
US Intelligence director’s personal e-mail, phone hacked - pavornyoh
http://arstechnica.com/security/2016/01/us-intelligence-directors-personal-e-mail-phone-hacked/
======
SilasX
So? I thought there was no social consensus on an expectation of privacy in
email.

~~~
ck2
Any email you have that is 6 months or older is free to be read by almost any
law enforcement from local to federal level, without warrant.

Why do you think President Clinton set up a private email server in the first
place? The law was signed just before his presidency and he was advised of
this.

------
tomlongson
> The group also apparently gained access to a number of government Web
> portals and applications, including the Joint Automated Booking System (a
> portal that provides law enforcement with data on any person's arrest
> records, regardless of whether the cases are ordered sealed by courts) and
> government employee personnel records

Why is it that sealed arrest records are not actually sealed?

~~~
Wingman4l7
I've always struggled with the concept and purpose of a "sealed" record. It's
like the justice system is trying to have its cake and eat it too -- they want
to keep a record that someone went through a judicial process, but the details
must not be revealed? Why not just wipe the record and replace it with some
sort of generic "John Doe had a legal proceeding on date X"?

~~~
lazaroclapp
Doesn't 'sealed' imply that it is retrievable, just not under most circumstances?
As opposed to expunged. As I understand it, a court order can allow certain
parties to access a 'sealed' record as part of a different investigation in the
future. It's just that your employer doesn't get to see the whole thing every
time they run a background check on you.

Why there isn't a proper threshold cryptosystem and chain of custody of keys
for sealed records? Well, that's a different question. The answer is probably
along the lines of "the justice system doesn't get tech" or "the people who
could demand this don't know about it or don't care enough" or even "thus far
the implementation has worked ok...".

~~~
kevin_thibedeau
Law databases aren't much past the sophistication of Dbase. Strong access
controls and encryption are hopeless.

~~~
lazaroclapp
Yeah, I know. Still, it is interesting how when it comes to catching suspected
criminals everything is relatively high-tech: optical license plate
recognition, fake cell towers, biometrics, drones, etc. Yet when it comes to
protecting civil rights, any solution that is newer than the bill of rights
itself is suspiciously absent.

------
vonklaus
Oddly, neither the anonymous hacker (adjective, not group), nor a high-ranking
gov't intelligence officer were available to comment on this Twitter picture
we found on Facebook after it had trickled down from 4chan to reddit.

------
deciplex
Good. Let's have the pastebin, please. This is the same guy who lied to
Congress, which lie was exposed just a couple months later, and _nothing
happened_.

~~~
rubberstamp
I won't be surprised if it contains some bitching about Congress trying to
bring accountability. I could care less about it. These guys are in the
business of finding loopholes and using them. They will lie if they can get
away with it.

~~~
assocguilt
Could care less? Surely you mean that you couldn't care less?

If you could care less then that means you must already have some level of
care.

If you couldn't care less then your current level of care could not be any
lower which effectively means that you don't care.

~~~
Stratoscope
[https://www.google.com/search?q=could+care+less](https://www.google.com/search?q=could+care+less)

------
typon
Let me play the world's smallest violin for this horrible crime

------
2close4comfort
What can you expect from someone who still uses an AOL account...

~~~
goalieca
I always expect these senior intelligence guys to have the most disciplined
security around (like snowden).

Then it turns out the only real guard is "What high school did you go to?" and
"Who was your favourite teacher?"

~~~
duncan_bayne
Once you go high enough in most organisations, appointment becomes political
and / or based upon leadership and vision.

Assuming senior intelligence folks practice good tradecraft is a little like
assuming that the CEO of a software company is a gun programmer. Often not
true, and sometimes for good reason.

~~~
aswanson
More often than not, for a bad reason though. Put Ballmer vs Gates or Nadella
as a CEO, or, I'd argue, Schmidt vs Page. And, in a crystal ball moment, I'd
predict whomever follows Zuck won't be as good as him if he/she has no
technical skill. I'd take a technical person who can follow the track of where
things are heading "vision" over a bean-counting MBA or "leadership" expert
any day of the week for guiding an organization based on technology.

------
fweespeech
Is anyone actually surprised?

The competence of politicians with technology has always been abysmal.

