "lean startup" model (I
say that loosely).

------
bitJericho
The worst of this is that I had just taken a government job when the 4.2
million person breach was claimed to have happened. I had very serious
concerns about giving out so much (and it was an absolute ton, more than any
other employer I've ever worked for) information. I had thought about not
taking the job but like many Americans I really didn't have much of a choice.
The choice was homelessness and perhaps even going to court for failing to pay
my obligations, or a nice comfy job and pay.

Why does the government need so much data on its employees; that's what should
be asked!

~~~
engi_nerd
> Why does the government need so much data on its employees; that's what
> should be asked!

I don't know if you had to get a clearance or not, and if you did, what kind.
But assuming that you did get a clearance, they need all of this information
because they need to build up a psychological, emotional, familial, and
financial profile of you to determine how much of a risk you are. At least,
that is what the government will tell you is the reason why they investigate
you so much.

You can request a copy of the investigation the US government performs on you
(whether you are a government employee or a contractor with a clearance)
through a form you can find on the website of the Office of Personnel
Management. Although, hilariously, they will censor some of the information
about you that they find. That is a window into what their thinking is,
because you see who they talk to, what questions they ask, and how people
responded.

------
dguido
Before you start shitting on OPM and the like, is this any different than what
would happen if a dedicated attacker came after the most valuable data in
_your_ company?

Clearly, OPM should know, but omg is the state of security poor.

~~~
FooNull
> is this any different than what would happen if a dedicated attacker came
> after the most valuable data in your company?

My company didn't compile detailed background information about my "sexual
misconduct", or spend money trying to detail the ways in which I might be
blackmailed.

So yeah, it's a little different.

~~~
mokus
And not only your information - that 21.5 million figure given for the
clearance database is 1 in 15 people in the entire United States population.

What I'd like to know is how this information failed to warrant even the level
of protection mandated for medical records - according to at least one major
news source, the data wasn't even encrypted. The standard criteria in the US
for "top secret" classification is described as material having the potential
to cause "exceptionally grave damage" to the national security of the nation.
A database of information pertaining to a process designed to collect all
information potentially usable for coercion (blackmail, social ties, etc) of
all the individuals in the most sensitive positions of the government, should
have been classified and protected at the Top Secret level.

Frankly, the outrage I've seen so far is not nearly enough for the scale of
the irresponsibility here. I firmly believe the director and CIO of the OPM
should not only be removed from office, they should be subject to criminal
charges for mishandling information that clearly _should_ have been
classified.

------
aburan28
This hack occurred well over a year ago. The DoD knows exactly how many people
this affected as it was informing its employees to be wary of the implications
of this (telling their kids to watch out for Chinese blackmail, potential
social engineering attempts with more informed information from the data
dump). I am honestly surprised this story took this long to be discovered.

------
melipone
There is a petition on whitehouse.gov to get free identity theft insurance
coverage for life: [https://petitions.whitehouse.gov/petition/provide-lifetime-i...](https://petitions.whitehouse.gov/petition/provide-lifetime-identity-protection-federal-employees-who-were-victimized-breach-opm)

------
mirimir
The NSA was slow in adapting to the Internet. Also, US cyberwar efforts have
been too focused on offense. They've assumed technological superiority. That
was safe 20 years ago (maybe even 10) but it's clearly not safe now.

------
codesilverback
So did anyone get fired?

~~~
stephengillie
A loyal employee that made a mistake is still a valuable employee. We should
focus on prevention and obviation (you can't steal what isn't there) over
severe punishments.

~~~
mpyne
This wasn't just a single employee that made a single mistake.

The Navy is happy to fire commanding officers for calling out sailors who show
up late for physical training because it's embarrassing to the sailor, and yet
it seems like we can't get anything close to that kind of accountability
elsewhere.

It's not so much that Archuleta 'let this happen' (since I guarantee they
would be hacked anyways), but the defensive efforts prior to this happening
were even worse than you'd expect for government, and the response efforts
since have almost been worse!

