Hacker News new | past | comments | ask | show | jobs | submit login
A physical breach is a nightmare scenario for Capitol IT (twitter.com/jacobian)
316 points by rmason 9 days ago | hide | past | favorite | 167 comments

Another thread that I think offers some context a bit less 'scary' than this [1]. Most of the stuff the invaders could of had easy access to - eg in a Member's office - is not that important, consider what is leaked to the press strategically for politics every day.

I'd be more concerned about listening devices especially key committee Members and staff e.g. foreign relations LAs

I don't have firsthand knowledge of the non-classified working computers of Congress but maybe someone can confirm if IT used SolarWinds and their network is already compromised.

* also individual Member offices are treated basically like businesses in a lot of ways. e.g. the Member can contract/share hire their own IT helpers too. i can't find a source quickly but a few years ago remember the article about some guy working for a few Dems being a dumb ass

* * I'll also add that almost any US citizen can get a meeting inside a Member's office. A house member directly or with a staffer. I'm sure there are a ton of listening devices that metal detectors wouldn't find and that are quick to place surreptitiously


> almost any US citizen can get a meeting inside a Member's office

Indeed, most days you can just walk directly into any senator's or member's office. Maybe leadership has different rules, I haven't tested that, but I had no trouble strolling into Ron Wyden's office. So anything you can get through the building metal detectors (which really aren't very sensitive, they're just looking for weapons) you could take in and surreptitiously drop off.

I had no idea. I'd love to meet my reps, especially Wyden. They represent me so well I wouldn't really have anything to say, but it would still be a bucket list kinda thing.

You can walk into the office, but you won't get a meeting with Wyden if you aren't on the schedule. Instead, if you are a resident of the state, they'll have staff that will meet with you in a small conference room, take notes, maybe ask a few questions. These are typically fairly young intern types, so don't expect too much depth from them (in my experience, you're going to get some very naive questions if you bring up anything related to science/tech policy). They'll then tell you that you are being heard, thank you, and send you on your way. This is occasionally a useful thing to do, e.g. to bring attention to a niche issue, cause, or special interest that their office might not be aware of at all.

Definitely this. I would suggest you do some leg work to at least get in with a legislative assistant. The more prepared you are, the more you bring to the table, the more specific of an issue or ask, the more you will be 'heard' if you will.

Also most don't know your House Rep's office can help with way more than listening to complaints. They are very helpful. Case work, lots of student stuff (if you want to go to a military academy), maybe some grant stuff. But especially if you are having VA bureaucracy issues. There is budget for constituent services including Franking $ to reach out to their constituents. Members actually try here because it helps them win elections.

Wait, this is a thing that people actually do? I thought the "talk to your representative" thing Americans say was a polite way to tell people off.

It’s a thing in every democratic country – although usually, only few people actually use this, and those few tend to often be the rich.

If every now and then regular people would also use this right, we’d be able to change a lot.

Well, it certainly was a few decades ago when I was in my twenties. I was in Washington D.C. as tourist, walking around, seeing the sights. Having been educated in a typical U.S. public school of the time, I thought to myself, "Gee, as long as I'm here, I should visit my representative's office." The security situation was probably different then. I just wandered around the building, found his office, walked in, and announced myself as resident of his district. He wasn't physically there at the time, but I was welcomed and given a tour and chatted with a staffer.

I was nobody - just a kid - but I was voter.


An in-person meeting is the best way. If you figure that an e-mail is worth X, then a phone call is worth perhaps 100X, and an office visit is probably 10000X. Politicians do actually want to know what people care about, and the amount of work you do to get in touch definitely factors into how representative they think your opinion may be.

I've done it, but at my Representative's local offices back here, not in DC.

Talking to your representative is a basic civic duty.

Is there a way to follow up on the mentioned issues?

Make sure you write down the name of who you spoke to, and see if they'll give you their email address. Then you have way to follow up, either directly or by calling the office and saying you had spoken to so-and-so and wanted to follow up. Obviously the people you speak to can't promise much of anything, but if you bring up something that sounds important to them, they will do what they can to move it through the bureaucracy. Follow-ups can help keep it on the radar or make it more urgent. Obviously there are no fool-proof methods here (and congress is full of fools). And people don't like to say no, so you may need to read between the lines sometimes to figure out that they decided your requests were inconsistent with whatever political school of thought that representative subscribes to.

It's important to remember that nearly all of these offices are in other buildings across the street.

Yes, this is true. And they have practically no security compared to the Capitol. Though I have to say, once you get through the visitor center, the Capitol isn't really locked down very tightly, especially off-season.

One thing that's fun to do in DC, if you plan ahead, is get a White House tour. Sadly they don't let you see any of the west wing, but the rest is still pretty interesting, and the Secret Service agents are really cool. We had some really great conversations, they're extremely knowledgeable (and proud of it, too). I asked one of them how many steps he thought I could make it if I jumped the rope and headed for the staircase up to the residence, and he just chuckled. Funny thing is he'd probably not even bother tackling my fat ass, he'd just grab my arm and escort me out of the building. They were pretty proud of that, too -- the discipline they have and ability to use just enough force without going over the top. I was impressed with their professionalism. Not that it should be surprising, presidential protection is an elite detail.

