US Customs Database Of Traveler Photos Was Hacked And Stolen (buzzfeednews.com)
825 points by pseudolus on June 10, 2019 | 198 comments

> On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network

> CBP ... is closely monitoring all CBP work by the subcontractor

What. In the private sector, they'd have been fired and probably legal action levelled against them. The CBP's punishment for this is 'monitoring'? Please tell me I'm reading this wrong...

“In the private sector” covers a lot of ground and I have extreme skepticism about your faith in the process unfolding that way: ask yourself how many breaches you’ve been part of and whether anything more than a press release happened along with waiting for the news to die down. How many customers did Experian lose?

(In the enterprise software world, I can tell you how epic failure to perform on an 8+ figure contract unfolds: the sales guy takes a VP out to the next game so they can discuss it over drinks in the corporate box and nothing will change)

I don't have _much_ experience with this but when I worked for a UK based e-commerce SaaS provider (which was focused on image, so, ymmv) we completely buried a contractor for using sub-contractors which didn't follow our data security standards (which the contractor knew about).

a breach wasn't found, but that contracting company eventually became bankrupt under the weight of our negative press and litigation. I know that this is essentially bullying but it was used as an example to other contractors who might try something like that.

Incidentally the SaaS provider no longer exists, gobbled up by netsuite (which was, itself, acquired by Oracle).

There's pretty strong selection bias in information about data security standards. The companies that have strong ones will go out of their way to publicize that fact, but companies with weak or nonexistent ones will never admit that fact to the general public or news media, and the only thing you may hear about it is when disenchanted employees make anonymous posts on web forums.

If a company with weak data-protection standards wins out over a company with strong ones, it's never because of their lack of data-protection standards. Rather, it'll be because all the other features, pricing, marketing, etc. they can do that's the opportunity cost of decent security. So as far as the information available to laypeople is concerned, most companies do a decent job with security and it's just a few bad apples that happen to be gigantic like Equifax, Facebook, Target, Yahoo, Anthem, and the U.S. government that are screwing things up.

(FWIW, at Google we took security very seriously and implemented some truly heroic measures to keep your data safe.)

> How many customers did Experian lose?

Experian didn't lose any customer data, though. They only lost data on their products. Their actual customers had no reason to stop paying for their services.

It was Equifax not Experian.

I think it's telling that, in this instance, it really doesn't matter. It could have been Experian; with the wave of a butterfly's wings in the Himalayas, it was Experian, and nothing changes in that alternative universe.

Some of these https://krebsonsecurity.com/tag/experian-breach/ look like Experian is leaking like a sieve, or am I missing something?

Experian makes its money selling credit checks to banks and other businesses. You're not their customer, you're their product.

Ha. In the private sector, we discovered a vendor was using an actual health database with real users in it for testing their app. It was all covered up, with no monitoring, because we had recently bought that vendor.

Sounds like pretty standard PR legalese to me. I guarantee that the same is going to happen to the subcontractor (after a lengthy investigation, to be sure), but it's bad practice to go throwing around public legal threats, especially for the government which likely has a multi-hundred page contract with these people, and especially at such an early point in any investigations going on.

This is unless the corruption includes those who are managing the subcontractor identified. In which case, the subcontractor is blacklisted and the people responsible move onto another company (ie, Initrode vs. Initech).

Yea, that's one of the more disturbing modern trends - especially at the C-level, once someone is in that cloud they tend to just rotate jobs consequence free... and maybe occasionally run for president after doing their best to bankrupt HP.

I agree that an individual unfairly blamed by a company for their failure should be able to move on with their life but... we've seen plenty of clearly guilty people get out with a golden parachute and turn to serving on the board of directors of companies for the ridiculous sum that tends to net you.

Playing devil's advocate (and this is likely to be downvoted by the "we hate all management" crowd on HN), but the reality is that there isn't exactly a very large pool of people who have experience running/directing multi-billion dollar companies. If you start blacklisting every single C-level that was ever involved in a controversy, the only choices you're going to have for your board of directors are going to be people that have very limited experience making executive decisions.

IME, this is especially the case for security positions like CISOs, where the pool of people with such experience is excruciatingly limited to begin with (and no, a high level engineer/developer does not have the same skillset as a security professional).

There's also something to be said for allowing people to learn from their mistakes. It's obviously higher stakes for an executive, but it's along the same vein as how we don't blacklist-for-life the developers who write vulnerable code.

This has come up a number of times and I semi-agree with you. It's definitely true that C-level positions do take a special kind of problem solving to navigate with a high emphasis on time management skills that other people (even upper management) can usually delegate up... That said, the only thing restricting new entrants into that market is the resistance of that market. The skills it takes to be a CEO of a multi-billion dollar company are certainly beyond me currently, but it's a skill I could train up to if I tried - especially if I had chosen to do so earlier in life. And these positions do come with a high amount of responsibility, buuut... they don't produce value for the company at all in line with their salaries and they're certainly not irreplaceable.

I don't hate management, I've worked for some great middle managers that have made my life easy - and for some terrible ones that constantly over-promised and pushed the weight down on us in the trenches. For upper management I've worked for three main veins of persons, the ones that micromanage and attempt to constantly invest themselves in every problem - leading to an inability to make good high level decisions... the sort that are removed from business by such an extent that they are unable to reason about direction decisions and fail to support a company's natural growth.. and those that are approachable but limited, who will voluntarily back out of any low level decision discussion but coordinate what decisions are being discussed and what those decisions mean for other portions of the company.

So mainly I'm rejecting your assumption that the pool is limited to begin with - people do come from famous families and waltz into the field with no prior experience, and those who try to work their way up tend to be stifled due to their lack of experience.

I'm not sure I agree with your first paragraph. I mean no disrespect to you or your abilities, but being a C-level executive, especially in a large corporation, isn't something that someone can just "train up to". These types of positions really do require a specific personality, specific desires, often a specific ethic (work ethic and otherwise), specific connections, and more. These are the things, along with the fact that due to organizational hierarchy, there are naturally less CEOs in the world than there are entry level workers, that limit the pool.

I'm certainly not saying that all C-levels possess these necessary traits in a positive way, and there are definitely some C-levels that only got where they are because of nepotism or luck, but I also disagree that there is a significant 'stifling' of newcomers. Nearly every company I have worked at has had a specific "track" for its employees to pursue management (including C level) positions, but my experience is that most people just aren't cut out for it (either because they self-selected that they didn't want/enjoy it, or because they didn't have the necessary personality for it). More specific to the tech industry, I've often seen/heard of Silicon Valley companies having separate "Individual Contributor" versus "Management" tracks. Many engineers self-select the IC track because they don't enjoy management aspects.

And that's not necessarily a bad thing, either. Not everyone is destined to be a CEO, nor should that be everyone's goal, and there's definitely nothing wrong with not being a possessor of the negative-in-many-aspects cutthroat ethics that being a CEO often requires. It's not all too dissimilar to how not everyone is destined to be a programmer, and you can't take just anyone off the street, hand them a programming textbook, and turn them into Linus Torvalds, nor should you.

> I mean no disrespect to you or your abilities, but being a C-level executive, especially in a large corporation, isn't something that someone can just "train up to".

My hunch is that this is no more true of C-levels than it is of any other profession where some natural aptitude (eg. above average intelligence) is required. In other words, I think the "pool" of C-levels is small almost solely because of organisational hierarchy; for every C-level there are many more people with the required natural aptitude who are not C-levels. Of course, for a sufficiently narrow domain, the intersection of people with the required natural aptitude and people with the required years of domain experience may become very small.

In that sense, I think being a C-level is something that many people can just "train up to," if given the right opportunities. I'm not sure if there is any empirical evidence that could tell us who's right.

You could look at experience vs performance.

I've seen enough "emergency temporary promotions" succeed in their job that I tend to agree with you and not with the self-serving "I am special" arguments you hear from people in these circles.

> If you start blacklisting every single C-level that was ever involved in a controversy, the only choices you're going to have for your board of directors are going to be people that have very limited experience making executive decisions, and the usual explanations proffered by the "we hate management" crowd - of nepotism, insiderism, back-scratcher-ism - are more likely valid.

If we revert from "involved in a controversy" back to "has demonstrated extreme incompetence", your argument carries less weight. We can at least say that the inexperienced new guys haven't been tested and found wanting. The

I feel that your thesis is broken by definition: if there is such a small pool of people with this level of experience - so small that they are worth the money and are super difficult to replace - shouldn’t they have already made all their mistakes? Isn’t the board, by definition, paying for people who have a very high chance of making good decisions?

> shouldn’t they have already made all their mistakes?

Is there some finite limit of mistakes that humans make over their lifetimes? In fact, it would be the opposite - those who are making more decisions are by definition likely to make more wrong decisions, as compared to someone who doesn't make as many decisions.

> Isn’t the board, by definition, paying for people who have a very high chance of making good decisions?

Yes, which is why the salaries for such positions are often so high.

> Yes, which is why the salaries for such positions are often so high.

The demonstrable lack of financial repercussions for failure, which you are arguing is justified in some cases, belies this causal relationship. I'd echo Taleb and say that if an elite class is to be healthy, incompetence must swiftly and summarily result in expulsion.

They probably are doing some sort of critical service that can't be immediately stopped. That doesn't mean they will get contracts in the future or won't get legal action taken, but it takes time to review all that with the DOJ and decide how to proceed.

Remember the time Experian got hacked and the CEO subsequently retired with a $90M payday? The private sector is just as consequence-free.

Only politically connected companies, if you and I ran a business like that the outcome would have been different. The state has no problem going after small businesses.

The problem is that once you’re over a very low level all companies will be politically connected: those are jobs in someone’s district!

Yeah, no. If you only had to be a medium sized business owner to access that kind of corruption the world would be a much fairer place.

This is kind of tautological, because if you're keeping databases of this size you are necessarily not a small business

Who said the database needed to be of any particular size?

Experian got hacked? Or are you referring to Equifax? I thought Experian was one of the ones with better security.

If this is a subcontractor, it is the private sector.

I'd expect at least a huge fine and a re-evaluation of the whole contract (it could be they are a unique provider that cannot be replaced, but more likely there are other options). Looks like causing the private data of hundreds of thousands of people to be stolen is regarded as a minor thing not worthy of real punishment.

Equifax is in the private sector.

> In the private sector, they'd have been fired and probably legal action levelled against them

Tell me again one meaningful action against a data leak in the private sector. I'll wait.

Don't you remember how Equifax was hacked into and their stock price briefly dropped? Then they were burdened with all those email addresses people entered to check their credit... And they had to pay the ultimate price by spamming those addresses constantly with advertisements, and that's not cheap!

And as a free service, I can now have them email me whenever my credit score changes, so I can log in and see that I fluctuate up and down 2 points routinely for "algorithm changes". Take that, Experian!

The issue in question isn't so much the breach, but the misuse of data by the subcontractor. I've personally witnessed people be fired for this, and know of lawsuits that exist for this specifically, and that's just at the company I work for...

The only way to prevent hackers from getting access to databases that contain our names, picture, and license plate number - is to never create such a database.

Correct me if I'm being overly cynical, but this is an oft-repeated truism that is as useless as "the only winning move is not to play." It's technically the truth, but what are we supposed to do, revert all information systems to non-electronic media? What is the intended takeaway from this statement? If anything, it absolves data security efforts of responsibility by pointing out that there's always a chance of data breach as long as there is data.

That's trivially true, but the proper response to bad security is good security, not shutting down the whole system.

They did not have to take a picture of that many travelers in the 90s (let alone social media, which did not exist) and it wasn't less secure either. They probably never considered whether their program is of any use or whether it creates more harm than good.

I'm no fan of modern security theater but the number of plane hijackings and bombings in the 90s compared to today would seem to indicate that at least some good comes of it.

Found this source because I was curious the same https://aviation-safety.net/statistics/period/stats.php?cat=...


Hijackings were pretty much a daily thing (or three times daily thing) for decades.

Although until 9/11 the intent usually was either to get to a non extradition country, or demand something from some nation state primarily.

The source above shows a clear decrease in airline fatalities through the years but I suspect that's due more to safety improvements through autopilots, better sensors, and more redundancy than to the decrease in hijackings.

You are vastly over-exaggerating. According to https://aviation-safety.net/statistics/period/stats.php?cat=... , even when limiting to the period between ~1970 and ~2003, it is about 2 per month on average. The total sum of fatalities is just over 1000 people.

This is nothing to justify the massive surveillance.

I wasn’t trying to justify the mass surveillance and I totally read that table wrong, woops! That’s a brain fart ;-).

1. Do not collect unnecessary information.

2. Delete information after use.

This will only happen when information becomes a liability.

Reasonable GDPR

Except for simply not collecting the data, the only other option is making the cost of retrieval be equivalent or greater, irreducibly, to the expected value of keeping it.

Approximately, the digital equivalent of having a human rifle through filing cabinets to get to that one folder that is actually important.

To this day, the only reliable way to achieve this has been printing things on paper, especially if put in individual folders so that even OCR efforts take some human work.

Time spent by human hands is, in a way, the only somewhat fair currency to measure privacy in.

The objective afaiu was to expedite entry into the country by creating a database of faces and personal identity information. And that's a great objective.

But often the risk of personal harm outweighs the benefits. And in the case of digital assets the question is when, not if this personal data will be exfiltrated. And when it is, that is often more inconvenient than any potential convenience benefits.

I am not going to speak for the OP, but the way I would read it is: don't keep a centralized pot of gold (aka centralized servers), don't do dumb lazy things (aka plain text passwords, etc.), don't collect all that extra data, store data with good encryption, don't trade short term convenience for long term harm. FWIW, my personal view is that we should keep pushing for both: less data, and more security for the little data we allow our governments or private companies to collect.

there are ways to store this information without storing the photos. Developing signatures which are stored and discarding the photos, for example. Consider how a site like haveibeenpwned works.

The photos themselves are pretty useless anyways. A database of images will only ever be searched by an ML algorithm for which signatures should be good enough anyways, or manually, based on highly specific timestamps, by some form of police.
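The two comments above suggest keeping a derived signature and discarding the raw data. The example below, added here and not written by either commenter, shows the caveat a practitioner would attach to that: a plain hash of a low-entropy identifier such as a license plate is not a one-way signature in practice, because the whole plate format can be enumerated offline; a keyed HMAC whose key is held outside the store (assumed here to be a KMS or HSM, which the example merely stands in for with a random byte string) survives a copy of the store. The plate strings, metadata and the deliberately small plate format are constructed for this example.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed sample input for this example: made-up plate strings and lane metadata.
SAMPLE_RECORDS = {
    "ABX123": {"lane": 4, "ts": "2019-04-01T08:15:00Z"},
    "XYZ987": {"lane": 2, "ts": "2019-04-01T08:16:30Z"},
    "KLM555": {"lane": 4, "ts": "2019-04-01T08:17:05Z"},
}

# Deliberately small plate format so the brute force below finishes in about a second:
# three letters from an 8-letter alphabet plus three digits, 512,000 candidates.
# A real plate format is larger, but still trivially enumerable offline.
LETTERS = "ABKLMXYZ"
DIGITS = "0123456789"


def candidate_plates():
    """Enumerate every plate in the restricted format, as an attacker would offline."""
    for letters in itertools.product(LETTERS, repeat=3):
        prefix = "".join(letters)
        for digits in itertools.product(DIGITS, repeat=3):
            yield prefix + "".join(digits)


def unkeyed_signature(plate: str) -> str:
    """Plain SHA-256: stable, but reversible by enumeration for low-entropy inputs."""
    return hashlib.sha256(plate.encode()).hexdigest()


def keyed_signature(plate: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held outside the signature store (e.g. in a KMS)."""
    return hmac.new(key, plate.encode(), hashlib.sha256).hexdigest()


class SignatureStore:
    """Holds keyed signatures plus metadata; the plate text itself is never written."""

    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}

    def record(self, plate: str, meta: dict) -> None:
        self._rows[keyed_signature(plate, self._key)] = dict(meta)

    def lookup(self, plate: str):
        """Resolve a known plate to its metadata; only possible with the key."""
        return self._rows.get(keyed_signature(plate, self._key))

    def dump(self) -> dict:
        """What an attacker obtains by copying the store: signatures and metadata, no key."""
        return dict(self._rows)


def brute_force(target: str) -> "str | None":
    """Try to reverse a stored value by hashing every candidate plate with plain SHA-256."""
    for plate in candidate_plates():
        if unkeyed_signature(plate) == target:
            return plate
    return None


def demo():
    key = secrets.token_bytes(32)  # stands in for a key fetched from a KMS/HSM
    store = SignatureStore(key)
    for plate, meta in SAMPLE_RECORDS.items():
        store.record(plate, meta)
    leaked = store.dump()
    # Unkeyed design: any stored digest reverses to its plate with the enumeration above.
    unkeyed_reversed = brute_force(unkeyed_signature("ABX123"))
    # Keyed design: the same enumeration against a leaked row finds nothing without the key.
    keyed_reversed = brute_force(next(iter(leaked)))
    return unkeyed_reversed, keyed_reversed, store.lookup("KLM555")


if __name__ == "__main__":
    print(demo())  # ('ABX123', None, {'lane': 4, 'ts': '2019-04-01T08:17:05Z'})
```

Two limits worth stating. This is pseudonymization, not anonymization: whoever holds the key can still resolve any plate, so the key has to be compartmentalized from the store and its use logged. And it does not transfer cleanly to face photos: a face-recognition template is a similarity embedding rather than a hash, and research on template inversion shows such embeddings can be partially reconstructed, so "keep the signature, drop the image" buys much less for biometrics than for plate numbers.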

> an oft-repeated truism that is as useless as "the only winning move is not to play"

Not sure why you see that as useless; it's basically the moral takeaway from Hamlet. There are many situations where it's best to not join in 'the game'.

And this is the same group that can force you to give them your social media credentials on entry. Terrific.

Edit: Wait, just social media handles/account names, not login details. That's less ridiculous. My mistake.

If someone hacks into the DHS or DOS database and gets your ESTA / visa application information, trust me, your social media handles leaking will be the least of your problems, there's plenty of juicier information about travelers in there already.

hey at least your insta stories and snapchat stories are safe, hurray to ephemeral messaging ! /sarcasm

Credentials or just account names?

I thought it was the former but checking again it looks like I misread and it was only the latter. That's still pretty rude but nowhere near as bonkers as I thought it was.

The goal isnt to prevent it in an absolute sense. The goal is to raise the cost to either above the value of the data contained therein or compared to other direct means, like in person espionage or military actions.

Single points of failure via centralization, comparable to monoculture in farming

This is yet another reminder that managing the security of your company's third party contractors is just as important as managing your own company's security. Security is a game of weakest links, and it wouldn't have mattered if CBP's internal security was the best in the world if they were allowing access to a third party that doesn't have good security.

It is naturally very difficult to enforce security mandates on a company that isn't your own, but I feel that this is one of the best ways we can improve security overall in our society: companies need to start requiring that everyone they do business with have a strong, independently certified security program, or else no contract will be signed. This is already done for things like data center contracting, but it should be much more widespread and encompass every type of b2b deal.

From the article: "The subcontractor's network was then hacked, though CBP said its own systems had not been compromised."

No, actually your system was compromised by allowing the subcontractor to copy the data to another, more insecure network.

> requiring that everyone they do business with have a strong, independently certified security program

As a start how about requiring ISO 2700x security certification?

Quote from the article:

“There should never have been the ability to download a database like this off of government servers.”

Sorry that I don't have a ton of links to support this claim, but "believe me" (as our Commander-in-chief would say) that the US Government would cease to function if it were not for subcontractors (read, private companies) performing tasks on behalf of the government. Personally, I don't agree with this way of our government doing business, but that is the way it is.

When I was in college, I worked for an archeology lab, and our lab was the subcontractor, of the subcontractor, of the contractor that had contracted to provide a service to the USACE (US Army Corps of Engineers). And every way along the way, money was skimmed off of the top. It's just "the American way" of doing business.

People lament regulation all the time. I have a feeling the executives of Ingersoll Rand love it every time a new regulation is put into place.

Follow the money.

> “CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” said an agency statement.

How long will it take the general public and elected officials to understand that the only authorization that matters for digital data is the actual implementation. Policies, legalese, mandates or any other agreements are meaningless.

If the data can be gotten at from, or transferred to, outside of a controlled environment, it will be.

I’ll just keep saying this, and getting dismissed by everyone I know - any data security discussion around a centralized data store that doesn’t begin with the recognition that that data store will be compromised, is a discussion that is just a joke.

You and a whole bunch of other people making the same extremely basic observation. It would be good if you would suggest some alternative strategies, since 'don't bother keeping that data' isn't a realistic option in this context.

Part of my job is designing software that is resistant to amplification once the hacker is already in, so maybe I can help here.

When you plan your security, step 1 is making it hard to get in, step 2 is making it hard to persist, i.e. plant a command and control process somewhere inside the perimeter, and to move laterally in the system, i.e. get from one service into a more important service.

There's some basic stuff, such as firewall rules that prevent outbound traffic from ports/processes you aren't expecting. That makes it harder for the hacker's command and control systems to get instructions. There's other stuff like using separate credentials for low sensitivity vs high sensitivity systems, two-stage approval processes for especially sensitive operations to prevent a single compromised user from being able to get to the good stuff, automatic password rotation so that exfiltrated tokens aren't valuable, and more.

Those are just single things though. I think the more interesting part is an exercise like this: assume that the hackers have compromised a developer's computer. In that case, what does a system look like that would prevent that developer from exfiltrating payment info? I would argue that the developer doesn't normally need access to real payment info, so maybe the network should be configured so that the developer is unable to SSH into that set of database servers without first requesting a special short-lived SSH keypair. That at least means the developer has to explicitly ask for access. That doesn't make the hacker's job impossible, it just makes it harder. Also makes things less convenient for the developer, so is it worth the trade-off? For especially sensitive data, it probably is. With this setup, maybe the hacker gets to the account information, but they're stopped short of account numbers long enough to notice the breach.

This is all on the theoretical side, but that's the thought exercise once you go "let's pretend someone compromised ____ system."

One of my favorite Hacktober tricks was putting an alias around SSH on the developers machine, so the next time they used 2FA to get into a remote host I would drop a note into their MOTD (to prove persistence). That short-lived SSH token would be enough to install persistence.

So obviously, your payment hosts should be very wary of things like port forwarding over SSH, and any unknown outbound traffic.
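The comment a few lines up names egress rules that block outbound traffic from unexpected processes, and the one just above says payment hosts should be wary of SSH port forwarding and unknown outbound connections. The example below, added here and not written by either commenter, is the detection side of that: a small allowlist-based checker run over constructed connection-log lines. The log format, the host `pay-db-1`, the addresses and the policy are all assumptions for the example; the one real fact it relies on is that an `ssh -L` or `ssh -D` forward through a host shows up on that host as `sshd` itself opening an outbound connection.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample log lines (not from any real system): one line per new outbound
# connection from a host, including the originating process, as a process-aware host
# agent or host firewall could record them. Hostnames and addresses are made up.
SAMPLE_LOG = """\
2019-06-03T10:12:01Z host=pay-db-1 proc=postgres dst=10.20.0.40 dport=5432 proto=tcp
2019-06-03T10:12:02Z host=pay-db-1 proc=rsyslogd dst=10.0.0.5 dport=514 proto=tcp
2019-06-03T10:12:09Z host=pay-db-1 proc=sshd dst=10.20.0.40 dport=5432 proto=tcp
2019-06-03T10:12:15Z host=pay-db-1 proc=python3 dst=203.0.113.7 dport=443 proto=tcp
2019-06-03T10:12:20Z host=pay-db-1 proc=postgres dst=10.20.0.41 dport=5432 proto=tcp
2019-06-03T10:12:31Z host=pay-db-1 proc=curl dst=198.51.100.9 dport=8443 proto=tcp
"""

# Hypothetical egress allowlist for the payment database host:
# (process, destination network, destination port). Anything else is a violation.
EGRESS_POLICY = {
    "pay-db-1": [
        ("postgres", ipaddress.ip_network("10.20.0.0/24"), 5432),  # replication peers
        ("rsyslogd", ipaddress.ip_network("10.0.0.5/32"), 514),    # central log collector
    ],
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

Alert = namedtuple("Alert", "ts host proc dst dport reason")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev


def allowed(ev, policy):
    """True if some rule for this host matches process, destination network and port."""
    return any(
        ev["proc"] == proc and ev["dst"] in net and ev["dport"] == port
        for proc, net, port in policy.get(ev["host"], [])
    )


def detect(log_text, policy=EGRESS_POLICY):
    """Return an Alert for every outbound connection the policy does not allow."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or allowed(ev, policy):
            continue
        if ev["proc"] == "sshd":
            # sshd opening an outbound connection means a logged-in user is forwarding
            # ports (-L/-D) through this host: a pivot, not a database client.
            reason = "sshd initiated outbound connection (port forwarding/pivot)"
        elif ev["dst"] not in INTERNAL:
            reason = "connection outside internal address space from an isolated host"
        else:
            reason = "destination/port/process not in egress allowlist"
        alerts.append(Alert(ev["ts"], ev["host"], ev["proc"], str(ev["dst"]), ev["dport"], reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Detection is the backstop, not the control. On the payment hosts themselves the forwarding path can be closed in `sshd_config` with `AllowTcpForwarding no`, `AllowAgentForwarding no` and `PermitTunnel no`, and the host firewall can default-deny egress so that the checker only ever sees what slipped past policy. Per-process attribution needs a host agent; plain NetFlow gives only addresses and ports, which is enough for the external-destination rule but not for the `sshd` one.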

Yup, at some point it just becomes an arms race.

The fundamental imbalance in such an arms race is that the tech giant might have countermeasures that would prevent the SSH alias from working (my team does), but the level of paranoia required to get those countermeasures in place is beyond what a bank could effectively implement. This particular battle disproportionately favors the red team.

And that's not to say that my team has everything covered. The red team consistently manages to find forehead slapping holes in our defenses. There's just too much surface area to cover.

Really enjoyed reading this, thank you for the time you put into it and the clear explanation.

1. Don’t bother collecting the data since it is not a net gain.

2. Don’t collect data that doesn’t actually help enforce any laws.

3. Don’t produce new legislation that doesn’t actually solve any existing problems (it is already illegal to break the law).

4. The best way to keep secrets is to not have secrets in the first place. Once you have secrets the best way to keep secrets is to not share them.

sure it is! you don't need to keep a centralized photo db of every person who enters your country all in one place, even to build ML models on. This could have been federated in a variety of ways that would've reduced a breach risk.

Or, we could avoid building a massive surveillance network that doesn't help make our world better.

I'm not arguing for centrality, but how do you see this actually working? People submit photographs when they make visa applications, so how are you going to store that?

These were not photos submitted with visa applications.

> The compromised photos were taken of travelers in vehicles coming in and out of the US through specific lanes at a single Port of Entry over a one and a half months period.

The article also mentions this was part of a new program to use facial recognition on everyone entering the country. We've never had that capability before, so I see this working like it always has.

Regarding the visa photos, it depends on what they're used for. In general I'd prefer avoiding ongoing surveillance as much as possible, which reduces the need to keep digital photos preserved in accessible places.

I’m not sure why you’re being downvoted; I think it’s a fair comment. My response is that I’m honestly not sure what the best response is. But if we start with insecurity as a given, then I feel like we could at least be exploring better alternatives around... people storing data locally and always providing it for every interaction? Maybe.

Why does decentralization save you from compromise?

I wouldn't frame it as decentralization, more like compartmentalization. You harden your systems to prevent horizontal movement between services.

For example, you could try to put payment credentials in a separate subnet where they are never read out of that enclave. Access to that subnet might require separate authentication credentials that most employees don't have, and API calls might require the calling server to possess a separate type of short-lived certificate. So when the main DB is compromised through an employee, it's still hard to laterally access more sensitive data.
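The thought experiment earlier in this thread (a compromised developer machine, a separate short-lived SSH keypair that must be explicitly requested, separate credentials for low- and high-sensitivity systems, two-stage approval, automatic rotation) and the compartmentalization sketch just above describe the same control. The example below, added here and not written by either commenter, puts those pieces into one small broker so the interactions are visible: a credential is scoped to a tier, signed with that tier's own key, expires, needs two approvers for the sensitive tier, and dies on rotation. The tier names, lifetimes and principal names are assumptions for the example; in practice this role is played by an SSH certificate authority issuing certificates with a short validity window, or by a secrets broker, not by hand-rolled HMAC tokens.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical policy: maximum credential lifetime per tier, in seconds.
MAX_TTL = {"low": 8 * 3600, "high": 15 * 60}


class AccessBroker:
    """Issues short-lived, tier-scoped credentials and verifies them.

    Each tier has its own signing key, so a credential for the ordinary tier cannot be
    replayed against the sensitive one, and rotating the high-tier key invalidates every
    outstanding high-tier credential at once.
    """

    def __init__(self):
        self._keys = {tier: secrets.token_bytes(32) for tier in MAX_TTL}

    def rotate(self, tier: str) -> None:
        self._keys[tier] = secrets.token_bytes(32)

    def request(self, principal, tier, ttl, approvers=(), now=None):
        """Issue a credential. The high tier requires two approvers other than the requester."""
        now = time.time() if now is None else now
        if tier not in self._keys:
            raise ValueError(f"unknown tier {tier!r}")
        if ttl <= 0 or ttl > MAX_TTL[tier]:
            raise ValueError(f"ttl must be within (0, {MAX_TTL[tier]}] for tier {tier}")
        if tier == "high" and len({a for a in approvers if a != principal}) < 2:
            raise PermissionError("high tier needs two distinct approvers other than the requester")
        payload = {"sub": principal, "tier": tier, "iat": now, "exp": now + ttl,
                   "approvers": sorted(set(approvers)), "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        return body + "." + self._sign(tier, body)

    def authorize(self, token, tier, now=None):
        """Return the subject if the token is valid for this tier right now, else None."""
        now = time.time() if now is None else now
        if tier not in self._keys or token.count(".") != 1:
            return None
        body, tag = token.split(".")
        if not hmac.compare_digest(self._sign(tier, body), tag):
            return None  # wrong tier's key, tampered payload, or key rotated since issuance
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["tier"] != tier or not (payload["iat"] <= now < payload["exp"]):
            return None
        return payload["sub"]

    def _sign(self, tier, body):
        return hmac.new(self._keys[tier], body.encode(), hashlib.sha256).hexdigest()


def scenario(now=1_000_000.0):
    """Walk through the compromised-developer thought experiment; returns the outcomes."""
    broker = AccessBroker()
    low = broker.request("alice", "low", 3600, now=now)
    out = {
        "low_on_low": broker.authorize(low, "low", now=now + 60),
        "low_on_high": broker.authorize(low, "high", now=now + 60),
    }
    try:
        broker.request("alice", "high", 600, approvers=["alice"], now=now)
        out["high_without_approvers"] = "issued"
    except PermissionError:
        out["high_without_approvers"] = "refused"
    high = broker.request("alice", "high", 600, approvers=["bob", "carol"], now=now)
    out["high_fresh"] = broker.authorize(high, "high", now=now + 100)
    out["high_expired"] = broker.authorize(high, "high", now=now + 601)
    # A credential stolen from the developer's machine loses its value on rotation.
    broker.rotate("high")
    out["high_after_rotation"] = broker.authorize(high, "high", now=now + 100)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point the comment makes still holds: none of this stops an attacker who already controls the developer's session while a fresh high-tier credential is live. What it buys is that the credential has to be asked for (which is a logged, approvable event), that it is useless against the other tier, and that it stops working within minutes rather than remaining valid until someone notices.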

It sounds like CBP might have done that.

What was stolen:

> The compromised photos were taken of travelers in vehicles coming in and out of the US through specific lanes at a single Port of Entry over a one and a half months period.

What wasn't stolen:

>No other identifying information was included with the photos and no passport or other travel document photos were compromised, the official said. Images of airline passengers from the air entry and exit process were also not involved.

> On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network

Sounds like CBP's issue was less about compartmentalizing, more about controlling for how the subcontractor accessed the data.

Honestly the problem sounds more like something borne from ignorance than malice. It's a headache having to download every image you have to analyze, so why not copy the whole thing to a local network drive and work with it here? And then some hacker lifted it from the local network drive.

Anyway I wasn't talking about the CBP specifically. I was responding to the question about why decentralization saves you from compromise. My response was that compartmentalization is useful for damage control.

Great job, thanks guys. Shouts to NSA and the whole security industrial complex for looking out for us. Glad to see all the research and 0day hoarding paid off. Really appreciate it.

You can outsource work, you can't outsource responsibility. It will likely be a long time before the various powers that be really get this.

Isn't monetary liability a form of "outsourced responsibility"? I'm not understanding why damages from lawsuits are not sufficiently motivating the industry to take data breaches seriously. Maybe they just aren't awarding enough damages to change behavior?

Think liability insurance, by the same companies who charge you healthcare. We are spreading the cost of irresponsible folks across society then bailing out the companies who make those choices.

The photos were transferred to a subcontractor’s network and later stolen through a “malicious cyberattack,” a CBP spokesperson told TechCrunch in an email.

Anyone think they approved the security of that subcontractor before giving sensitive information to them?

More importantly, why is that type of data leaving CBP in the first place?

Compliance with NIST SP 800-53 is mandatory per statute and DHS policy. That system has an identified ISSO, ISSM, ISSPM, DAO, and AO who are responsible for authority to operate being given. If the paperwork is in place, a government employee signed off on that network's operation. If not, it doesn't have ATO and there's a government employee (the AO or CIO) responsible for allowing such a network to be connected to government systems and store government-controlled information.

I worked at a government contractor that was rolling out NIST compliance. Everyone, from IT to engineers, hated it. You can rest assured that as soon as someone isn't looking, they're going to violate it.

I have never come across a compliance policy that people didn't hate.

Compliance, almost by definition, needs to make people's jobs harder, or create extra work. Because people are lazy, and they tend to go for the path of least resistance, and those are not good things in the context of safety and security.

Compliance is a tool. It's used to enable security iff the C-suite want to use it that way; otherwise, it's just another meaningless metric.

> Anyone think they approved the security of that subcontractor before giving sensitive information to them?

They almost certainly did, actually. FIPS [1] and FISMA [2] are pretty strict requirements for every company contracting with a government agency. IMO it's one of the rare situations where, at least conceptually, the federal government has done something right in terms of security.

Now whether FIPS/FISMA, and the people enforcing it, actually have any teeth or effectiveness is a different topic entirely.

1: https://en.wikipedia.org/wiki/Federal_Information_Processing...

2: https://en.wikipedia.org/wiki/Federal_Information_Security_M...

If Fedramp is like other security certifications, written policies can be used in lieu of actual enforcement.

A policy could be something like:

"Vendor shall not move sensitive data out of CBP's secure network"

So it's pretty much on the honor system. And some new employee at the vendor may not even be aware of all of the policies they are supposed to be following. The vendor is still responsible for that employee's actions, but it can be discovered too late (as in this case, the breach was already made).

But instead of just a written policy (among dozens or hundreds of others) that people are expected to abide by, this could be enforced by limiting the vendor's access to the network. For example, by counting how many records they access, how many bytes of data they download over their connection to the secure network, or not giving them direct access at all and exposing only an API controlled by CBP that gives them access to only the data they require.
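The per-vendor counting the comment proposes, worked through as an added example (not code from the thread, CBP, or any vendor): a gateway-side check that tallies records and bytes fetched per account per day, flags bursts, and rejects accounts with no quota at all. Account names, quotas and log lines are constructed.

```python
"""Quota and burst checks over a vendor's pulls from a secure network.

Added example, not code from the thread or from CBP: it models backing a
written 'do not move data off the network' policy with a technical control
that counts the records and bytes each vendor account fetches and raises an
alert when a daily quota or burst limit is exceeded. All log lines, account
names and quota values below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed access log, one fetch per line: time, vendor account, record id, bytes served.
SAMPLE_LOG = """\
2019-05-20T08:00:01Z vendor-a img-0001 204800
2019-05-20T08:00:03Z vendor-a img-0002 198000
2019-05-20T08:00:05Z vendor-a img-0003 201000
2019-05-21T02:00:00Z vendor-b img-1001 210000
2019-05-21T02:00:01Z vendor-b img-1002 210000
2019-05-21T02:00:02Z vendor-b img-1003 210000
2019-05-21T02:00:03Z vendor-b img-1004 210000
2019-05-21T02:00:04Z vendor-b img-1005 210000
2019-05-21T02:00:05Z vendor-b img-1006 210000
2019-05-21T02:00:06Z vendor-z img-1007 210000
"""


@dataclass(frozen=True)
class Quota:
    max_records: int        # records a vendor may fetch per UTC day
    max_bytes: int          # bytes a vendor may fetch per UTC day
    burst_records: int      # records allowed inside one burst_window
    burst_window: timedelta


# Constructed per-account quotas; the gateway holds these, not the vendor.
QUOTAS = {
    "vendor-a": Quota(max_records=100, max_bytes=50_000_000, burst_records=5,
                      burst_window=timedelta(seconds=60)),
    "vendor-b": Quota(max_records=100, max_bytes=1_000_000, burst_records=5,
                      burst_window=timedelta(seconds=60)),
}


def parse_line(line):
    """Split one constructed log line into (timestamp, vendor, record_id, bytes)."""
    ts, vendor, record_id, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), vendor, record_id, int(nbytes)


def evaluate(log_text, quotas):
    """Walk the log in order and return (alerts, totals).

    alerts: {vendor: [message, ...]}, at most one message per vendor, day and
            kind ('records', 'bytes', 'burst'); unknown accounts alert per line.
    totals: {vendor: {day: {'records': n, 'bytes': b}}} for audit reporting.
    """
    totals = defaultdict(lambda: defaultdict(lambda: {"records": 0, "bytes": 0}))
    recent = defaultdict(deque)      # vendor -> timestamps inside the burst window
    fired = set()                    # (vendor, day, kind) already alerted
    alerts = defaultdict(list)

    for line in log_text.strip().splitlines():
        ts, vendor, record_id, nbytes = parse_line(line)
        quota = quotas.get(vendor)
        if quota is None:
            # An account with no quota has no business on the data path at all.
            alerts[vendor].append(f"{ts.isoformat()} unknown account fetched {record_id}")
            continue

        day = ts.date().isoformat()
        tally = totals[vendor][day]
        tally["records"] += 1
        tally["bytes"] += nbytes

        # Sliding window of this vendor's recent fetches for burst detection.
        window = recent[vendor]
        window.append(ts)
        while ts - window[0] >= quota.burst_window:
            window.popleft()

        checks = [
            ("records", tally["records"] > quota.max_records,
             f"{tally['records']} records exceed daily quota {quota.max_records}"),
            ("bytes", tally["bytes"] > quota.max_bytes,
             f"{tally['bytes']} bytes exceed daily quota {quota.max_bytes}"),
            ("burst", len(window) > quota.burst_records,
             f"{len(window)} records in {quota.burst_window} (limit {quota.burst_records})"),
        ]
        for kind, tripped, detail in checks:
            if tripped and (vendor, day, kind) not in fired:
                fired.add((vendor, day, kind))
                alerts[vendor].append(f"{ts.isoformat()} {kind}: {detail}")

    return dict(alerts), {v: dict(d) for v, d in totals.items()}


if __name__ == "__main__":
    found, per_day = evaluate(SAMPLE_LOG, QUOTAS)
    for vendor, messages in found.items():
        for msg in messages:
            print(vendor, msg)
```

On the constructed log, vendor-a stays silent, vendor-b trips the byte quota on its fifth fetch and the burst limit on its sixth, and vendor-z is flagged on every line because it has no quota.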

Most of these are so-called "paper security", while some real technical vulnerabilities can effectively crash all these fictional barriers.

At best, ads. At worst, ...

Don't worry folks, I'm sure this won't hinder the CBP and other related agencies from continuing to roll out systems that capture ever more of our data.

The sad truth is Congress is the biggest offender of poor network security practices. Every time they bring in Equifax, DHS, etc to explain why they didn't practice basic IT security due diligence or due care I am reminded of the time smart people were hired to implement basic network security for Congress. Once they realized Joe in IT (who was hired to keep hackers out) can see Congressman Bob has a foot fetish, fish fetish, whatever, Congress told IT to turn everything off.

Not far off from what it turns out (after investigation) really happened![1]

[1] https://en.m.wikipedia.org/wiki/Imran_Awan

> Not far off from what it turns out (after investigation) really happened![1]

> [1] https://en.m.wikipedia.org/wiki/Imran_Awan

I don't see how that link supports your conclusion? From my reading of it, no data was stolen by Imran Awan?

There were more serious allegations against the individual, but the gov't dropped those claims. All that was left was the fact this individual had extensive access to Congressional servers.

Rule #1 about databases: It will be hacked. Rule #2: see rule #1

That would imply that security is irrelevant. Maybe you should re-work your rule to say that it will be attacked. Therefore you should always worry about security.

Security is not irrelevant, but that doesn't mean that everyone won't be hacked. There is a saying in the security world: "there are two types of companies: those that have been hacked, and those that just don't realize yet that they've been hacked".

Of course we shouldn't just 'give up' and stop trying to improve our security, but the unfortunate truth is that breaches are practically inevitable. In addition to constantly striving to improve our security, our society also needs to start investigating ways to make it so that breaches are less impactful (for example, stop using SSNs as any type of secret identifier, so that if an SSN database is breached, it doesn't matter).

I'm with OP here. You just shouldn't have unencrypted, sensitive data in a database.

I kind of think you've misunderstood something. This person said "You will be hacked". A guaranteed absolute. If that were the case then why bother protecting anything?

His wording was misleading. Not his intentions. Nobody is in disagreement that security is very important.

I disagree, his wording was pretty spot on. Don't collect personal data - it will be hacked. At many of the businesses I've worked at I've made an effort to lower our PII data blob purely to reduce liability for when it was compromised. If you can see some information, a hacker eventually will.

Granted, lowering liability is apparently something I shouldn't worry about since no one is ever held to account for breaches these days.

If that is what he was going for then alright. My bad.

It doesn't imply that security is irrelevant - it's just that you shouldn't really expect to succeed in preventing all attacks (since no one does), just reducing their number.

This implies that in addition to reducing the likelihood of breaches, you should also focus on all the other aspects of security, especially detection and mitigation; and for databases one of the main ways of reducing the impact of breaches is to avoid storing sensitive information as much as possible. In this particular example, was it really necessary to store pictures of license plates beyond a very limited period of time? A breach can't leak what you don't store, and you will get some breaches.

I think OP is arguing that you should worry about security AND collect only what's strictly necessary.

That's absurd. This statement is exactly why we use algorithms like bcrypt to store passwords. If we could be confident that our database wouldn't be hacked, we could just store passwords in plain text and save a whole lot of CPU cycles.

Either that or rework what data you collect so that when you get hacked/leaked it's not as big a deal. Or don't collect data at all.

Security is relevant, it's what determines how long until you're hacked.

At a minimum, if something is secure by design, there's way less to worry about.

No, the goal is not to make it unhackable, because that's impossible, but to make it really, really costly/difficult to hack.

Just another reminder that there is no accountability left in America, and you reap what you sow. If you want a society that is accountable, you need to start with a culture that values honor and takes shame seriously. You can’t impose a sense of honor from the outside without building it slowly from within, any more than you can impose respect without earning it.

If you ignore these principles, you make room for people who lack self-worth, and those are the most destructive forces in a society because they have nothing to lose.

Can I play devil's advocate here?

This is, of course, a serious breach and there will and should of course be consequences for the negligent parties.


I am struggling to see the threat model being faced here.

Biometric data is just a username. I flash my face around all day, and am careless as to where I leave my thumbprint.

The loss of so many photos and names is unlikely to have national level consequences (Compare this to say the Office Of Personnel management breach from some years back - that has horrible implications for US National security for decades) and the personal level consequences are ... hard to see

What this does underline is that we are outrageously careless as an industry with our data (comparable to early industrial "pollution" as Schneier points out). And it is not going to get better without a) career and business ending consequences b) new ways to store / secure data c) a new way of thinking about who owns and what is personal data

Personally I think we need a new form of intellectual property (just as we are trying to work out what kind of company FAANG are (not telcos, not newspapers, what is a platform?) we need to ask what is personal data

This comment is presumed under law to be my property, my copyright. I might license that property away (dunno never read HN T&Cs) but it is mine. But google and apple and others will track that I sat down at a certain time and place to write it, my ISP will see when I sent to which servers.

All of that data is also created by my conscious actions - should that data not also be my property? And if need be licensed - and compensated for its use?

And when (if) my data is held - then we should presume that it can be accessed by my agents for my benefit (from spending patterns to heart data). I would argue that sometimes surveillance can be good for us - but only in ways similar to doctors knowing more about me can be good for me - the entire industry of medicine has individual interests at its heart and took a long time to get there.

We are heading in that direction (perhaps) but till we get there, carelessness will be the cheapest option, surveillance always bent against us (by state or other actors). We should rail against this stupid dumb breach, but punishing the "bad guys" is not even the first step on the road.

If I can make a bad analogy - It's not one incident that people got sick from one chef badly cooking chicken - it's we need to look at factory farming and meat consumption and healthy eating and marketing bias as a whole.

> I am struggling to see the threat model being faced here.

We don't really know the full details of the breach, but if the facial recognition database contained names in a column associated with pictures, that data can absolutely be leveraged and cross-referenced against other "fullz" for fraud that even passes a lot of online verification procedures.

I agree that we don't know what was lost, and it could easily be waaay worse than I imagine

But this kind of comes back to my point - why do we have online verification systems that rely on things like knowing my address in the last three years - Equifax breach should have meant we gave up on using a credit risk scoring system as an identity provider.

But we don't.

We need to rethink what is identity (start with web of trust) and who owns data that links to that identity.

I mean this could be the start of a positive identity provider - grab that downloaded database and provide a system that says this is a picture of Paul Brian's face, and his passport, and on the 20th August last year an official of the US government compared them in real life and verified they matched (there may even be a hash of the digital images made at the time but I should not get my hopes up)

Now make that globally available. Is that useful and valuable - I think so. I would prefer if I had been able to upload my public key to that at the same time (I can always visit NYC again) but you get the idea. This leads to question like why does my passport not generate a key pair for me to use? Can I use facial recognition to match my gravatar / facebook / twitter ? Why is knowing a non-secret (mother's maiden name, passport or drivers license number, three digits on back of credit card) seen as security?

Why is it we use what we have to hand and not what is needed? Why don't American banks use chip and PIN?

It's not bad that my online identity is clear and visible - as long as the legal and practical frameworks exist to support it - which they basically don't right now but we could make it happen

They've helped themselves to what seems to be limitless legal power as well as a functionally infinite budget... and still this type of incident doesn't surprise us in the least. Everyone just expects them to be one of the least competent actors in the space. And they don't disappoint. Hmmm.

If only someone could have seen this coming, you know, outside of the thousands of people that saw this coming. This is just one of many reasons why mass surveillance is terrible.

Why is it terrible? Sure this has the potential to have negative consequences for the people whose data it was, but as far as the government cares it's working fine.

Well, I guess I believe the whole government for the people by the people bit so something that is bad for the people should be bad for the government.

Now the innocent Muslim community (who I expect are over-represented in these databases) gets to enjoy identity theft.

It's just a pile on at this point.

It says license plate images from a single point of entry so it probably represents majority Mexican or Canadian people.

Who could have predicted this would happen?

Anyone? Why is a 3rd party given the ability to store such a large database to conduct such business? They should at most store the last 3 months of border documents, nothing older than this.

I _think_ OP was trying to be sarcastic.

I think you can remove the "think".

CBP database with images of travelers and license plates breached via a subcontractor with access to CBPs network. Updates to follow.

Nothing else in the article.

"First you say don't take your pictures. Then you say don't lose them in a breach. Make up your minds!"

If CBP is not directly forthcoming with facts relating to the breach (specifically, whose information was unlawfully taken from the CBP production network) how does one seek redress for the harms created by the actions of the contractor?

I haven't crossed the border in twenty years but I'm probably in this or a related database.

I'm a long distance trucker. A few weeks ago I was traveling north from Laredo. When I drove through the border patrol checkpoint, a bank of five or six cameras to my right flashed, I assumed getting my face, license plate, and likelihood of committing a crime in the near future.

The truck is registered to my employer, but I'm sure that can lead to me with a WHERE clause.

At the least they would know where they've seen this face in this truck. I wonder if being in a different truck would be suspicious. I guess it would be if they needed it to be.

Seems reasonable for the federal government to pay states to send new license plates to affect the compromised ones? I'm not under the impression license plates aren't recorded in public anyway, but still.

"...though CBP said its own systems had not been compromised."

That's one way of looking at it.

The amazing thing is we became aware of this practice back in early May. It is now June and it has been hacked.

A large collection of valuable data that was questionably secured was somehow stolen!? Say it ain't so!

> “Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” the statement read.

Could this lead to criminal charges? Perhaps charging the contractor under CFAA for unauthorized access?

Only if the contractor was not meant to have access to this data. I would put money on them being contracted to "securely manage" the data CBP accrued without consent.

Sounds like Perceptics.

Yes, one of the bright lights at CBP left the name in the title of an otherwise redacted Microsoft Word document, confirming that it's them.

seems very likely, wapo journo broke this and it's alluded to: https://wapo.st/2ItjHfW

The Register reported the Perceptics breach on May 23: https://www.theregister.co.uk/2019/05/23/perceptics_hacked_l...

Sorry I was unclear and linked to the wrong article, I meant that wapo journo poking around led to DHS & CBP responding on the record. It was one in the line of recent articles about facial recognition that travelers can opt-out of but nobody is sure how exactly you are supposed to do so. The wapo article I linked did attribute The Register info linking Perceptics. Both wapo articles are linked in this tweet: https://twitter.com/geoffreyfowler/status/113817627922244403...

> And on Monday, after I published this column online, Department of Homeland Security officials called me to disclose that photos of travelers were recently taken in a data breach, accessed through the network of one of its subcontractors.

And that’s why I don’t want my face as my passport.

Funny how I was just reading another article about this this morning..


To me the real question is why is a subcontractor able to copy the entire database? Why wouldn't the government only allow limited access to the database to these contractors?

Fair compensation to those whose biometric information has been compromised should, at the very minimum, include free plastic surgery - in similar situations where social security numbers have been offered the government has provided new replacement social security numbers, so there is precedent. Seriously though, this highlights the danger of databases of biometric information, there's no way of remedying the damage because there's no credible way of altering one's personal biometric markers.

Or let this be proof that biometrics are a terrible way to verify someone's identity.

Where did the license plate information come from?

I would think it's from cameras at vehicle border crossings. You can see an example here: https://goo.gl/maps/GRAY5GVnAYLr7aSZ8

Not just land border crossings - there are also CBP-maintained checkpoints [1] within the '100-mile zone'.

[1]: https://goo.gl/maps/Nfk1XjUFGsNh5QD29

Ohh I see, okay thanks.

Just a guess, but maybe the CBP takes pictures of the license plate at land border crossings?

CBP does more than that.

They have a joint venture with DEA to have fairly comprehensive coverage of interstates. Also, private companies offer LPR services and sharing, not sure if this company did or if that database was breached.

If not pictures, I would say license plate numbers are at least recorded digitally inside of their report.

If they took a decent picture, then they could identify something that looks like the license plate and then use OCR to compute the number and store that.

I would like to know:

How many individuals and vehicles have been impacted?

Any way we can hold the agency and its contractors accountable for this issue?

> CBP requires that all contractors and service providers maintain appropriate data integrity

Requires, but how do they enforce it?

According to the report, CBP is passing the buck on this one.

They created policies that could be ignored. That’s on them. They shouldn’t be able to use their position to avoid accountability or to scapegoat their contractors (that they likely hired without due diligence).

Government agencies should never be seen as victims. They hold power and authority that nobody else can hope to enjoy. There is no higher power to hold them to account because the electorate had already been subverted to maintain their position. So they should not be protected from fucking up. In this context, God or the Lord is not a higher power, it is also a scapegoat.

With great power comes everybody else’s responsibility... said only by people in this century.

Edit: to follow this up, CBP is also the agency that sucks up all the data on your phone and laptop. They have treasure troves of license plates, passport photos, and titty and dick pics.

They cannot absolve themselves of liability when they are invading everybody’s privacy. If they say they don’t use the data, and they are acting out of ignorance, then that’s a solid case for not collecting it in the first place.

As it stands, the US needs a GDPR.

There’s a lot going on here, and I’m no fan of CBP but this is pretty much a low-grade by the book contractor failure here. They receive training on all of these things, and have gone through a lengthy award and due diligence process and then all it takes is one person thinking “hey I think I’ll take a sample dataset back to my Dev laptop to test things.” Could be a newbie or a senior - who knows, but it’s happened before.

Go after CBP for constitutionality of collection, for working outside of borders where they are legally not allowed to work, etc, but in this case I’d say let’s not blow things too out of proportion.

Remember when OMB lost hundreds of thousands of detailed compromising personal background check reports with all the identifying information including biometrics? This sounds like some port of entry data you could get with a camera in public.

Further: they are not absolving themselves. They are probably working their asses off right now to make sure this never happens again but somebody is going to pay for credit protection and insurance, and it should be the contractor that ignored their contract and all sensible security policy. So, there it is in the press release.

Lastly: I don’t think GDPR fixes this. Government (especially intel community and law enforcement) keeps the data as long as their record schedules allow.

Thankfully, laws about breaches required them to reveal this to us within a certain time. Privacy Officers have really hard jobs. To do them well is hard and thankless. Glad this one stuck to the law.

> There’s a lot going on here, and I’m no fan of CBP but this is pretty much a low-grade by the book contractor failure here.

Maybe government agencies shouldn't be allowed to contract out. And if they are, then they should be held ultimately responsible for their choice of contractors.

Non-military, executive branch headcount has remained relatively consistent in absolute numbers since the 1950s, believe it or not, at ~2 million, even though the budget has expanded enormously. Sources:

Historical table: https://www.opm.gov/policy-data-oversight/data-analysis-docu...

A concurrence in my assessment: https://www.nationalreview.com/2017/02/federal-government-gr... ("So, since 1960, federal spending, adjusted for inflation, has quintupled and federal undertakings have multiplied like dandelions, but the federal civilian workforce has expanded only negligibly, to approximately what it was when Dwight Eisenhower was elected in 1952." Note I'm not necessarily agreeing with the sentiments expressed elsewhere in that article.)

AFAIU for over half a century there's been something of a gentlemen's agreement in Congress among Democrats and Republicans that keeps the official headcount fixed while expanding government through contractors--the closest thing to a wide-spread "conspiracy" (tongue-in-cheek) I've ever seen. Of course, lobbyists and the contracting industry play a huge part in maintaining the system, but IMO that overlays the long-term political equilibrium reached in Congress.

One reason I finger Congress, and not lobbyists, as the principal supporters of the system is that Democrats would much rather have full-time federal employees, so they're clearly compromising. It's hard to say what Republicans want, but to many Republicans hiring contractors 1) squares limited government with electoral pressures to "do stuff" at the federal level, and 2) superficially provides better price signaling through competitive bidding (though if we're honest that's... complicated). Note how the numbers remain conspicuously stable across major domestic and international political shifts. It's fascinating.

State and local government workforces have ballooned, and a lot of federal expenditures are administered via state-based programs. But that doesn't conflict with the "conspiracy" noted above, it's arguably just a way for the Democrats and Republicans to jockey around it.

Indeed. CBP made the choice to subcontract w/o proper controls. It is still CBP's fault.

Given that the contractor violated the data handling rules in their contract, the only possible remedy is revocation of their facility security clearance, followed immediately by revocation of the personnel security clearances of everyone who claimed that these systems were operating in accordance with their SSPs.

I'd like to believe that this will happen, but I've seen plenty of cause for FSCs to be revoked and almost no FSC revocations.

And remunerations for all citizens that were affected in the form of cash payments.


Nah, Americans can be subject to their own laws, they were voted for. I'd go for remunerations for non-US citizens who had no choice in the matter (e.g. by being sent to the US for work.) Maybe see us as a bit more equal.

> made the choice to subcontract w/o proper controls

seems to have worked out very well for the army, and their contractors.

So well in fact, that a senator is on a campaign to pass legislation to specifically address the military case (leaving cases like the CBP which should be as obvious as from the get go, to be dealt individually too). The system is so broken in its lack of accountability that even well intentioned people are driven to insanity as the norm.

> They cannot absolve themselves of liability when they are invading everybody’s privacy.

This is incorrect. They can absolve themselves of liability and act with impunity.

You and I might not like that, but it is fact.

I accept it as fact insofar as it actually happens, and calling it a fact makes it immutable.

I think that giving the benefit of objectiveness makes it easier for them to continue down this path.

I’m shocked that there aren’t a bunch of public resignations. I’m also shocked that there aren’t more details - for example - let us know the scope of all the data that company had access to, so we can get an idea of the maximum exposure the public faces.

> Government agencies should never be seen as victims.

That's a weird absolute, and that's before the side dish of theology and... Spiderman? You can be powerful or negligent or whatnot and still be a victim.

In this case, CBP is collecting this data without the direct consent of _the people_, so who in this case is accountable?

It's not _the people_ who made the decision to collect this data.

You can bear responsibility for something and still be a victim. It's really bizarre to suggest this is somehow not the case and to try to support that point with deities, comics and a call for GDPR legislation (for US federal agencies?). This kind of comment is the Markov chain with which threads are anchored to the bottom of the Abyss of Meaninglessness.

Great, maybe it can fine itself for the breach. And by that, meaning it can return my tax money to me.

It is clear from the tenor of some of the posts here that more of you need to work for some non-zero time in the government so you can have some empathy / appreciation here. They’re hiring.

The same org separating children from their families at the border in violation of a court order? Why would I take a pay cut to work for that mission?

I don’t fault the engineers in any case, it seems like their technical security wasn’t tested here; it was some kind of policy failure that led to the information leaving government control. And that’s the problem, we don’t solve this with engineering, or empathy for engineers, we solve this by letting legislators know what we feel and know as members of the industry, through letters and the ballot box.

I meant government in general - not CBP. Without having worked in the federal space, it’s likely a lot of the context of this - policies, procurement, onboarding, security, etc is lost. Probably should have clarified and I deserve the downvotes. Agreed that CBP’s mission at the moment is a serious problem.

Can I sue them for negligence with my personal information under GDPR as an EU citizen?

Nobody saw this coming or warned about this...

It's not clear to me if the whole database was downloaded and leaked or just part of it. Anyone know?

> CBP’s networks were unaffected by the breach.

Why did citizens' private data leave CBP systems in the first place?


Same story that is also trending on the HN homepage right now... My comment from that story which is from (https://www.buzzfeednews.com/article/daveyalba/the-us-govern...):

Quote from the article: “There should never have been the ability to download a database like this off of government servers.”

Sorry that I don't have a ton of links to support this claim, but "believe me" (as our Commander-in-chief would say) that the US Government would cease to function if it were not for subcontractors (read, private companies) performing tasks on behalf of the government. Personally, I don't agree with this way of our government doing business, but that is the way it is.

When I was in college, I worked for an archeology lab, and our lab was the subcontractor, of the subcontractor, of the contractor that had contracted to provide a service to the USACE (US Army Corps of Engineers). And every way along the way, money was skimmed off of the top. It's just "the American way" of doing business.

People lament regulation all the time. I have a feeling the executives of Ingersoll Rand love it every time a new regulation is put into place.

Follow the money.

> Quote from the article: “There should never have been the ability to download a database like this off of government servers.”

I love when I read quotes like this that are so obviously written by non-tech people that have no idea what they're talking about.

As we at HN all know, if it exists digitally, it can - and will - be downloaded. End of story.

The government is never held accountable for mistakes they make. They are, in fact, too big to fail.

We detached this subthread from https://news.ycombinator.com/item?id=20151327 and marked it off-topic.

> The government is never held accountable for mistakes they make.

In a functioning democracy "they" is "us".

> In a functioning democracy "they" is "us".

That notion is generally not in keeping with the western common-law tradition, which holds a more skeptical view of governments which have the moral authority to operate within any domain and with any powers so long as they can connect those powers to the consent of the governed.

Instead, the tradition of the United States, for example, is that government power is limited and enumerated and does not change no matter what "us" may say about it in the form of political elections.

I suggest that you read (just an example) Federalist 10 by James Madison and consider how thoroughly these guys thought through the argument you are making about democracy and how hard they tried to make something better.

And none of this is to amount to founder worship: we can all see now that there was tremendous hypocrisy in founding a nation which didn't categorically prohibit slavery from the get-go. And in fact, slavery continues to this day in the form of a prison system that "us" has occasionally been happy to endorse, the rights of the incarcerated be damned.

All I'm saying is: don't tout democracy in such simplistic terms without also considering the arguments of its critics.

In one that is not too large to fail, I'd agree. We have a monolithic government that has been going away from "they" since the state restricted the size of the House of Representatives and have shifted more and more responsibility and power to the federal branch.

It's no different than the same moral hazard large corporations face that we empower through cronyism and the effects are obvious, notably events leading up to the great financial crisis in the late 2000s.

Large institutions not held accountable get to take outsized risks knowing they'll always be bailed out and not held accountable. This article is one of many examples of such.

Some endeavors carry significant risk but the rewards are also significant. The infrastructure doesn't have to be completely dismantled because one endeavor failed (however catastrophically). Why cause more pain than is necessary?

We don't necessarily have a functioning representative democracy, though - too much power is held by lobbyists, the fact that politicians can lie to the population, and the fact that our votes don't 1:1 elect officials due to gerrymandering and voter suppression.

Too much power is given to money and wealth. This has held true for thousands of years in Western civilisation (back in Ancient Greece, wealth was measured by output, the Pentekosiomedimnoi being the aristocrats).

The whole setup seems more and more like a grand cash grab.

It's actually mostly just pure laziness.
The Permanent Apportionment Act of 1929 was enacted because it was "too hard" for Congress to rezone/redistribute House of Representative members. This measure, and ones like it both in law and in business, create large bureaucratic organizations that move slowly and are prized for their stability, which is another word for "zero accountability or disruption."

Very few people set out to have growing inequality of resources or to amass power for the sake of doing it, though of course the people in power now seek to keep it for the sole reason of not wanting to lose it (they frame it as "too big to fail," "stability is important," and so forth).

It's just pure inertia. We went away from smaller regional governments that report up to a lightly-empowered federal one with a lot of individual liberty step by step, for convenience and for "safety" (any number of military or police actions, foreign and domestic), and we get what we deserve.

Which highlights one of the flaws in a first past the post democracy. No reasonable voter is going to make this issue the single issue that flips them from a Republican to a Democrat or vice versa. The result is that both parties don't really care about it. If you had some type of ranked or proportional voting system, you could get a niche political party that actually makes things like this a priority.

> In a functioning democracy "they" is "us".

Leaving aside the question whether the US is a "functioning democracy"...

In a "functioning democracy", "they" is in fact very often not "us", by definition in fact, since every vote has winners and losers.

Plenty of stuff that I disagree with is electorally popular: unlimited police powers, extremely severe punishments for crimes, military intervention in foreign affairs, censoring of offensive speech, criminalization of victimless acts like drug use, cutting taxes, lack of restriction on CO2 emissions, and so on. I certainly don't define myself as part of any "we" that supports, or is implementing, any of that.

"The will of the whole Nation is expressed in the State" is an authoritarian idea, not a liberal democratic one.

We are living in a boring, yet somehow equally terrifying, dystopia.

Astonishing! I never thought for a moment this data would end up getting lifted!
