
Data on 7% of Americans Were Just Hacked, Now What? - shea256
http://blog.onename.com/americans-hacked-opm/
======
bargl
Is it sad that because I have worked on government systems in the past that
this does not surprise me at all?

It makes me mad, but it is not at all surprising. The negligence on government
software is crazy. That is on top of the regulations that basically don't
allow developers to use new/open source technology.

While new technologies wouldn't have prevented this by themselves, they might
have made it easier to encrypt data so the devs would have said, "oh yeah we
can do that". Or they might have had defaults that prevent simple things like
cross site scripting.

~~~
__john
Spot on, most software gets disapproved simply for being open source or
liberally licensed. Although recently I've found that it's easier to get open
source software on my computer if I can prove that it already exists somewhere
else on our network (i.e. we use Redhat servers which come with Python pre-
installed after I pointed that out getting Python on my personal box wasn't
much of an issue)

------
Litost
This might well be the dumbest thing i've ever said on the internet, but
extrapolating from "data on 7% of americans just got hacked" to the premise
nothing is actually secure

a) What would happen if we embraced this and just made all information freely
available?

b) Is one of the likely/possible end or transitional states of the human race,
all information being freely available and presumably along with it, a more
enlightened approach to dealing with it?

c) Are there any good sci-fi books where this is explored?

~~~
miguelrochefort
I've been a big supporter of total transparency for a while now. I probably
have a hundred posts and comments about this very topic on HN and Reddit
alone. My experience is that most people won't even consider the idea. Those
who don't just assume it's trolling usually ask the same question: "Post your
name, address, email address, phone number, social security number, credit
card number, passwords here." and they believe it constitutes a valid
argument. That's laughable.

Privacy only rewards liers and cheaters, and generally unreliable people. It
leads to a world where kids tell their teachers what they want to hear, where
politicians tell the population what they want to hear, where job candidates
tell the interviewer what he wants to hear. You can't cheat, lie, manipulate
and generate bullshit? Sorry, but that's an handicap in today's society.

We live in a world where it's expected of people to keep secrets and conceal
the truth. It's your job to keep your house keys safe, keep your password
safe. Wear clothes, makeup, wigs, get plastic surgeries if you need to. Never
talk about your flaws, only share successes. You can't ask for help publicly,
that would reveal you're imperfect. Keep it in, live in the closet. Oh, and be
a white male.

Don't forget, one picture of you being drunk or smoking a joint, and your
political carrier is over. I mean, the absence of such a picture would
convince anyone that such a thing never happened.

The correlation between reality and what's publicly available is so
ridiculously thin, that nobody really knows what truth is. And that's a bit
scary.

I see people avoid using smartphones because "NSA". I see people browsing
behind 7 proxies. I see people wasting considerable amount of time setting up
encryption on everything they touch. Better delete my Facebook account right?

We will never win this race. It's unsustainable to try to keep that much
information private. Technology favors entropy. It's time to embrace
transparency.

~~~
gruez
>We will never win this race. It's unsustainable to try to keep that much
information private. Technology favors entropy. It's time to embrace
transparency.

How much transparency are you advocating for?

Privacy isn't just about protecting secrets. For instance, it can be inferred
that married couples have sex in their bedrooms. That's not a secret. But if
you ask them if you can plant a camera in their bedroom for the purposes of
recording their sex lives, they would most certainly reject.

Are you advocating for transparency for facts, or transparency on everything?

~~~
miguelrochefort
> But if you ask them if you can plant a camera in their bedroom for the
> purposes of recording their sex lives, they would most certainly reject.

Of course they would reject. They've been brainwashed to think this is bad.
And so was society. That will have to change.

I'm advocating total transparency. Everything.