I'm not so sure if it's less secure. Hart is the emergency space used on Wednesday. There's also way fewer entrances.

That's terrifying, knowing just how bad some of these people are with technology....

Yeah but how do you get your listening device to work over all the interference from the CIA listening devices?

> I'd be more concerned about listening devices especially key committee Members and staff e.g. foreign relations LAs

Or better yet, placing an annoyatron on key offices of members of the party you don't like.

Do those work on people over 70?

Is it though? I was having this discussion with a friend last night. If I were IT for the Capitol, I would already be operating under the assumption that all the clients are hostile.

There are constantly visitors to the Capitol, including foreign visitors who could easily be spies. Also, the Members themselves are often old, anti-tech, and not the kind of people who will remember to lock their screen when they get up. I would already assume Member computers are a huge attack vector, and act accordingly.

This person, who seems to have more intimate knowledge of capitol IT, also mimics the concern: https://twitter.com/neurovagrant/status/1346964347684179970

Here is why Foone thinks that “forgetting to lock the screen” is unlikely: https://mobile.twitter.com/Foone/status/1346924327996772354

Congress apparently doesn't use CACs, and the photo shown of the desktop shows no card reader to stick a card in.

The idea that a senior US Congressperson or Senator would have the same rules as some IT contractor is ludicrous.

Her password is probably password123 or some such nonsense too.

Security problems that begin with "the user had a weak password" are strictly the fault of IT nowadays. Every application and gateway should check password complexity and reject passwords on the top 1000 list. If password123 is allowed the IT director should be fired.

Password rejection rules are the primary cause of sticky notes with passwords under the keyboard/on the screen - and they are phishable, loggable, videoable and can be deduced from the keyboard click sounds.

2FA / 3FA is a minimum these days (and can be easier to use than a password)

Keyboard click sounds? I'm gonna need to see some kind of something for that. Sorry, it just sounds like something out of Eagle Eye, like that cup of coffee in that secure room the computer reads the waves on.

Standard rules for (Soviet) embassy staff during the cold war included writing secret documents with a pencil rather than a typewriter because the text might be deducible from the sound of the typing.

Of course the writing would also be done in a box suspended inside another room with white noise generators in the intermediate space, just in case the text might also be deducible from the sound of handwriting.

My source for that might be one of Viktor Suvorov's books.

Relevant Picture (from since deleted tweet - Interesting that the media is still accessible on twitter...)


I _believe_ this is where that picture originated from https://twitter.com/mikko/status/1346922681158000640?s=21

It almost looks like a photo that an employee themselves might take after being shown such an alert message.

> I would already be operating under the assumption that all the clients are hostile.

You can't operate assuming all computers in the Capitol are hostile. How are the members supposed to do work if their computers are assumed hostile? Why even give them computers then?

> I would already assume Member computers are a huge attack vector, and act accordingly.

What would "acting accordingly" look like for you in that example scenario you outlined.

You absolutely do assume that that network is hostile/compromised. There are a number of other networks in other places where more important communications are done. It's a giant PITA, and a lot of stuff leaks from Congress because most people believe that they are too important to have to keep things secure.

Being in Congress is not an automatic ticket to having all the country's secrets on your desktop, and things actually are compartmented quite heavily when necessary.

> Being in Congress is not an automatic ticket to having all the country's secrets on your desktop

I'm not suggesting that they have _all_ the country's secrets on their desktops, but surely the speaker of the house needs access to their emails on their desktop. Those are private, but without them, why even give the speaker a desktop at all?

The actual Members are in many ways, a bug of the system, and recent events have demonstrated that very clearly. Capitol IT probably puts them on a "Guest WiFi" and lets them surf Twitter without bothering anyone. The majority of the US government apparatus functions on a day-to-day basis without any input or functional oversight from anyone, and that is the so-called "Deep State" which in reality is the only reason anything works at all. Can you imagine the country if Donald Trump was functionally the CEO the way that Elon Musk is the CEO of Tesla?

They're going to have to rebuild from scratch anyway, this event has just made sure they do so.

Random visitors don't go into offices. They don't look into cupboards. They don't sit behind desk with computer.

I am a random nobody and I was able to waltz in to my congresswoman's office. Obviously I wasn't digging through the desk drawers, but it's not like I was closely observed while I waited for my congresswoman's secretary to get off her phone call

This is not similar to having 4 ours of unfettered access during a riot. They literally were digging in desk drawers, using the phone, leaving threats, carving hate speech into wooden doors, etc.

I once saw a citizen with a 6-shooter strapped to his hip at a Colorado county clerk's office peacefully fill out some paperwork for 5 minutes. What does this story tell us about what rioters did or didn't do while tearing up the capital building?

> I once saw a citizen with a 6-shooter strapped to his hip at a Colorado county clerk's office peacefully fill out some paperwork for 5 minutes. What does this story tell us about what rioters did or didn't do while tearing up the capital building?