~~~
tsotha
Archuleta is a party hack who got what was supposed to be a patronage
position. There are thousands of them the parties use to reward, you know,
county canvassers after a successful campaign.

She should definitely be fired, not so much for what she allowed to happen per
se, but because she doesn't have anything like the background she needs to do
the job with which she's been entrusted.

------
ebel
AWS GovCloud has a very small subset of AWS public features. Enough to get the
job done though. Most importantly, it complies with all the FedRAMP, ITAR
standards. The Government is just inherently slow in adopting and leveraging
AWS's awesome infrastructure.

------
justonepost
What's problematic about this is clearance data usually involves investigators
asking questions of references of the applicant: "Do you know anything that
could be used to blackmail the applicant into revealing confidential
information?" If that sort of info was saved (even for those rejected
clearance because they DID find something) and stolen in this hack, that could
be rough going for a lot of folks.

[https://www.clearancejobs.com/security_clearance_faq.pdf](https://www.clearancejobs.com/security_clearance_faq.pdf)

"What will I be asked during a security clearance interview? During a ESI, the
investigator will cover every item on your clearance application and have you
confirm the accuracy and completeness of the information. You will be asked
about a few matters that are not on your application, such as the handling of
protected information, susceptibility to blackmail, and sexual misconduct. You
will be asked to provide details regarding any potential security/suitability
issues. During a SPIN, the investigator will only cover the
security/suitability issue(s) that triggered the SPIN. The purpose of the SPIN
is to afford the applicant the opportunity to refute or to confirm and provide
details regarding the issue(s)."

More:

[http://www.navytimes.com/story/military/2015/06/17/sf-86-sec...](http://www.navytimes.com/story/military/2015/06/17/sf-86-security-clearance-breach-troops-affected-opm/28866125/)

"They got everyone's SF-86," one Pentagon official familiar with the
investigation told Military Times.

"The SF-86, a 127-page document, asks government employees to disclose
information about family members, friends and past employment as well as
details on alcohol and drug use, mental illness, credit ratings, bankruptcies,
arrest records and court actions."

..

[http://news.clearancejobs.com/2015/06/13/sf-86-stolen-opm-ha...](http://news.clearancejobs.com/2015/06/13/sf-86-stolen-opm-hack/)

"The entirety of at least some SF-85 and SF-86 background investigations held
on OPM servers were breached, meaning sensitive data including relatives,
spouses, and sensitive information on everything from mental health counseling
to sexual behavior is now in the hands of the Chinese government."

And if you're really bored:

[https://www.opm.gov/Forms/pdf_fill/sf86.pdf](https://www.opm.gov/Forms/pdf_fill/sf86.pdf)

~~~
dsfyu404ed
This is why they say anyone in government or contractor work should get a job
that will get them a clearance ASAP once they're out of school. Someone fresh
out of school has a hell of a lot less history for the gov't to ask about and
record than someone who's in their 40s.

So what if the red bastards get the file of someone who's 22yo and just out of
school? Chances are it's 90% OSInt anyway.

------
spoiledtechie
I would like to ask a question, but it's real. How many of you, yes and no,
would be willing to go to war knowing that China is making a record of every
single interesting person in the United States? Would you physically be
willing to go to war over that fact? They are literally profiling us and it
seems like the average US citizen gives 2 shits.

~~~
cinquemb
Ha, I guess they can join the team of the tech companies and other government
agencies around the world doing the same. All of which is going to be
increasingly available to the public.

The naked babies uploaded by their parents and parents' friends today will be
very familiar with the way the world will be, for it will be all they would have
known on some personal level beyond the grandparents of that time ranting on
how good things used to be and wanting to allocate resources for destruction
of others for such banal causes, despite the hypocrisies as their robot aides
wipe the slobber from their mouths…

~~~
spoiledtechie
Your response was out of left field. What was the point you were trying to
make?