------
jessriedel
I wish alternative strategies like "stop having the government collect and
store information" would be considered in these situation.

~~~
pdkl95
This is the only real solution, as it directly addresses the real problem:
interdependence. As Dan Geer described[1] the problem:

    
    
        ... risk is a consequence of dependence.  Because of shared
        dependence, aggregate societal dependence on the Internet is not
        estimable.  If dependencies are not estimable, they will be
        underestimated.  If they are underestimated, they will not be made
        secure over the long run, only over the short.  As the risks become
        increasingly unlikely to appear, the interval between events will
        grow longer.  As the latency between events grows, the assumption
        that safety has been achieved will also grow, thus fueling increased
        dependence in what is now a positive feedback loop.  Accommodating
        old methods and Internet rejectionists preserves alternate, less
        complex, more durable means and therefore bounds dependence.  Bounding
        dependence is *the* core of rational risk management.
    

In software we've had to face this problem of expanding complexity and
interdependency so often we have numerous names for the problem like
"spaghetti code" and "DLL hell". Numerous techniques have been invented to try
and mitigate dependency problems (e.g. "information hiding" with functions and
classes, UNIX-style problem separation and component reuse). With Rust, we
have even designed an entire programming language with complicated and usual
memory management features, with the goal of _eliminating_ some types of
interdependent pointer semantics. Even with all that effort, the good designer
knows to ask the question "Did we _really_ need to depend on $LIBRARY?".

Unfortunately, there are may other areas of our society that are just starting
to learn about complexity at this scale, and do not understand why it might be
an absolutely terrible idea to _replace_ an old system that worked with a new
piece of software that creates a dependency on the internet. There will be a
lot of people that end up having to learn the hard way why it might have been
a bad idea to change a security problem form "lock it in a thick-walled room
behind a lot of people with guns" into something that probably reduces to
Halting Problem.

[1]
[http://geer.tinho.net/geer.blackhat.6viii14.txt](http://geer.tinho.net/geer.blackhat.6viii14.txt)

~~~
acqq
Exactly. For us who worked on the big software projects, it's something we
think of all the time, with the extremes:

\- blindly making all class members private, most of the code is the burocracy
and a little or even wrong job being done.

\- allow everybody access to everything, a mess for the other aspects of
brittleness.

Actively maintaining the balance is the hard problem which has to be done all
the time as the requirements change all the time, but the task worth doing.

------
eli
> Worse… access to ALL of this information was given to certain foreign
> contractors, some of whom were in China.

Pretty sure this is unproven and, regardless, had nothing to do with the hack.

~~~
polymatter
I'm not sure if it was edited, but reference to China has now gone.

~~~
eli
Yes, it was silently edited, which is not a particularly classy move.

I think this whole "foreign contractors" angle is sourced to a single
anonymous ex-contractor speaking to Ars. Even if true, I don't think there's
any evidence it has anything to do with this hack.

~~~
shea256
Hi author here. Thank you for pointing this out and sorry, I meant to mention
that I edited it.

~~~
eli
No worries, I'm definitely guilty of quickly editing my own comments to phrase
them better :)

I still feel like I'm a little lost in the essay, though. It's easy to _say_
that all data requires senior people to sign off before data can be decrypted.
But that sounds really hard to implement and even harder to legislate. What
specifically are you asking for? What am I supposed to be asking my
representative to do?

------
Shivetya
I am not sure what is actually the worst thing we learned here, that this many
people were hacked or this percentage is/was employed by the US government

~~~
DennisP
It's not just those employed. A family member of mine has a security
clearance, and let me know that I'd be one of the 20 million with my SSN
exposed, since I was one of the people the government checked on when doing
his clearance.

~~~
sgs1370
And DOB of your family member, unless the forms have changed. Also (not
related to your family), when you're trying to identify yourself on the phone
to a credit card or bank (etc.) because you are starting with them or "lost
your password", they usually quiz you - almost all of the questions can be
answered if you know the previous addresses.

~~~
ams6110
This is what needs to change. Personal trivia can no longer serve as proof of
identity. We need to make the personal data useless for identity thieves.

------
mangeletti
7% of American't were not "just hacked"[1]. Perhaps the HN title should be
changed to avoid misleading users herein.

The title is very much click bait.

1\.
[https://en.wikipedia.org/wiki/Hacker_%28computer_security%29](https://en.wikipedia.org/wiki/Hacker_%28computer_security%29)

~~~
lisper
I downvoted you because you need to support your claim. 21 million Americans
had their personal information compromised. That's 7% of the ~300M population.
Summarizing that state of affairs as "7% of Americans were hacked" seems
reasonable to me.

~~~
mangeletti
While I do appreciate your honesty (re: downvote), gaining access to my
information isn't intrinsically hacking[1]. Hacking _might_ be the means of
gaining the information. In this case, hacking did take place, but not the
hacking of 21 million Americans, rather on some government servers. I've added
citation to my original comment.

Anyway, it doesn't matter because the OP was flagged into oblivion.

1\.
[https://en.wikipedia.org/wiki/Hacker_%28computer_security%29](https://en.wikipedia.org/wiki/Hacker_%28computer_security%29)

~~~
lisper
> gaining access to my information isn't intrinsically hacking

Perhaps not, but saying "I was hacked" is a commonly used colloquialism that
means, "My supposedly secure personal information was compromised."