1 minute of Googling tells me that Colorado is an open-carry state, and there is no specific exclusion for county offices, so unless this was in Denver or another municipality that prohibits open carry I don't see the relevance of your story to what happened in the Capitol.

That's his point. There's no comparison between entering the public part of an office during business hours and what happened yesterday.

But perhabs visitors like lobbyists, donors etc. could be often alone long enough with a computer to something bad. And don't forget all the viruses that tweet porn links.

I'm sure it happens. According to what I've seen on TV, all you need to do is stick a thumb drive in a laptop and utter the magic incantation "OK, I'm in" and you can either download the entire content of the network or implant a virus in the time it takes for someone to come back into the room.

Unlikely, given that it does not happen in commercial companies either and there no one particularly has reason to care.

Private companies are compromised by visitors every single day. Outsiders on-premise are one of the largest attack vectors after insiders.

This is why both the local network and endpoints are no longer trusted in security models.

How about staffers working for members from the other party? Yes, you'd expect a "gentlemen's agreement" not to do such things. You might not be wise to trust it, though...

I doubt there is anything like gentlemens agreement last 8 year's. Everyone was aware it is sociopaths run the place.

So I think other party stsffers are not trusted to be left alone.

"You will go to jail forever" and "You will be completely unemployable forever" are still two surprisingly effective deterrents against the vast majority of the population when they have a job.

There's lots of stuff you "could" do everyday, but the probability of getting caught is high, the ultimate impact to anyone else is low, and the severity of punishment immense.

All that changes quite significantly when even basic access control is lost and the building is overrun by unidentified belligerents for a few hours. I'm betting a number of foreign intelligence agencies were scrambling to see if they could take advantage usefully.

There's no "unemployable" for political crimes. It makes you more employable by the side you did the crimes to help.

And yet you still have to assume they might.

Authorized individuals have classified documents on Capitol hill computers, there have been many options available to support breaching a workstation given physical access for years.

In this event you don't even know if such authorized persons had time to lock their computers.

The author of the Twitter thread links to another thread towards the end that notes the risk of a classified information breach isn't too high.


Obviously that doesn't change the fact that the entire building should be considered compromised and scrubbed.

The last 5+ years of leaks from politicians should have taught us that something doesn't need to be classified to be highly damaging to both the individual and the nation.

Is it just me, or do some people have a fetish for catastrophe?

Greatly overestimating security impacts, the impacts of COVID, aggressive "new normal" lockdown proponents, militant preppers, etc.

Paradoxically, I think some might feel more secure when they are the messengers of chaos. I wonder if there's a psychological reasoning underneath.

I would counter and say that those who reacted most fervently to COVID were the quickest to recover and those who were most blasé and dismissive are paying the price. New Zealand went immediately to stage 4 “where you sleep tonight is where you must stay” and their efforts have been admired.

> I wonder if there's a psychological reasoning underneath.


A safe, regulated, mechanically functioning society day after day is boring as hell†. Catastrophe is one of the easiest changes to imagine and fantasize about. Which is probably also why dystopian cyberpunk is more popular than utopian sci-fi.

† If you don't get enough leisure time or have enough activities to fill it with.

I think what's truly missing is purpose and community, not leisure time although you may have left that implied.

Many want their life to be special, to be part of something bigger. Modern life can lack a sense of purpose and community, so even with infinite entertainment at our fingertips we still yearn for something deeper. Like you said, conspiracy or chaos can fill those desires. You get to be part of an "in-group" and be part of something bigger. Life just gets a bit more dramatic and interesting. Probably why cults can exist at all as well.

I used to wonder how anyone could be stupid enough to fall in with a cult, but after living a traditional modern 9-5 for a while I can totally see the hole that was missing that a cult, religion, conspiracy or commune would fill.

Humans are special because of our ability to forecast and run scenarios. You can "practice" dangerous situations in your mind -- a great tool to mitigate them if they arise!

This can go to an extreme, of course. People seek security by modeling everything, playing it all out, and trying to prevent bad things from happening.

It's normal human behavior that is supercharged by modern information overload.

> Is it just me, or do some people have a fetish for catastrophe?

Historically, having such fetish is what helped to prevent catastrophes.

The one person who almost got into an area where they really didn't want people was shot dead. This guy's acting like the rioters breached a SCIF or something. The Capitol building is (was, normally) open to the public.

Multiple computers belonging to congressmen/their aides have been reported accessed or stolen (https://thehill.com/homenews/senate/533162-merkley-says-capi...). Someone posted a picture of Nancy Pelosi's email client, stole mail and left a threatening note in her office. Other private chambers were vandalized (https://twitter.com/SenJeffMerkley/status/134703950452849868...). Can anyone really confirm that there were zero foreign agents among the thousands of rioters who accessed the building? Let's not pretend what happened was normal.

In that picture (1) it's actually an aid's computer that is unlocked. No chance Pelosi shares an office with someone six feet across from her.


The vandalized office you linked is... weird. Judging by the dirt on the carpet a sizeable horde stampeded through the office, some of them stayed long enough to put cigarettes out on a picture frame or something, and yet the destruction seems pretty limited.