~~~
balls187
> The competence of politicians with technology has always been abysmal.

This assumes that companies do a great job of preventing hacks. They don't.

Brian Krebs's PayPal account was hacked last month[1].

[1] [http://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-the-norm/](http://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-the-norm/)

~~~
fweespeech
1) He put work documents in a non-government email address that anyone who
understood technology would understand was insecure.

2) At that point, the competence of the provider isn't the problem.

------
sgarman
I dislike the word "hacked" as used here because it can mean anything and
everything. I hope we get some real actionable information on what went down.
There are no real details included other than they were able to access email
accounts. Looks like maybe social engineering?

~~~
wavefunction
> social engineering

That's still hacking.

~~~
moheeb
Not to me, it isn't.

~~~
wavefunction
Perhaps you'd care to expound? I suspect you hold this opinion due to your
age, though I can't be sure as I don't have much to go off of.

Hacking to my understanding is exploring a system of rules, learning them
inside and out and using those rules in expected and unexpected ways to
control the system to your own desired effect, which may be constructive or
destructive in nature.

I grew up during a time when individuals were doing this with the phone system
and computers and other technologies and this included understanding and
utilizing social dynamics and interaction to achieve a desired effect, usually
gaining access to information that could be leveraged towards further hacking.

~~~
jonnybgood
No different than a con artist. It seems to me when techies do conning they
call it social engineering. In other words, a social engineer is a techie con
artist.

~~~
wavefunction
Here's the thing about a con artist, "there's no cheatin an honest man"

~~~
js8
That's very much untrue, and it's probably used as self-justification. You can
exploit honest people too, and people do it a lot.

And I also take issue with term hacking meaning guessing the password or
obtaining it with social engineering or con art.

------
late2part
I hope it wasn't done wittingly.

------
matt_wulfeck
It seems we need better safeguards for personal data for elected officials. I
think the government could do it easily:

1. Issue iPhone with finger scanner for MFA for all important access. This
works so easily that it would be hard for someone to screw it up.

2. Set up home networks to always use secure tunnels (custom routers with
OpenVPN settings, etc.).

3. MFA all accounts.

The key is to make it so easy to do things the right way that it's hard to
mess it up.

~~~
jamesrom
Fingerprints aren't secrets. Once you have your fingerprint stolen, it's
useless.

[https://www.schneier.com/blog/archives/2015/10/stealing_finger.html](https://www.schneier.com/blog/archives/2015/10/stealing_finger.html)

[http://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands](http://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands)

~~~
matt_wulfeck
Everything is always a trade-off. Fingerprints offer considerable
convenience, especially when they work in tandem with something like a secure
HSM.

For example, on an iPhone 5s and beyond, the fingerprint doesn't decrypt the
phone, it unlocks the secure enclave which decrypts the phone.

~~~
newman314
I suggest that you read this article on identity, authn & authz.

[https://technet.microsoft.com/en-us/library/cc512578.aspx](https://technet.microsoft.com/en-us/library/cc512578.aspx)

Also, AFAIK, you cannot be compelled at this point to provide a PIN/password
(short of the rubber hose) but someone can just use your finger to unlock a
phone. Yes, tradeoffs but the convenience factor is not worth it IMO.

------
dawnbreez
Teenage hackers, huh?

Sure. I bet this isn't actually their work.

~~~
jsomers
"Whoever wrote this needs somebody to take the fall. And that's Phreak, and
that's Joey, and that's us." – _Hackers_ (1995)

~~~
dawnbreez
I had to resist the urge to add HACK THE PLANET to my comment.

------
beedogs
This is what happens when you hire a dim-witted Luddite to direct US
Intelligence. Surprised?

------
macawfish
Those men look like their bodies have been trying to die for a while now.

~~~
oldmanjay
The favorite joke of my cohort of old people is how young folks are just dying
to get into our club.

~~~
elenorelange
Can you explain the joke? I don't get it