But I guess it's a moot point now.

------
TheMagicHorsey
Why is everyone so shocked? Has anyone ever talked to a friend that works for
the Federal govt.? They are well known to be completely incompetent when it
comes to technology. Even the DoD, which gets billions of dollars for cyber
defense, often doesn't do things right.

How can you expect the Fed. Govt. to handle things competently when some of
the best paid private contractors F' things up too. Security is hard.

What IS a bit surprising is not the fact that they were hacked, but that they
actually found out they were hacked. From what I understand, the Fed. Govt.
has lost even more important data (like designs for weapon systems), and not
even realized it till like years later when the technology shows up in foreign
weapons.

~~~
narrator
Maybe some parts of the government aren't competent but the NSA is pretty good
at what they do.

~~~
kalleboo
Even the NSA isn't perfect though. Don't forget that Snowden managed to steal
hundreds of thousands of documents, and the NSA doesn't even know exactly WHAT
he got or not...

~~~
icebraining
_the NSA doesn 't even know exactly WHAT he got or not..._

Or so they say.

------
jganetsk
Does anyone know if the OPM's data included Global Entry?

~~~
jessriedel
I don't, but the NYTimes says this:

> Every person given a government background check for the last 15 years was
> probably affected, the Office of Personnel Management

[http://www.nytimes.com/2015/07/10/us/office-of-personnel-
man...](http://www.nytimes.com/2015/07/10/us/office-of-personnel-management-
hackers-got-data-of-millions.html)

Not sure if Global Entry / NEXUS is considered a background check, since they
are certainly less intensive than the one done for a security clearance, but
it doesn't sound good.

------
mangeletti
The article's title was just edited[1] to read, "Data on 7% of Americans Was
Just Hacked, Now What?".

This is apparently a living document.

1\.
[http://webcache.googleusercontent.com/search?q=cache:WKgL8jW...](http://webcache.googleusercontent.com/search?q=cache:WKgL8jW-
Zb0J:blog.onename.com/americans-hacked-opm/+&cd=1&hl=en&ct=clnk&gl=us)

~~~
shea256
Yes, I responded to your helpful feedback. Thank you.

~~~
mangeletti
Thanks, Ryan. Despite the fairly negative nature (calling it "click bait") of
my prior request, you took it for its objective value. That was pretty big of
you.

------
a3n
So wait a minute. Why couldn't this have been the NSA? I'm sure the NSA has no
automatic right to at least some of that data. And if they're investigating
someone (or everyone), breaking in would be their style, right?

Wouldn't it be really valuable to them to zip together what they already have,
and what's in the OPM data, to create more links and associations?

------
1971genocide
I am so happy this is happening !

I always felt cryptography was treated as a back room kind of operations. We
are all so busy making iOS apps. The real computer science has always taken a
back seat.

Hopefully MORE such breeches occurs and investment in security recieves the
kind of investment and respect it deserves.

We are all so focused on this MBA growth bullshit. Time to do some real
computer science !

~~~
1971genocide
I remember reading about how openSSL had like one programmer and he used his
own funds.

It's embarrassing that we let this shit happen. this is why I think cs needs
some form of labour union ( like the brotherhood of teamster, I didn't know
truck drivers got better wage than half of us ) the wages keep on dropping and
we have no say in where to divert investment.

~~~
NhanH
How do you think labor union would have helped in the openSSl case?

~~~
1971genocide
Labour unions are know to manage and divert investment for the common good for
a field.

They help enforce regulations and prevent random programmers from doing
something stupid.

IN the case of openSSL. Even though we all collectively know how important
security is for the Internet in general, it would be hard to convince
investors to fund something that is a collective good with long term
potential.

Right now except for EFF, no one is voicing the concern about encryption. And
it's all programmers collective fault for letting this happen.