I would have expected way worse, including fires.

It's not dirt, it's shit. The insurrectionists smeared shit around the Capitol buildings.

Using the term, insurrection, to describe what happened yesterday is belligerently misrepresenting what happened. If the protests over the last year were mostly peaceful, then Jan 6 really was the most peaceful of them all. I was there, we had more then enough people to mount a serious insurrection. From what I could see, the members of the protest were used by some anarchist group to commit a BNE. Most, IE, 99.9% of the protestors were not involved in the BNE, and a significant portion of the protestors were fighting back against the anarchists.

The media is not telling the truth about what happened.

No, insurrection is pretty accurate. They attempted sedition, and these people breaking in are domestic terrorists. Clear as day.

Just saying it over and over again doesnt make it any more real.

They delayed and tried to overturn a constitutionally necessary process of democracy with their violent intimidation. What is that of you have a better word for it than terrorism and insurrection.

What happened meets the dictionary definition of an insurrection completely. It did not appear to be an armed insurrection or an attempted coup, would be difficult to file under terrorism, and sedition will be very challenging to prove, but "insurrection" is definitely the correct term to describe what happened.

> would be difficult to file under terrorism

"Terrorism: the unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims."

I dunno man, the attackers had flashbangs, zip ties, molotovs... If the building had to be evacuated, then I'd say it counts as intimidation. It was certainly in pursuit of political aims.

I think this counts.

I wasn't there, but the images I've seen don't seem to demonstrate much violence and very little intimidation on the part of the insurrectionists. I see a lot images of people wandering around inside the building taking selfies and acting like tourists (albiet often poorly-behaved ones going places they shouldn't). In hindsight the evacuation was probably overkill but I acknowledge it was probably the best reaction to a clear and present danger.

Like I say, it would be difficult to file under terrorism. You're welcome to try.

I think it's an interesting discussion topic.

The people showed up with molotovs, flashbangs, and zipties. That's intent to intimidate, even if the residents managed to get evacuated before we could prove that they weren't just comfort props from people who were merely cosplaying as terrorists.

Here's a copy/paste legal definition where I removed a lot of extraneous examples:

> Under federal law, the activity or attempted actions which could fall under terrorism charges include:

> government official kidnapping;

> arson or bombing property;

> use of explosives;

> attacking a federal facility;

> conspiracy to murder, kidnap, or maim;

> take a hostage;

> bombing public places;

I mean, they brought molotovs and bombs. And zipties. I'd say an attempt was made.

Then of course there's the fact that one of them murdered a cop by bashing his head with a fire extinguisher.

Not siding which way on the terrorism debate, but have to comment on the:

> the images I've seen don't seem to demonstrate much violence and very little intimidation on the part of the insurrectionists

And say you must not have watched any of the videos then.

Here's one example: https://apple.news/AZER7Cgj_RceFCKp74T_oDw

They were armed with spears, guns, pipe bombs, and zip ties (for kidnapping/disabling people)

Trump supporters think that was a protest in the same way they think Donald Trump is a successful business man.

Not normal, not good. Will cause issues for sure. But those computers did not have access to classified information.

There are lots of things to be concerned about besides classified information - such as emails and personal files of congress members and staffers - but even further it's not just what you can get off of the computer, it's what you can put on it.

> such as emails and personal files of congress members and staffers

All of which is not of national security concern and most of which is already subject to public access via foia

Can I get a senator's passwords to Facebook and Twitter from a FOIA? no? Ok, what about a key logger on his/her staff computer?

I'm sure Windows Defender will take care of that!

Ignoring the potential for harvesting credentials and then abusing reused creds, the ability to send emails from a congressional email account is a disaster in and of itself. Imagine if someone sent out an email from Nancy Pelosi's email account validating Q Anon theories for example. Good luck ever walking that back.

> But those computers did not have access to classified information.

Got a source for that? You really think a sitting Senator's laptop has zero useful data for a foreign government, or even the opposition party? Heck his browser history or synced texts could have enough blackmail material.

Useful data != Secret/TS data. If there is any Secret/TS data on these systems, there's already been a security breach and yesterday wasn't special. Unclassified systems are often assumed unsafe/breached to begin with.

I don't disagree, however... human beings can be lazy, short-sighted or take short-cuts. I wouldn't put it past someone to keep something where it shouldn't be, intentionally or by accident.

I don’t think you understand how difficult it would be to get classified information on your unclassified laptop and there isn’t a chance in hell you could do it by accident

You write an email that references something you read in a classified briefing?

Nancy Pelosi is part of the Gang of Eight - https://en.wikipedia.org/wiki/Gang_of_Eight_(intelligence) which is briefed on National Security matters by the Executive Branch (this is top secret, special forces operations style stuff).

That's actually how a lot of real-world classified data leak incidents happen. Either someone records a classified fact/detail on an unclassified system through carelessness or lack of caution, or compiles a set of facts that are (in aggregate) classified but individually unclassified.

