Hacker News
China's HUMINT operations against defense contractors in full swing (clearancejobs.com)
83 points by burgessct on June 23, 2017 | 40 comments



I am all in favor of more training for avoiding social engineering attacks, stronger encryption and security for all devices and networks, and generally making digital systems as robust as possible - and then keep investing resources in these hardening activities.

The really sad thing is that so many people, including my congressional representative who I contacted on this subject, just don't get it: securing our systems is on par with fighting terrorism and conventional defense capabilities, and should receive the same resource allocations.

It goes without saying, but I will say it anyway: encryption backdoors will severely weaken efforts for economic growth and for defense.


How is this relevant to the article? The article never talks about social engineering, computer security, encryption backdoors, or terrorism.


The obvious consequence of the hack of the Office of Personnel Management. All the details of all clearance holders, including the background investigation into their personal lives, finances, psych evaluations, etc.

Overall a bigger disaster than the Snowden leaks, but it was too embarrassing to explain. No one got punished for letting it happen.


I hate how this shit is even in computers at all, much less networked ones. Can we not just revert to using paper and folders and filing cabinets for stuff like this until hacking computers isn't so trivial?


Are you suggesting that one of the largest HR depts. in the world revert to paper & filing cabinets? Can you imagine the massive cost of that? The efficiency loss? It would be staggering.

Governmental record keeping of this sort is literally one of the first uses for computers.


This shouldn't have been stored on an unclassified, publicly accessible computer. This is a prime example of how the aggregation of unclassified information can be used to derive classified information.

Example... oh, there's lots of people with TS clearances in this little town in the midwest. Maybe there's something to that. Let's check it out.


Apparently during WW2 the editors of a SF mag worked out something nuclear related was going on at Los Alamos by looking at the cluster of subscriptions.


That's a sensible argument. Revert to filing cabinets isn't.


I really do not think the efficiency loss will be large.

One centralized location that you can phone in with some smart authentication system, human workers for the rest of it. Getting cleared already takes a while (weeks or longer) so what's the huge problem with keeping the classified stuff actually safe?

At this point I don't feel especially confident that any of this stuff is going to stay secure given the prevalence of leakers and hacks. The choice is store on a computer and accept that it is going to be leaked at least occasionally or do not store it on a computer.


There were 21.5 million records stolen. If each file averages 5 mm in depth that's over 100 km of depth you need to have (you can do similar calculations for height/width).

If the OPM computers currently average 1 query per second (a number I'm pulling out of thin air, but one I'd guess was conservative). Even if you restrict that to 8X5 business hours access (an efficiency loss in itself) you have 2400 phone calls to answer and then traverse of the gigantic document store we created above.

I think this is one of those cases where people have very bad intuitive understanding of the scale of the data and what dealing with this kind of data looks like in a physical form.


100% less costly than the OPM breach.


There is no easy way to quantify this argument but let me suggest my opinion is that you are orders of magnitude wrong.


That would interfere with the insider threat detection program! Big data! AI!

There was a story a while back that the Russians had reverted to typewriters and paper files.



I think we can assume they have heard of TEMPEST by now.


Aside from the obvious huge national security implications, this hack has been a pain in the ass on a personal level (the wife and I literally have a "days since someone tried to use our identity for fraudulent purposes" counter, it rarely gets above 30 days). We are both victims of the OPM hack.


Kind of ironic. My understanding is that personal information is collected (in part) to weed out people who would have histories that make them susceptible to blackmail.


People who deploy to war zones (for 12 months), or get sent on rotations to Boringtown, Iowa, get sad, divorced, gambling habits, alcoholism. The military pretends that everyone has good Christian marital relations; getting divorced can be a career killer, and getting caught cheating also. It's a mess.

It turns out that none of those problems is a very good indicator of insider threat. Hardly anyone gets blackmailed, all the big ones were volunteers. But the paranoia gripping the military at the moment will cause crazy damage. Kind of like a bear being bitten by fire ants, slashing itself all over.


The classic motives for spying go by the acronym MICE - Money, Ideology, Compromise, and Ego.

https://en.wikipedia.org/wiki/Motives_for_spying

Money - honestly, the spy agencies never really paid all that well. John Walker got a couple thousand a month from the KGB. If you're spying for cash, frankly you'd be better off getting a second job.

Ideology - This is probably where younger people who didn't grow up in the Cold War era are vulnerable. "But they're our friends now, right?" Nation-states have interests, not friends.

Compromise - Make sure you're not in a position to get blackmailed. If you do get blackmailed, work with the security people.