~~~
NhanH
I understand the general appeal, what I was wondering is the specific
mechanism that would work to help case like openSSL (if anything, I can see it
hurting the effort, as you said, "stopping programmer from doing something
stupid"). I'm more worried that labor union will be doing things more in the
veins of RIAA and MPAA: seemingly good for short term of the field, but
completely stupid in the big picture.

~~~
1971genocide
I think a democratically elected face for programmers would be a good thing.

Right now there are major problems surrounding IT, while we are forced to work
on marginalized things. Meanwhile foreign private contractors get the govt
deal since they are the "cheapest". Remember healthcare.gov, how does a
country with the best programmers make such blunders ??

It will be expensive to increase training, provide certifications for security
and create a open industry around security. But cyber security is as much or
more important than other forms of defence. The reason for myopia is because
its not as cool. Imagine if some spy infiltrated and stole physical copy of
all the records of Govt personnel ??

Can a price be put on it ?

------
RRRA
... Because the government is keeping everyone insecure so they can hack other
nations and themselves?

------
Qantourisc
If it's such a big deal to loose / get the data stolen. Should you have been
storing it in the first place ? And if you do really need it, like
fingerprints, start by using a hash. The other data you wish to keep are
current data (not history): ssn, address, family(maybe you should be able to
opt out of that, but risk them no getting contacted in certain situations)
Medical records? Have a standard form that list anything important: allergies,
blood-type. Well that's my (maybe naive) view on it.

------
kanusterkund
Hack me twice, can't get hacked again, right?

------
tslug
I'm always amused by these "here's how to protect data better" articles,
because today's security is tomorrow's joke, and that's how we got here with
the OPM hack.

The only way to get ahead of it is to make it so that all private data is
public and thus devalued. Privacy creates liability. Visibility creates value.

The problem we have right now is the idea that one entity should have domain
over any information. That's what we need to get over. It should be shared-
_all_ of it, from bank security cameras down to what you're doing in the
shower. When all surveillance is shared, you find that people suddenly get a
lot more tolerant, because throwing stones in glass houses isn't helpful.

The Earth is a closed system. We have finite, shared resources. Privacy
creates the fiction that it's not a closed system. You think that's how the
space station works? Is that how you want it to work? No, you want cameras on
_everything_ , because if someone decides to experiment with the CO2
scrubbers, it affects everyone.

The same is true here on Earth. We're now in an age where one person or
company or government can single-handedly change the habitability of the
entire planet, such as Exxon did in the 80s. That's dangerous.

And meanwhile, there's incredibly valuable, life-saving services and
conveniences we can all enjoy if we are open with all our surveillance data.
How many lives could be saved or improved if we all had a smartwatch measuring
our vitals and our food intake and toilet waste were monitored? That one
change could single-handedly resolve most of our healthcare issues in the US.

What we really need instead of privacy is complete visibility coupled with a
code of conduct that emulates the benefits we expect from privacy. Just
because we _can_ see everything doesn't mean we have a right to bother people
with what we know. That's the issue we need to address. By all means, check
out whomever in the shower, but that doesn't give you a right to interfere
with that person's life by commenting on their genitalia. That's the key
ingredient we're missing from the privacy conversation. We like privacy
because we equate it with civility and thus freedom.

If someone doesn't know something, then they can't make you miserable with it.
But that doesn't really work anymore. Even if someone doesn't know something,
big data techniques can interpolate what it is they're not supposed to know.
What you're really signing up for with "privacy" is granting visibility to
only a privileged few- the spy agencies, the multinational companies, the
hackers, and anyone willing to pay for the information.

~~~
miguelrochefort
Everything you said is correct.

Where can I find like-minded people that understand the sustainability of
total transparency? I've been struggling to find such a community for years.

~~~
iamcurious
I'm interested as well.

------
sologoub
Does anyone know if this affects immigration records, as I'm pretty sure they
collect fingerprints and such?

------
carl7081
But hey - they erase their disks 7 times and spike them before they throw them
away - so we are safe now.

------
trhway
93% later we'd be able to stop worrying about hacking and love the open
Internet.

------
gmuslera
99% were hacked the last decade, along with most of the rest of the world, by
an US government agency. If people didn't care about that, why you expect
sympathy for this one?

------
jwildeboer
Exactly why is $AUTHOR so sure it was a foreign power that hacked OPM? Which
proof can $AUTHOR provide besides unfounded rumours? It's just too simple.

~~~
tedunangst
The author of the post isn't variable.

------
informatimago
I don't see that as a problem. At all. The US government (NSA, CIA, etc) has
files on most of the people on the planet (including close spying of most
governments, politicians and important corporations worldwide). I don't see
how somebody else having 20 million records on US people would change
anything.

On the other hand, if personal and important information about the activities
(behind the curtain) of all those politicians, banksters and big corporations,
american or not, was accessible to the public, perhaps things would change.

~~~
marcoperaza
Except that what leaked out is the background checks of almost all of the
people that have a security clearance. There's a lot potential for someone to
use that information to blackmail ("I'll tell your wife about that affair you
had 10 years ago") or socially engineer (pretend to be someone else) their way
to the very secrets this process is supposed to protect.

~~~
a3n
And at least links to all their family, friends and associates. Making those
people targets for further data theft.