The latter can be particularly pernicious as it's hard to know the aggregate classification. I may be able to say in separate contexts "The XF-42 is capable of exceeding 1200 nautical miles per hour" and "The XF-42 is capable of flying in excess of 60k feet" but placing the two facts together can actually be classified (in practice, usually more than two details).

This seems nonsensical -- why are the sum of the parts more classified than the individual?

If I put together a long list of facts about the XF-42, it's classified, but if I separate each item onto a different page and tell someone else how to recompile the information (eg page numbers), it's fine?

I can't imagine a scenario where this model makes sense -- ignoring absurdities like classifying basic facts (sky is blue) and words (help) due to cascading classification.

It seems to me the rule should be that of poisoning -- any information in a document with classification X poisons the rest of the document to the same classification; or rather, a document classification is the maximum of its children

My example probably wasn't the best as too much is already given away. It's more like this:

- We have a manned aircraft

- We have an aircraft that can travel above 60k feet

- We have an aircraft that can sustain or exceed Mach 8 (EDIT: strike this part as it connects two facts already: "at that altitude")

- We have an aircraft called the XF-42

- We have an aircraft based in Middle-Of-Nowhere, AZ

- We have 10 operational aircraft of some specific type

Any one (EDIT: or all) of those details may be unclassified, but as you start pairing them up classified information can be derived from it. Note that in this, somewhat better, example only one item identifies the aircraft (rather than my initial example in which both items identified it).

Publicly it may be known that an XF-42 exists, even where it's based, and that there are only 10. Publicly it may be known that an aircraft exists which is manned, travels above 60k feet and over Mach 8. But the two sets of data may not be joined in public because that would give more information than desired (in particular, that there are only 10 indicates a limit on the capability of the mystery superfast and high altitude aircraft).

EDIT: Regarding some of your other comments.

If I spread the information out and tell you how to reconstitute it so you can make a cohesive whole, I've just obfuscated the classified information which is the same as leaking it straight up.

Regarding "poisoning", this is how it's done. If you have a document with TS data, the document is TS even if it's a single line item surrounded by unclassified data.

Fact A and Fact B are unclassified for the XF-42. But combining Fact A and Fact B implies Fact C, which is classified. Separating each item on a different page wouldn't make the whole thing unclassified. It'd make the entire report classified. One of the facts, if not both of them, would likely be controlled information, even if unclassified, in order to reduce the likelyhood of Fact C leaking.

Example: the XF-42 has a jammer builtin. The output of the jammer is classified. But the amount of power available from the generator is unclassified, as is the percentage of power used by the jammer. Individually, either of those facts doesn't help, but together they tell you how much power the jammer has, which can help our adversaries figure out how much power they need to burn through the jamming.

That said, if any fact is classified, that by itself will make the document it's in at least that classification.

EDIT: to use your poisoning example. If it's a poison, it makes the entire thing poisoned. But there are binary poisons. Two things together make a poison, even if neither alone is (very) poisonous.

I’ve never seen exactly what they are talking about but what they may be getting at is actually information compartmentalization - group A can know fact A and group B can know fact B but neither group can know AB. Some higher up official can know AB but must keep those facts separated in documentation because they may share portions with the groups. Having said that - both A and B are classified. You can’t have unclassified compartmentalized info.

Just wondering as I have no special knowledge, but suppose I am a senator and I receive a number of classified briefings on a particular issue.

Could I use Outlook to take some notes on my thoughts on that issue? Say as a draft e-mail? I don't think there would be anything technical to stop me, and it's not going to set off any automatic exfiltration flags.

But those notes could very well need to be classified. Does everyone in the Capitol with access to classified material have the necessary skills and incentives not to make notes about them on their personal computer?

If you are receiving a classified briefing you cannot be on a machine that has internet access - the briefing would be in a secured area with no personal devices and the only machines in that area are airgapped (and they are airgapped forever, no switching back and forth).

You could of course write stuff down afterwards in an unsecure place but that is day 1 essential huge fucking deal no no. You don’t even discuss classified info outside a secure area, not in your public office not in the outback not ever. That doesn’t mean people don’t do it but when they do and it is found out it is a really big deal. Accidents do happen and there are protocols in place to deal with them when they occur. 99.9% of these leaks are extremely mundane low tier classification and are due to document misclassification etc. Sometimes the name of a project is classified and is leaked by reference etc but when it comes to actual important stuff people are quite competent at keeping that in secure areas.

Though of course all those rules are subject to Trump's Law: "When you are a star they let you do it".

A random member of the military or the administration would go to jail for a long time, a senator especially from the same party as the president would get away with it with impunity.

>Does everyone in the Capitol with access to classified material have the necessary skills and incentives not to make notes about them on their personal computer?

Access to classified information comes with training on properly handing classified information.

Mishandling classified information is a crime if you have a security clearance

I know a lot of people who worked for members of Congress and a few who do now. Computers sitting on desks in regular Congressional offices do not have access to classified materials. Most members of Congress or their staff do not have access to classified material at all.

There is a lot of private information on those computers, though, and the biggest risks there are the use of that info to harass staff and/or manipulation of it to feed conspiracy theories (see: Pizzagate).