Ego - Maybe a period of introspection could help?


Money is mostly used to compromise civilians who are in debt as that pressure makes them more vulnerable, especially if it's debt to organized crime. A common tactic is to give desperate people a medium chunk of cash to do something minor that the handler can still spin as treason afterwards, which then hooks the informant and allows the handler to pay him relatively small amounts until they are burned. Money doesn't work as well because the people in a position to command large bribes usually have emotional connections that money can't overcome (but M+ICE sometimes can).

I don't know many details about the CIA's black budget but I'd imagine it can be used to quickly gather hundreds of thousands or millions of dollars for especially promising informants.


Your credit is checked when you get a clearance. The higher level clearances have stricter requirements. It doesn't prevent people from being bribable, but it seems like a sound defense measure.


If you don't allow bad credit then the new bribable, grey market, and or theft point is a minor credit mark.

People with ethics problems usually understand the gamified parts of society better than the rest of us and leave their fall out everywhere that we haven't gamified yet.


That seems easier to fight. Go to a superior and alert them. Versus someone with poor credit who might need quick cash. Seems easier to manage.


Stan Smith realizes his credit card payment for his new gadget was sent out a day late and calls his credit card company in a panic. He can't afford to have his clearance suspended. The foreign support agent tells him he isn't allowed to fix that, but as a favor he does anyway.

Stan is surprised when the lawyer assigned to his foreign suspect by the embassy makes a reference to these new gadgets (perhaps coincidentally?)

What does Stan do? The problem is who can alert Stan's supervisor and how likely it becomes that every agent can be blackmailed as you move toward a zero tolerance policy.


One late payment won't hurt. IDK. Pay your bills on time and immediately tell a superior. This just doesn't seem practical. You are almost never penalized for things like this if you report them. One late payment won't really touch your credit anyhow. Just seems much harder to exploit as the instructions for things like this are very clear and any TS or better holder routinely reports anything like this.


Defense contractors are more prominent, but I would be astonished if they were not heavily targeting generic US tech firms as well, especially those involved with key infrastructure components and services.

This becomes a lot easier when a fifth or more of their employees are Chinese nationals.


> fifth or more of their employees are Chinese nationals.

Chinese nationals, or ethnic Chinese?


Yep. We're getting more and more briefings, and training in avoiding social engineering, and opening ourselves up to making terrible mistakes with classified information.


Mind sharing some of the tips/practices for those of us interested in keeping our OPSEC and PERSEC up to par?


Nothing new - I imagine - this internal NATO video from the 1960s seems just as relevant today: https://www.youtube.com/watch?v=0loanNljuZQ for example


You missed the opportunity to say "keeping our OPSEC and PERSEC up to spec" :)


You know, I took about five minutes to write this. I couldn't figure out what to say, and this is what I meant to say haha.

It was a long day.


Of course you are, the whole security industry is based on spreading fear, uncertainty, and doubt... And that makes it very profitable.


Some folks in our industry do use exploitative sales tactics, but that is not a fair blanket statement. Services like preventing phishing, for example, are a big deal and I don't think I have to convince anyone it is a real threat. Most of us just use honesty about actual risks, not FUD. Just making people aware of security as a concern, from HR to developers, can have a big impact and mitigate real risks.


So are you suggesting that there's nothing to worry about and that everyone should carry on as if the threat environment hasn't changed?


I suggest that you don't buy the hype and the bullshit. All this China/Russia stuff... It's nothing new, and it's not like the US doesn't do the same, and worse.

And yet here we are, talking about the Russians "hacking elections" and the Chinese stealing "economic secrets", the first topic, pushed by infosec companies that also have political-economic interests, is being presented without any proof whatsoever, and the second topic clearly showing the level of paranoia in which US people live (IIRC, some espionage cases involving Chinese citizens were proven in court to be false).

Perhaps US people and their govt should care more about their own people being extremely greedy and true psychopaths before judging foreign govts and nations...


From where I dwell (China), this link comes back with

  Error 403 Access to this resource is denied
  Access to this resource is denied
  Guru Meditation:
  XID: 24445124
  Varnish cache server
Is this only available from certain places, e.g. the U.S.? If so, given the international nature of Hacker News and the .com domain, perhaps this should be labeled China's HUMINT operations against defense contractors in full swing (USA only).


Clearance Jobs is a subsidiary of DICE in Urbandale. Chad Thompson their devops guru is good people.


From the domain name, I assumed it was a joke, like "SALE! Crappy jobs no one else wants - now on clearance!"


That's indeed :-)



