
US hit by 'massive data breach' - alan_cx
http://www.bbc.co.uk/news/world-us-canada-33017310
======
dpcan
I feel like we need to change our direction in terms of "identity"
altogether.

We seem to be relying on an "identity" that is our name, ssn, phone number,
credit card number, or all these different little bits of data clumped
together. Too messy, too easy to steal, to fake, too easy to sell.

Maybe our identity is more like a bitcoin wallet. It's an encrypted clump of
data that we only keep with ourselves, and ourselves alone. It could store
money, confirm that we are who we say we are because it can have our picture
in it, our names, our "numbers" for various things.

Then, when someone needs ANYTHING from us, be it proof of identity, money, or
trivial info, we can send them a piece of useless information salted with
something that they then return to us with the same salt to get back a
confirmation, or money, or access to "use" our other numbers, but they never
GET our other numbers.

If you want my phone number, you send a request to me asking for it. I get the
request, confirm it, send back another piece of data to you. This is NOT my
phone number, but something you can use to send to me again in the future when
you want to call me, and then my number is dialed, but you never see it. At
any time, I can wipe you off my safe list, and you don't have my phone number
anymore. Same thing can work when paying for something, or proving I am who I
say I am when getting a loan, buying beer, whatever.

Maybe this is ridiculous.

~~~
skwirl
What happens when your "identity wallet" gets stolen?

~~~
natrius
_"You pick eight entities; they may be your friends, your employer, some
corporation, nonprofit or even in the future a government, and if anything
goes wrong a combination of five of them can recover your key. This concept of
social multi-signature backup is perhaps one of the most powerful mechanisms
to use in any kind of decentralized system design, and provides a very high
amount of security very cheaply and without relying on centralized trust."_

[https://blog.ethereum.org/2015/04/13/visions-part-1-the-value-of-blockchain-technology/](https://blog.ethereum.org/2015/04/13/visions-part-1-the-value-of-blockchain-technology/)

If you're not paying attention to Ethereum, you're missing out on the biggest
story in technology ever. They're building systems that combine cryptographic
identities and a global tamper-proof execution environment to bring the costs
of interacting with any stranger on the planet to nearly zero. Every large
organization on the planet (i.e. companies and governments) formed as a
reaction to today's levels of transaction costs. Eliminating those transaction
costs will reshape our society in ways that increase liberty and wealth. You
can build the software that helps make that happen. My email's in my profile
for anyone who wants help getting started or learning more.

~~~
SixSigma
I don't have 8 entities I can rely on to be contactable.

------
SCAQTony
Huge data breach and the FBI is screaming from an ivory tower that encryption
is the hallmark of all evil and that backdoors are a really good idea.

"Privacy, above all other things, including safety and freedom from
terrorism, is not where we want to go..." - FBI Associate Director Michael
Steinbach

~~~
themeek
The USG reserves the use of backdoor-free software and strong encryption for
itself, so I'm not sure that this is a worry with regard to the recent data
breach.

The FBI means that consumers and foreign markets should not have encryption or
backdoor-free software. I understand that this is a double standard, but we
need to be clear that the double standard doesn't have to do with this most
recent breach.

~~~
Zigurd
That's not really how it has worked. CAs can't be trusted because, in part,
the USG wants to corrupt them as needed. Encryption systems get weakened
because the NSA wants to be able to break them. Vulns don't get reported. Etc.
It isn't a "double standard." The tech industry's well has been poisoned in the
name of surveillance.

~~~
linkregister
> CAs can't be trusted because, in part, the USG wants to corrupt them as
> needed

Has this happened? Or did a U.S. government official slip up and admit the
future intention publicly? (I wouldn't be surprised)

The only CA corruption I've heard of was a MOIS/VAJA operation against
DigiNotar and a corporation overstepping its agreement with a CA by abusing a
delegate root CA.

~~~
themeekforgotpw
Oh yeah, CAs have been broken for decades. I remember reporting way back on
Room 641A at AT&T having shadow certs.

------
jacinda
As a former government contractor, I wish I could say I'm surprised.
Unfortunately, computer/network security in many government agencies
frequently has more to do with policy documents than with anyone technical
actually determining whether the system is secure.

~~~
yellowapple
Which explains why the FBI thinks backdooring encryption is a good idea,
despite it being the literal opposite of one.

------
jsingleton
Bit short currently. Looks like more detail from these sources:

[http://mashable.com/2015/06/04/data-breach-hack/](http://mashable.com/2015/06/04/data-breach-hack/)

[http://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html](http://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html)

~~~
sehugg
Ars too: [http://arstechnica.com/security/2015/06/federal-agency-hit-by-chinese-hackers-around-4-million-employees-affected/](http://arstechnica.com/security/2015/06/federal-agency-hit-by-chinese-hackers-around-4-million-employees-affected/)

------
bashinator
* cyber attack
* cybersecurity system
* cyber-intrusion
* cyber databases (twice!)
* cyber threat

Use of the word "cyber" adds virtually no insight or context to this article.

~~~
bhauer
"Cyber databases" was the clincher for me. At least all of the others are
using the adjective to (ostensibly) distinguish from a more general version of
the same. A cyber-attack versus a straight-up physical attack. A cyber-
intrusion versus physical trespassing.

But who uses the term "database" to refer to anything but a store of data on a
computer system?

I realize the BBC has some old-fashioned style guide it's using here, but
"cyber databases" betrays a bit of a need to revisit that guide.

_Edit: I've made a couple of recommended edits for the BBC as seen here:
[http://i.imgur.com/cewmams.png](http://i.imgur.com/cewmams.png)_

~~~
yellowapple
> But who uses the term "database" to refer to anything but a store of data on
> a computer system?

Technically, a "database" is just an organized collection of data. While
nowadays it's increasingly rare to encounter a non-electronic database, these
were once upon a time very commonplace. One specific example that I recall rather
fondly is the list of Dewey Decimal cards that libraries would keep in narrow
file cabinets so that users could search through them and find the books they
wanted. While my school library's catalog was already digitized, I still used
these cards sometimes, finding books that had been omitted from the digital
system for whatever reason (though these were eventually cleaned up when the
digital system itself started to include the creation of spine labels, thus
causing non-cataloged books to become more obvious).

~~~
bhauer
I am familiar with the term as it was used prior to computers. But the BBC's
insistence on qualifying a database as a "cyber-database" in 2015 is a gross
anachronism, the likes of using the phrases "touch-tone phone" or "world-wide
web."

~~~
chatmasta
A more accurate analogy would be using phrases like "cell phone," which
are certainly still commonplace. Adjectives tend to stick around longer than
necessary for disambiguation, but that doesn't mean they are useless.

------
nedwin
We hear a lot about Chinese attacks on the US but virtually nothing about the
opposite, which undoubtedly does happen.

Reading the wiki page on "Cyberwarfare" there are sections on each country,
like "Cyberwarfare in Germany", "Cyberwarfare in India" etc.

Both the "Cyberwarfare in USA" and "Cyberwarfare in China" are about Chinese
attacks on the US...

[http://en.wikipedia.org/wiki/Cyberwarfare](http://en.wikipedia.org/wiki/Cyberwarfare)

~~~
cm2187
I presume you would need to search the web in Chinese, not in English, to read
about those.

~~~
sanderjd
That's too bad. Theoretically, we have English-language journalistic
institutions doing that for us.

~~~
Sideloader
They generally toe the official government line, at least the mainstream media
does. The opinion pages contain the odd piece here and there that deviates
from this narrow perspective. But don't rely on the English-language (or any
language) media to present an unbiased viewpoint that gives equal weight to
both sides of an argument when it involves the US or an ally/client state and
an "enemy" state like China or Iran.

~~~
devnul3
You think Snowden, GG, wikileaks, etc toe the government line?

~~~
themeekforgotpw
I think he means CNN, Fox, MSN, NBC, NPR, etc.

[https://wikileaks.org/sony/emails/emailid/133736](https://wikileaks.org/sony/emails/emailid/133736)

(From the State Department to the CEO of SONY.)

------
rmrfrmrf
It's OK, I'm sure whoever did it had a warrant.

~~~
fleitz
Yeah a FISA judge in China authorized the search so it's ok.

~~~
dmix
Yep, the US is a foreign country and hey they do it too. Every country spies!

------
ChrisAntaki
This is a great example of why the NSA & FBI should invest in strengthening
American encryption standards, instead of trying to weaken them.

~~~
mpyne
Why? Actually using existing standards would have worked just fine. Making
existing standards easier to use might have helped, but the problems in
government use of IT extend far deeper than just the choice of crypto
standards.

------
Zikes
[https://news.ycombinator.com/item?id=9661848](https://news.ycombinator.com/item?id=9661848)

I am shocked. Shocked, I tell you.

------
cm2187
It's hard not to make this trivial comment so let's make it:

At least it may give a taste to US nationals of what it feels like to have
your country hacked by a foreign power, like most European countries nationals
felt after the Snowden leaks.

~~~
chc
You seem to think this is something the US is unfamiliar with. The US has been
one of the largest targets of attacks for a long time now. This is just the
first time the government itself has been attacked on such a large scale
rather than private parties.

(See [http://map.ipviking.com/](http://map.ipviking.com/) if you want a live
demonstration.)

~~~
yellowapple
I find it interesting that the third-place attacker - behind only the United
States and China - is currently the Netherlands.

~~~
chc
IIRC the list of attackers isn't very stable other than China being #1, the US
almost always being #2, and Russia usually being pretty high. Right now it's a
close race for third between Bulgaria and Russia, and the Netherlands isn't
launching any attacks.

------
fieryscribe
The timing of this report is very "interesting", given recent news:
[https://news.ycombinator.com/item?id=9659784](https://news.ycombinator.com/item?id=9659784)

------
themeek
This is part of an ongoing cyberwar between great powers - the largest
adversaries to the US being China (mostly smash and grab) and Russia
(primarily sophisticated and surgical).

It would be nice if there was some place where we could see the scoreboard to
know how effective and how often we hack the Chinese back. Right now it looks
like our tax dollars are being spent getting hacked, but the US government has
doubled down many times on offensive cyberwar capabilities and now have
professional cybersoldier career tracks in the DoD.

What's the assessment?

~~~
goodcanadian
Actually, this is an interesting question. The U.S. may well be hacking China
left, right, and centre. There is nothing forcing China to disclose when they
are hacked. There might be political advantage in loudly complaining. On the
other hand, they might find it better not to admit weakness, especially to
their own people.

~~~
themeek
The US undoubtedly hacks China, though there are some forms of asymmetry whereby
the US has more to lose.

There's also a language and media bubble that filters out information and
criticisms of the United States. These bi- and multi-lateral criticisms happen
all the time but rarely are subject of US media reporting.

~~~
goodcanadian
Fair point, but you are assuming I rely on U.S. media reporting. I most
certainly do not; in fact, I pay little attention to U.S. media reporting. I
do rely on English language reporting, however.

~~~
themeek
:) Thanks good Canadian.

Yes, I am speaking primarily to a US audience and from my own experience as a US
citizen.

As a tangent - how is Canadian reporting overall? Is it reliable?

~~~
goodcanadian
Well, I haven't lived in Canada for a few years . . . I find Canadian
reporting to be somewhat better than the U.S., but not nearly as good as some
of the international sources like the BBC and Al Jazeera.

~~~
Sideloader
I disagree. Three or four corporations own almost the entire Canadian media,
from traditional print publications to television and Internet. The range of
viewpoints on offer is extremely limited. For example, the two daily
newspapers in Vancouver are owned by the same company. The two (or is it
three?) private "over the air" TV networks are run by the same companies that
own the two national daily newspapers. This type of media concentration would
be illegal in the US. The Canadian media is incestuous and prone to nepotism
and corruption. The CBC network took government money to produce a series run
on their flagship nightly newscast that sent their chief correspondent (who
was also a Bilderberg guest) on a tour of the Northwest Passage aboard a Coast
Guard ice breaker. This coincided with the government's ramping up PR about a
"strong northern presence to assert Canadian sovereignty". A CBC business
correspondent was on the payroll of a national financial institution, and
married to a high-level employee of said bank, when she did an "independent
analysis" of this institution which just happened to show them in a very
positive light.

And Canada is the only Anglophone nation without a tradition of media
criticism. So, no, Canadian journalism is not in any way superior to US
reporting. Quite the opposite in fact. Canadaland, a weekly podcast started by
a dude who has worked for a variety of Canadian media outlets, directly
confronts the sick and feeble nature of Canada's media landscape.

~~~
themeek
Thanks sideloader.

Pretty damning anecdote about reporting on the arctic. Press coverage that
happily glosses over international uncertainty and debate in favor of a
national narrative and interests conclusively outs coverage for what it is.

Media concentration is extremely high inside the United States as well, and of
course reporting is similarly colored.

~~~
Sideloader
My post was a response to a claim that the Canadian media offers a higher
quality product than its US counterpart. I disagree and gave my reasons and
provided a couple of examples. I did not, however, claim that US media
concentration isn't high. It is, but it's not as extreme as the Canadian
example.

Independent media is almost non-existent in Canada, online or otherwise.
Viewpoints that deviate from the mainstream are few and far between. The only
online independent journalism site I can think of that has gained a wider
audience is The Tyee based in Vancouver. The Canadaland podcast, created and
hosted by journalist Jesse Brown, also seeks to provide a wider variety of
viewpoints and it directly addresses the sad state of Canadian media culture
(something Brown is intimately familiar with).

You picked one example I provided and took it out of context as if that
disproves my point. More info about the Parks Canada/CBC story:
[http://www.macleans.ca/society/technology/what-exactly-did-parks-canada-secretly-pay-the-cbc-65000-for/](http://www.macleans.ca/society/technology/what-exactly-did-parks-canada-secretly-pay-the-cbc-65000-for/)

~~~
themeekforgotpw
No, I wasn't arguing with you.

I was agreeing with you.

I do not think anything I said disproves your point, nor was it my intention.

I was speaking more broadly about the sorry state of journalism in both the
United States and Canada (not comparing them).

Thank you for the information.

------
foxhedgehog
A lot of people here are commenting, rightly, that this is an example of why
the USG should be strengthening encryption. It's also a reminder that, despite
its disproportionate focus in media, including on HN, the US is obviously not
the only government engaged in this behavior.

------
Red_Tarsius
I wonder how much social engineering was involved in the hack. No matter how
great your tech is, if your staff is not trained to be _paranoid_ you're going
to suffer the consequences.

_"Hey, I just found a USB pen on the floor. I wonder what's inside it..."_

------
blisterpeanuts
This is perhaps a stupid or uninformed question, but if databases are so
vulnerable, why is so much information still stored in cleartext? It seems to
me that taking the extra step to strongly encrypt data prior to writing to
tables would make the intruder's job much harder.

I speak not only as a programmer and database guy from way back, but as one of
the millions of Anthem subscribers whose personal data was stolen a few months
ago in a massive breach.

I know that "data breach" might well mean the keys were stolen which decrypted
an otherwise secure file, but the terminology suggests that the breach was
simple access into the system rather than acquisition of the precious keys
themselves.

Someone with superior knowledge of these things, kindly explain.

~~~
droopybuns
If it's a relational database, the core function of the database is to make it
searchable. If you encrypt the fields, you have to decrypt everything to
search them. So if search or relationships are important to you, encrypting
the whole database would be disruptive.

There is a type of encryption called "homomorphic" which could allow you to
perform operations on encrypted information. I haven't ever tried to implement
it and consider it one of those seductive ideas that probably can't get
implemented correctly in practice. But if there was a way to deliver an entire
encrypted database and still make it useful, homomorphic encryption is the
only way I am aware of that would make it work.

~~~
jessaustin
Perhaps the data you need to search is not the same as the data you might want
to encrypt? For instance name, address, ssn (or similar), billing info, etc.
could all be encrypted and you could still look for e.g. 50yo women in the
Northeast USA who haven't had a checkup in the last three years.

Of course many DBs need to search by name, but maybe it can be set up to
search by a hash of name? Hashes seem a bit simpler than homomorphic search.

~~~
droopybuns
> Perhaps the data you need to search is not the same as the data you might
> want to encrypt?

Bingo. That would be the correct middle ground. This is why some of the
database compromises that have happened are not complete disasters. I know
there have been a few instances of systems that had their db's dumped, but
passwords were safely protected by appropriate salting solutions.
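
As an added example (not code from this thread), here is the middle ground jessaustin and droopybuns land on, in Go: the sensitive fields are encrypted with AES-256-GCM and the table stores only a keyed hash (HMAC-SHA256) of the name as a blind index, so a lookup by name decrypts just the matching rows. The demo keys, the name-normalization rule and the in-memory table are assumptions of the example; the keys must live outside the database, which is exactly the "keys were stolen" case blisterpeanuts distinguishes from a plain dump.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"strings"
)

// Both keys live outside the database (KMS, HSM or application secret), so a
// dump of the table alone can be neither decrypted nor searched. Demo keys only.
var (
	encKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256-GCM
	indexKey = []byte("separate-key-for-the-blind-index")
)

// Record is the plaintext row: the fields the thread suggests encrypting.
type Record struct {
	Name string `json:"name"`
	SSN  string `json:"ssn"`
}

// Table stands in for the database; per row it keeps only the blind index of
// the name and nonce||AES-GCM ciphertext of the JSON-encoded Record.
type Table struct {
	aead cipher.AEAD
	rows map[string][][]byte
}

func NewTable() (*Table, error) {
	block, err := aes.NewCipher(encKey) // fails only on a bad key length
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // AES blocks are 16 bytes, so GCM setup cannot fail
	return &Table{aead: g, rows: map[string][][]byte{}}, nil
}

// blindIndex is the "hash of name" lookup key. It is keyed, so someone holding
// only the dump cannot confirm guesses by hashing candidate names themselves.
func blindIndex(name string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(strings.Join(strings.Fields(strings.ToLower(name)), " ")))
	return hex.EncodeToString(mac.Sum(nil))
}

// Insert encrypts the whole record; plaintext never reaches the table.
func (t *Table) Insert(r Record) error {
	pt, _ := json.Marshal(r) // a struct of two strings always marshals
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	idx := blindIndex(r.Name)
	t.rows[idx] = append(t.rows[idx], t.aead.Seal(nonce, nonce, pt, nil))
	return nil
}

// FindByName decrypts only the rows whose blind index matches; every other
// row stays ciphertext, so a lookup never means "decrypt the whole table".
func (t *Table) FindByName(name string) ([]Record, error) {
	n := t.aead.NonceSize()
	var out []Record
	for _, blob := range t.rows[blindIndex(name)] {
		pt, err := t.aead.Open(nil, blob[:n], blob[n:], nil)
		if err != nil {
			return nil, err // tampered row or wrong key
		}
		var r Record
		if err := json.Unmarshal(pt, &r); err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}
```

A keyed index like this only supports equality lookups after normalization; prefix or fuzzy search still needs the plaintext or a different construction.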

------
redwards510
What would be a suitable response to this? America does not have a clear
cyberwar policy and I haven't heard many suggestions.

~~~
JohnTHaller
Well, they could confront the issue instead of publicly ignoring it for a
change. Haven't heard much about China's massive DDoS against GitHub. Even
GitHub won't point the finger at China even though it was clearly done at the
Great Firewall.

------
ephemeralgomi
what differentiates a 'cyber database' from a 'database'

~~~
ra1n85
The former was built for millions of dollars by the low bidder with a great
sales team.

~~~
colinbartlett
Great sales team? How about well-connected principals who donate to candidates
with the power to decide on the contract.

------
dpweb
Of course, China. How is it they are incompetent to protect the data, yet
competent enough to know immediately who did it?

~~~
themeek
Stopping Computer Network Exploitation is very, very difficult (the attacks
happen at close to the speed of light).

However with appropriate signals intelligence, sources of attacks can be
determined.

We don't know that China was really behind these attacks, but the US has a
pretty good track record at attestation so far.

~~~
jessaustin
How would we know? The most notable attestation I can think of was NK-Sony,
and that is dubious at best. I'll stipulate that China is behind lots of
hacks, but that means attributing any particular one to them could be just a
good guess.

~~~
themeek
The NK-SONY episode was undoubtedly NK or NK-sympathizers.

The malware analysis from FireEye is a good start for this (it was a variant
of malware used by NK to target SK media outlets that run negative press
against the regime, was compiled with Korean character sets, and much more),
but it's also true that the motive of the hack, written by the Guardians of
Peace themselves, was to punish the US for the State Department and CIA's
involvement in the creation of The Interview and the plans to get the movie
into NK.

Curiously, linguistic analysis of the Guardians of Peace messages suggests that
the author was possibly Russian, and variants of the malware package had also
been used in an Iranian attack on US oil companies in the Middle East. (These
nations are known to collaborate in malware development and tactics, tools and
procedures.)

------
sgacka
This hit every US news service. How is it so low in points?

"breach could potentially affect every federal agency, officials said"

I love HN's ability to filter news that matters to dev/tech-professionals, but
when stuff like this pops up it should be top 10, for at _least_ a few hours.
This is some serious shit. Who here does business with government agencies?
Most of you have IRS Tax/Employer IDs... with the rate that this is
"expanding" what is to say that it wasn't just HR records, but more. Your
e-filed IRS return could be sitting with folks outside of the IRS...

No intention to fear monger but think of the statement "breach could
potentially affect every federal agency" - every business in the US does
something, with sensitive data, with an agency :/

------
fleitz
It's not a data breach, it's essential that the US keep their database
unencrypted so that the Chinese national security agency can search their
records for ties to terrorism.

If anything China just did the OPM a favour to help them keep their freedom.

------
thyrsus
Note the Office of Personnel Management's scores in this report, and note the
scores of the State Department. Ms. Clinton's e-mails may have been more
secure at her private residence :-\

[https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/final_fy14_fisma_report_02_27_2015.pdf](https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/final_fy14_fisma_report_02_27_2015.pdf)

------
danso
Interested in hearing the details about this one. How much of it was
facilitated by phishing or social engineering? Are there any government
systems that require two-factor auth? So much of federal web infrastructure is
based on old code/systems that, while invulnerable to a mass exploit of
Rails/WordPress/Bash, have not even remotely been tested and studied against
edge cases in the way that large scale open source platforms have.

------
ams6110
_The breach did not involve background checks and clearance investigations,
officials said._

No, that breach[1] was a couple of years ago.

1: [http://www.nextgov.com/cybersecurity/2014/12/opm-alerts-feds-second-background-check-breach/101622/](http://www.nextgov.com/cybersecurity/2014/12/opm-alerts-feds-second-background-check-breach/101622/)

------
gress
If only there had been a backdoor in the system, or no encryption, law
enforcement could have prevented this. /s

~~~
themeek
The US government has some of the best CNA/E defense anywhere in the world -
certainly better than almost all of industry - even departments that you would
otherwise think are puny.

The backdooring and lack of encryption in software is because the US is still
a primary exporter of technology and we want to be able to continue to hack,
surveil, message and control those who get US technology. US FedRAMP and other
compliance minimums insist on the use of properly configured encryption in
private industry to protect government information and cyber sharing programs
enable both the sharing of data between private and public sectors for
surveillance and for the detection and analysis of foreign cyber attacks. The
US government has state of the art encryption (for the most part) and some of
the most heavily monitored perimeters.

None of this is enough to stop cyberattacks, which have all of the advantages
in their favor.

So while I'm inclined to agree with you that the US should stop mandating
backdoors and weak encryption, I don't think it's a fair characterization to
suggest this has anything to do with why the US was breached.

China and the US are battling each other in several arenas of influence, as
are Russia and the US. In this case the US is trying to stop Russia and
China's global and regional power projection and these countries do not accept
the US world order and their current place in it.

Conflict is inevitable. It will be interesting to read the history books to
see what gets written about the role of the information warfare space and what
role it plays in whatever outcome we get.

~~~
colinbartlett
What is CNA/E? Google wasn't helpful.

~~~
themeek
Computer Network Attack/Exploitation, also see CNO - Computer Network
Operations.

------
multinglets
Oh no, the Chinese are stealing all our datas in an unprecedented cYbErattack!

I didn't realize it was Thursday again already.