Blackmail material is extremely unlikely since these are all government computers and everyone who works there knows they are subject to oversight.

There's a difference between the personal data you mentioned, which is on all of our computers, and actual classified information.

You'd have to reimage all those computers for sure.

This is something that surprises me about the whole thing. Wouldn't the chambers full of Very Important People who are presumably targets of many an angry/deranged person be among those highly sensitive areas? When I heard that these people were breaking down barriers and potentially storming the Capitol building, I thought surely they would stop as soon as they foolishly approached the chambers and started getting shot dead. When I was so much as standing across the street from the White House, where all the protesters hang out, I assumed I basically had a red dot on my head, so I should be careful what I do.

They are representatives to people and basically shake hands and kiss babies for a living. They can’t be isolated.

Obviously, the security services stood back and had high level direction to do nothing. They left a few capitol police flapping in the breeze and the cavalry (national guard, other law enforcement) never showed up.

I work near a VA hospital, and a few years ago a deranged man was running around the grounds with a machete and what looked to be a rifle. They activated their protocol and within 10 minutes mutual aid (Federal Protective Service police, State Troopers, local PD were on site.

That didn’t happen. I hope Biden purges the top layers of career management in those police agencies as well as the commanders of the National Guard. They failed the nation.

The leadership of the police agencies involved should absolutely be investigated.

The National Guard, on the other hand, you seem to be misinformed about its status. Most of us work regular ass jobs full time just like everyone else here and we're lucky to get 1/3 of our unit strength to report within a few hours. Plenty of service members don't even live in the same state where they are in the Guard, especially on the East Coast. Then it takes time to make a plan, organize, issue equipment, load/prep vehicles, and roll out.

Finally, NG commanders can't just choose to deploy somewhere on their own because there's an emergency. It has to be authorized by the state governor. I don't know how it works exactly for DC though. The Secretary of the Army was part of a press briefing Wednesday announcing NG deployment, but the NGs for the 50 states aren't part of the Department of the Army, but rather the states and the National Guard Bureau until mobilized under Title 10 authority (not a drop of the hat thing). Maybe the DC Guard is under some direct Executive Branch control which in this case would be bad news, because look who was more than happy to have the Capitol overrun.

I’m talking about the people at the top, not the guardsmen, who were activated iirc.

There are credible reports of a vacuum in terms of communication or response from the pentagon guard brass. Seems unusual that you have a insurrection at the Capitol and the governor of New Jersey is activating people, sending State Troopers, and trying in vain to reach someone in the Pentagon.

I think we are interpreting the term "Commanders" differently then. (Speaking about the Army NG) we have Commanders (who exercise command authority) at every level all the way from Company (60 to 300 soldiers) up to Division (10K to 15K soldiers).

The difference is the Governor of New Jersey directly controls the NJ National Guard. I have no doubt there was confusion about activating the DC Guard, as your sibling reply points out, the President is the Commander in Chief of the DC Guard. However, I doubt the Adjutant General of the DC Guard reports directly to the President, so for sure there was confusion in whatever layers of bureaucracy there are, and of course, the President wasn't exactly helpful in responding to the situation quickly or at all.

It's worth also pointing out that a big issue with National Guard mobilizations is funding. Since service members aren't on salary like the active component, then there has to be money set aside to pay SMs for their activation, someone has to decide which pot of money it's going to come from, authorize its use, etc, etc. It takes time.

In the case of DC (since Posse Comitatus doesn't apply), the capital would be better off having troops from the active component to draw on for emergencies.

> Maybe the DC Guard is under some direct Executive Branch control

Indeed it is. Since DC has no governor, the US president is the CINC of the DC National Guard.

Hence it is particularly damning that while the DCNG was activated two days in advance as the terrorist threat to DC became evident, the White House did not give the go-ahead for them to come to the aid of the Capitol Police.

Apparently this permission eventually came late in the day after events were already under control, reportedly conveyed by the Pentagon on orders of Pence rather than Trump.

That story is inaccurate speculation - it is not possible for the VP to issue orders to the military in any scenario unless the President is dead or has been removed from office. The military would disregard any such orders.

Secdef could issue those orders in POTUS’ name, he likely has the delegated authority to do so, but the VP is not in the chain of command and has no authority.

> The one person who almost got into an area where they really didn't want people was shot dead.

Wait, what is the context on this? I saw the footage once before I knew she died. It honestly looked like law enforcement with guns coming up the stairs, and it looked like a crowd of people, not a woman acting alone. What area of the building was that that was extra-sensitive?

EDIT: I see now, other angles are easy to find. Trying to climb through a blockaded entry point as guns were already pointed at her...

It was at the locked corridor barrier to the Speakers Lobby which adjoins the House Chamber. Rumors that Pence was there and it was Secret Service haven't been confirmed; he had been in the Senate chamber and Secret Service had evacuated him, so it's unlikely he would end up on the House side in a poorly secured area. News reports indicate it was simply Capitol Police, possibly someone associated with the House Sgt at Arms since they have an office somewhere around there.

