
FBI Says a Mysterious Hacking Group Has Had Access to US Govt Files for Years - ebrenes
https://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years?utm_source=mbtwitter
======
actsasbuffoon
All the more reason why the US government shouldn't be running mass
surveillance programs. You may trust the US government with your data, but
what if they can't protect your data once they've obtained it?

Do you trust the Chinese government with your personal information? How about
organized crime groups with the resources to hire expert black-hats?

We're talking about people who haven't done anything wrong, and aren't
suspected of any wrongdoing. Innocent people are having private data gathered
without their consent (and arguably in violation of the constitution) by
people who have had a series of embarrassing security blunders in recent
years.

You might argue that the NSA has tighter security standards than the OPM and
whichever departments were compromised in this attack. In response to that,
I'd point out that Edward Snowden was only a contractor, and shouldn't have
had access to the information he leaked to the press. Clearly security wasn't
that great at the NSA.

~~~
thaumasiotes
> You may trust the US government with your data, but what if they can't
> protect your data once they've obtained it?

I've never understood this idea. The US government is dangerous to anyone
located in the US. The Russian government is not. It will never matter to you
if the Russian government has your data; it can matter a lot if the US does.

~~~
marcoperaza
Tell that to Alexander Litvinenko.

~~~
venomsnake
That poor, poor Soviet spy turned traitor. Spilling state secrets - legitimate
target for assassination.

And his mistake was trusting a friend. Not some data collection Russian
operation.

If you enter that game - you know the risks.

~~~
tonyedgecombe
"If you enter that game - you know the risks"

That's a poor justification for executing somebody without trial.

~~~
venomsnake
He was a rogue traitor - what kind of trial would you like him to get?

~~~
efdee
A fair one. Like everybody else.

~~~
venomsnake
He was in the UK. Generally speaking Russia has no jurisdiction there even if it
owns most of inner London.

------
hackuser
Is the government or anyone else trying to develop secure systems? I don't
mean stock technology (Intel/Arm + Windows/*nix/etc.) retrofitted or 'locked
down', I mean new tech built from the ground up for high security.

Given the exceptionally high value to foreign governments (and other actors) of
breaking into US government computers, the latter approach seems like the only
potential option. The stock tech just can't be secured effectively enough,
IMHO.

----

EDIT: Answering my own question to a degree, here are presentations on High-
Assurance Cyber Military Systems (HACMS), which apparently utilize seL4:

[http://www.cyber.umd.edu/sites/default/files/documents/sympo...](http://www.cyber.umd.edu/sites/default/files/documents/symposium/fisher-HACMS-MD.pdf)

[https://www.youtube.com/watch?v=YqRdbgRPYw8](https://www.youtube.com/watch?v=YqRdbgRPYw8)

~~~
gherkin0
Yes.

One project is seL4, which is a provably correct microkernel. I listened to a
talk by one of the developers and it sounded like they were getting funding
from DARPA.

[https://sel4.systems/About/seL4/](https://sel4.systems/About/seL4/)

I also remember reading on Wikipedia about some proprietary closed-source OS
that's used by the US government to work with very highly classified
information. Apparently the requirement was that the kernel and every program
be formally verified, so it had very limited features. IIRC, it is still
maintained, but newer versions support a Linux environment for less classified
work.

Unfortunately, I don't remember what it was called so I can't link to the
page.

edit: found it:

[https://en.wikipedia.org/wiki/XTS-400](https://en.wikipedia.org/wiki/XTS-400)

[https://en.wikipedia.org/wiki/Trusted_Computer_System_Evalua...](https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria#A_.E2.80.94_Verified_protection)

> Examples of A1-class systems are Honeywell's SCOMP, Aesec's GEMSOS, and
> Boeing's SNS Server.

~~~
joe_the_user
The problem is that at a certain level of government, you will have
administrators who aren't technical experts and who have no interest in
deferring to the opinions of technical experts.

Such folks just don't want to bother with the limitations that a secure system
implies, even if such a system became much more featureful than the present
ones. They want their Windows/Mac and probably want it for their work-groups.

It's not just a lack of technical know-how but a variety of psychological
tendencies that stand against this. It's taken a long time for companies to
develop UIs that people want to use but the existence of these "easy to use UIs"
is a barrier to any UI which requires even a small amount of training to use.

~~~
AnimalMuppet
Fine. Then those people don't get access to secure systems _or information
that needs to be secured_. Just don't let them have any kind of job that means
they need to work with information that should be secure. Let them have their
Windows/Mac machine, and let them work on writing Word docs and Powerpoint
about stuff that nobody cares about.

~~~
hackuser
Unfortunately that's not how government (or any large institution) works. That
person has enough political capital to hold onto that job, or probably they
wouldn't have obtained the job in the first place. Try firing or moving them
and you might find that someone powerful, whose good will you need in order to
get important things done, will be unhappy with you.

------
deepnet
Hardly surprising when most resources are spent on mass surveillance, reliant
on weak security.

Snowden's leaks show the focus is to "prevent public debate about the mass
surveillance program." - GCHQ, leaked slide.

> "_The mass surveillance program has done nothing to prevent terrorist
> attacks, it has not stopped a single one._", concludes Obama's 2014 report
> chaired by the ex-deputy director of the CIA.

Compromising public safety by starving resources from real investigative
intelligence.

> "_If you collect it all, you understand nothing._" Snowden

They were warned of the Belgian bombers by Turkish intelligence. Warned he had
just returned from training camps. Warned a Tsarnaev brother had been at a
training camp just before he bombed Boston.

Real warnings about activated radical, single dangerous individuals - not a
needle in a haystack - direct advance warnings. Same with London 7/7 and in all
cases the response is "we didn't have sufficient resources to target these
individuals."

_If these attacks were preventable - why weren't they?_

This question must be asked again and again and we should be unsatisfied with
'closing the stable door' answers like '_because they had burner phones_'.
Because that is not their focus is the awful, sad, inescapable truth.

All sources from this debate between Greenwald, Chomsky & Snowden:
[https://theintercept.com/2016/03/30/edward-snowden-noam-chom...](https://theintercept.com/2016/03/30/edward-snowden-noam-chomsky-glenn-greenwald-a-conversation-on-privacy/)

------
memracom
When we first heard about how Snowden actually got access to the files which
he leaked, I remember being astounded that the USG was so incompetent about
information security. My next thought was, how could Snowden be the first to
get this stuff when there are professional spies from several nations, not to
mention organized crime, who also want access to the info.

In fact it is entirely possible that deep cover agents within the USG had
rigged the system so that info security was practically non-existent but only
if you had the eyes of a UNIX system administrator like Snowden. Or some
foreign spy agency operatives.

Remember that supposed cyber attack on Ukraine's power systems. It is
precisely the same thing. Incompetence in security administration, nobody even
caring to do the simplest things to secure systems and networks, no real
security audits. Just handwaving and powerpoints and lots of impressive
jargon, and no doubt, impressive checks being written.

Can we do better than this? Serious question, can we?

~~~
Lawtonfogle
People get the security they pay for. Look how much a security expert will get
paid. Look at the training offered in our society to develop people into
security experts, be it during childhood, at college, or once they are part of
the work force.

Now look at how our society handles sport stars. Their pay. The training kids
get which is needed to give rise to the stars.

I'm not convinced our society cares about being secure when you measure by
actions instead of words.

------
jonah
Dupe of the same story/URL I posted yesterday:

[https://news.ycombinator.com/item?id=11426849](https://news.ycombinator.com/item?id=11426849)

(On topic: the more data they collect, the more tempting of a target they
become.)

~~~
fishanz
Why would you get down-voted for pointing out that this is a dupe. Maybe I'm
missing something but I don't get it.

------
ryao
The US government should develop (when needed) and deploy everywhere things
such as OSS solutions that eliminate attack vectors like the Quark web browser
(formally verified via shim verification), hardened OSS operating systems, OSS
software routing (no hidden back doors in things implementing network
isolation), RSA-based authentication TFA with physical elements (and physical
key pads on the secure elements for PIN entry), ban internal wireless
communications (no office wifi and no Bluetooth equipment), destroy equipment
if it is suspected to be compromised, etcetera.

The idea would be to put mitigations into place for every imaginable attack
vector by breaking everything but the things that are necessary and isolating
the things that are left. That ought to make breaking into systems harder. It
will likely never happen though. If anyone in charge of IT for even a portion
of the US government did this, he would probably get fired as soon as those
who can fire him experience proper security.

------
MikeHolman
Amazing. I can't help but wonder though why the FBI is telling us this at all.
Are there disclosure laws prompting them?

------
deepnet
The Ken Thompson Hack :
[http://c2.com/cgi/wiki?TheKenThompsonHack](http://c2.com/cgi/wiki?TheKenThompsonHack)

A compiler that inserts a backdoor (and the backdoor inserter) into anything
it compiles but contains no backdoor in the source code.

Infect one compiler and then everything that follows has a backdoor.

~~~
MikeHolman
Isn't DDC a sound countermeasure? And hasn't it been shown that up to this
point that has not happened?

IMO that attack is as grandiose as it is unlikely.
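
The exchange above (deepnet's description of the Thompson hack and the question whether DDC counters it) can be made concrete with a toy model. This is an added example, not code from the thread, from Thompson's paper or from Wheeler's DDC work: the "language" is Python itself, a "compiler" is a string-to-string function, and a compiled "binary" is just another source string that is exec'd to run it. The login program, the two honest compilers, the trojan payload and the password strings are all constructed for the demonstration. It shows (1) a trojaned compiler that plants a backdoor in `login` and re-inserts itself when it compiles a compiler, so rebuilding the compiler from clean source leaves the backdoor in place, and (2) Wheeler's diverse double-compiling check, which catches the mismatch by bootstrapping the same source through an independently written compiler.

```python
# Added example: toy model of the Ken Thompson "trusting trust" attack and of
# Wheeler's diverse double-compiling (DDC) check. Not real compiler code.
# A "compiler" here maps source text to "binary" text; binaries are Python
# source we exec() to run. All programs and inputs below are constructed.

# The program we care about: a login check (constructed sample).
LOGIN_SRC = '''\
def login(user, password):
    return user == "alice" and password == "s3cret"
'''

# The vendor's published compiler source: an honest identity "compiler".
CLEAN_CC_SRC = '''\
def compile(src):
    return src
'''

# An independently written compiler with the same behaviour; it plays the
# role of the trusted compiler T in DDC (assumed free of the trojan).
TRUSTED_CC_SRC = '''\
def compile(src):
    return "".join(list(src))
'''

# Thompson's trojan. The binary recognises two inputs: when it compiles the
# login program it plants a backdoor password; when it compiles a compiler it
# re-inserts *itself*. The payload carries its own template (a quine), so the
# compiler source it was built from need not contain any of this.
TROJAN_TEMPLATE = '''\
def compile(src):
    payload = %r
    if "def login(" in src:
        src = src.replace('password == "s3cret"',
                          'password in ("s3cret", "backdoor")')
    if "def compile(" in src:
        src = payload %% payload
    return src
'''
TROJAN_BIN = TROJAN_TEMPLATE % TROJAN_TEMPLATE


def load(binary):
    """'Run' a compiled binary: exec it and return its entry point."""
    ns = {}
    exec(binary, ns)
    return ns.get("compile") or ns["login"]


def self_rebuild_matches(suspect_bin, cc_src):
    """Naive check: does the suspect compiler rebuild itself from its own
    source bit-for-bit? Thompson's point is that a trojaned binary passes."""
    return load(suspect_bin)(cc_src) == suspect_bin


def ddc_check(suspect_bin, cc_src, trusted_bin):
    """Wheeler's DDC: compile cc_src with an independent trusted compiler
    (stage 1), then compile cc_src again with that stage-1 result (stage 2).
    If suspect_bin truly corresponds to cc_src, stage 2 must equal it.
    Assumes deterministic, self-regenerating builds and a trusted T."""
    stage1 = load(trusted_bin)(cc_src)
    stage2 = load(stage1)(cc_src)
    return stage2 == suspect_bin


def backdoor_works(cc_bin):
    """Compile LOGIN_SRC with cc_bin and try the attacker's password."""
    login = load(load(cc_bin)(LOGIN_SRC))
    return login("alice", "backdoor")


if __name__ == "__main__":
    print("backdoor via clean compiler :", backdoor_works(CLEAN_CC_SRC))
    print("backdoor via trojan compiler:", backdoor_works(TROJAN_BIN))
    print("trojan survives rebuild from clean source:",
          self_rebuild_matches(TROJAN_BIN, CLEAN_CC_SRC))
    print("DDC accepts clean binary :",
          ddc_check(CLEAN_CC_SRC, CLEAN_CC_SRC, TRUSTED_CC_SRC))
    print("DDC accepts trojan binary:",
          ddc_check(TROJAN_BIN, CLEAN_CC_SRC, TRUSTED_CC_SRC))
```

The naive self-rebuild test is what most build pipelines effectively do, and it passes for the trojaned binary because the trojan regenerates itself; that is the whole point of the attack. DDC only helps under its stated assumptions: the second compiler must be genuinely independent (different codebase, ideally different toolchain lineage) and the build must be reproducible, otherwise a mismatch tells you nothing about which side is wrong.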

------
koolba
... but they still think they can keep cryptographic backdoors secret.

/s

------
ziedzic
Incoming Patriot/USA Freedom Act 2.0

------
lifeisstillgood
Presumably you can never know you are clean from this point on. Any state
sponsored group that has been in government servers this long will have spread
to pretty much every part.

is there anyway to break the cycle?

~~~
fapjacks
Germany is buying a lot of typewriters.

------
mmaunder
This is two months old. I guess vice made it new again.

------
lowglow
MHG sounds like a really good hacking group name.

------
vonklaus
This shouldn't be news. Snowden broke the NSA leaks ages ago, everyone should
know a mysterious hacking group has access to gov files...