I guess the woman, despite being a veteran (Air Force... why is it the Air Force has so many crazy people?), was so caught up in LARPing that she couldn't rationally evaluate that this was the last meaningful barrier to the House chamber and they might have more liberal rules of engagement or someone might panic and overstep their RoE to prevent an unauthorized mob from entering. If she'd climbed through, she could have opened the door to the mob.

On the other hand, I can see the argument that shooting her was an absurd overreaction. There were armed capitol police who had just come up the stairs behind her and that group of protesters, and they were doing nothing. The news reports that the justification for the shooting was that she might have been armed, but if that's really their rationale, it's a bad one. They should have retreated to the main chamber, because they weren't in a good tactical position, trying to defend a barrier with windows large enough for people to climb through. In addition, no such resistance was offered on the Senate side. When you're outnumbered that badly, unless you have special training like the Secret Service would, and plenty of ammo, you're not going to accomplish anything by shooting anyone, unless they are overtly threatening people such that you think you're going to die or be taken captive anyway.

I don't think Capitol Police are legally at fault in any way for her death, but I think they did the wrong thing there.

I'm hesitant to speculate too much before there's been an investigation, but I believe the shooting took place when there were still a number of congresspeople in the gallery of the house chamber, and she appeared to have a large backpack on that obviously didn't go through security screening.

I can imagine the Capitol Police being worried that something very bad could happen if she was allowed to breach the barrier and run into the chamber.

According to that huffpost reporter, they were still in the chambers at that moment, and the shooting was less than 20 feet away.

The video footage from inside the chambers at the time of the shooting showed people were still in chambers, mostly up in the second floor gallery, but a few on the floor.

I don't have a good phrase for people that willfully chose to believe something deranged. But believing that plainclothes security is going to let a mob get their hands on a congressman, that's it.

I agree with you, these folks charging through the Capital and expecting to get away with it were completely deranged.

She was carrying a backpack and attempting to breach a security perimeter.

It’s a good shoot pretty much no matter what else at that point. The police officer can reasonably defend that perimeter with deadly force.

Regrettable that it came to that, no one wants to see anyone due, but if you don’t want to get shot don’t go to a riot.

not sure the office computers are typically accessible to public

now they gonna check everything for possible keyloggers or whatnot

and theres no way of knowing if any computer was left unlocked and might have had something installed on it

At least one protestor claimed he found an unlocked computer. Up to others to verify if that claim is accurate.


Windows-L is the keyboard command to lock on Windows. I strike it by habit every time I get up from my chair.

He can explain it himself when he's trying to bargain a shorter prison sentence with prosecutors.

Super-L is the keyboard command to lock on Gnome. The super key is called the windows key on Windows :-)

Best way I found is to set a "hot corner" that will lock the computer once the cursor is moved there

Easier than typing a key combination

I had that at one point, but on Windows, with a high resolution screen and maximized windows there are too many useful operations dangerously close to every corner.

Some folks at my office have ID cards that need to be inserted to operate the computer (it locks when the card is removed from the reader). The smart ones have attached the card to their belt so that when they walk away, the card goes with them and the computer locks.

"Hi Representative Foo, I have a presentation on the USB stick here I'd like to show you, mind if I plug it in?"

"I just need to download the presentation from my website, can I use your computer real quick?"

Do you really think an 80 year old anti-tech representative would even consider that a problem?

I'd have to assume the computers are already protected from that attack vector.

Edit: I'm getting a lot of downvotes without replies, which makes me thing people don't agree with this. I wonder, how many have actually worked in corporate IT security for a non-tech company with older employees? Because things like this definitely happen on a daily basis.

Case in point: Pelosi's screen was unlocked when that guy sat down, which was at least 20 minutes after she left. That means that not only does she not lock her screen when she gets up, but the screen saver doesn't even auto-lock after 20 minutes.

Forget older employees, just employees. And I've seen enough poor security practices by 20 somethings at tech firms to have any faith in any user. Favourite example I've seen in several companies including one doing extremely sensitive work - senior devs with root access to the jewels of the kingdom doing pair programming on their own machines with interviewees / interns / new staff and leaving the computer unattended and unlocked to pop to the loo, grab a coffee, or let the junior work something out on their own.

its nice of you to assume the tech staff on the hill are any younger than 80yo reps themselves

i worked for a long while in various near-it jobs before transitioning to my current position in cyber /devops

i am quite sure that non-technical office security is crap under the best of circumstances

and that before a bunch of yahoos start rampaging around it

at least the employees know they are being tracked and easy to find ,pass security clearance and probably are not the dumbest of people

whereas Trump lot were obviously idiots,and under an impression they would not be persecuted

i dont see why some foreign actor couldnt pay one or more of them to install something or other

There's at least one photo of the screen of an unlocked laptop, with a security warning popup in the corner suggesting evacuation.

Yep, the important rooms would not accidentally be left accessible, even in a situation like what happened yesterday.


In the video I saw of the person who got shot, it looked like she was climbing into a room that already had both police and other rioters inside - is that incorrect? I’ve also seen pictures of people inside Pelosi’s office, including on her unlocked computer with emails displayed (albeit I assume these weren’t confidential - the only one mentioned was about the security breach).

> The one person who almost got into an area where they really didn't want people was shot dead.

The videos showing her get shot had several police in the area and they never looked like they were very interested in protecting that area before she was shot.

Difference between the Secret Service and Capitol PD.

Last I heard, it still had not been determined who shot her. What makes you think the Secret Service was involved? They don't typically protect Congress.

The guy that shot her was wearing a suit without any clear badging. This looks like Secret Service who may have been on VP Pence detail.

[Viewer discretion advised]





Secret Service protect high-profile Congressmen and Senators. For example: Former first-ladies, presidential candidates, and others as appropriate. Hillary Clinton, for example, had an entourage of secret service agents wherever she went, including in the Capitol. Same with Obama leading up to the election.

TLDR: It's likely there are secret service members in the Captiol at any given time.

It does seem to have been a plainclothes USCP officer per new reporting. I had read possibly erroneous reports that he was part of Pence's detail.

Maybe someone can answer this for me:

having worked for the US gvt, though not in legislature or dept of state, PIV cards were always required to access a gvt machine, and leaving your PIV inserted while absent from the room was, in theory, a serious offense.

Are congress critters and others not required to use ID cards when accessing gvt networks?

Different agencies have different IT systems at the federal level. The PIV cards used by the DOD and some other departments are not universal within the executive branch, and the legislative and judicial branches manage their own IT systems (sometimes still managing it locally rather than having any kind of centralized system). Government IT is very much a set of feudal territories still and many of them are not well or consistently managed.

The rules for the executive branch are fairly rigorous. The legislative branch, not so much. There's a huge difference in scale: the executive branch employs some 4 million folks, the legislative branch just 35K.

Just the picture of Pelosi's desktop indicates there's no automatic screenlock, which is a fairly low bar as controls go.

It wasn't Pelosi's desktop, it was her scheduling assistant's. You can clearly see his name on the Outlook inbox.

Not that it's much better, but it is still an important clarification.

My understanding is that each legislator is like an independent client and is able to run basically whatever IT they want as far as the unclassified (yet still sensitive of course) stuff goes. Given that, I'm betting the shared IT group is basically just recommending best practices and hoping people are listening.

What wag decided on that acronym that exactly overlaps a far more prurient one?

I'm not sure you can say no to senator who wants stuff changed?

Access to the Capitol isn't very restricted. People who are handling top secret information know that very well; that said, plenty of personally compromising information can usually be found on any given personal computer.

Obviously all computers left around in offices should be considered unsafe. Confidential information may have been leaked.

But Capitol has SCIF's for storing top secret information and committee meetings that deal with classified information. You can't bring your own laptops or even phones to them.

This is a nightmare no doubt, but the IT security angle is so far down the list of concerns it's not even visible. If every machine, piece of infrastructure and password has to be changed, every log audited by a hundred people for a year?

Tiny damage in comparison in context.

I am reminded of Watergate, which I think a lot of people don't realize was about planting wiretaps in the Democratic National Committee headquarters. It led to Nixon's resignation and it has left us with a legacy of adding "-gate" onto the end of all kinds of things (a la "GamerGate").

As a child, I knew Watergate was a scandal that impacted the presidency. I think I was an adult before I learned it involved wiretapping. I remember being rather surprised to learn some of the details as an adult.


I've seen a lot of this kind of concern, but people should keep in mind that the capitol is already a semi-public space, and is treated as such. The devices I'd really worry about if they were compromised are people's personal phones, which presumably they had on their person.

A note for context: a friend of mine who works in the capitol brought me along one day and asked me to wait in the minority leader's antechamber (a large room like a hotel conference room) for a few minutes while a vote was called. There were various bits of CAT-5 sticking out of the wall and I was unsupervised for nearly a half hour. Various people came and went and paid me no heed. I can't imagine I'm the first or last person to have been in that situation.

TL;DR special secure facilities exist for a reason. The Capitol is used to randos.

This is a tad ironic. It's like backhandedly saying "we're so great that foreign nations wouldn't miss a chance to spy on us" but at the same time this great nation allowed its Capitol building to be ravished by a group of citizens. There are infinitely bigger concerns about this event than what this thread presents.

I’d assume they were already bugged. Also, whose to say all of the new equipment they replace it with won’t be bugged?

And why do they even need offices in the capitol building at this point? Everything could be done online.

I think the thread model is a bit off, in that all the "real secrets" are sadly with the executive branch.

However, if congress can learn a bit about the pitfalls of commonplace devices, that would be nice.

Are there security cameras? If so (assuming footage wasn't tampered with), then you can maybe narrow down the locations where people actually did have physical access.

They need to toss everything and start again. Safer, and probably faster. But I expect they'll just turn back on and resume using everything not ruined by piss.

The previous non-violent protests over the last few years that took place in the Capitol also had protesters present in all of the same places, including the chambers.

As such this is not a new situation, but it's interesting that devious motives are attributed when the protester has a particular set of politics, or because they were successful in breaking past security whereas previous protesters attempted and failed.

They can't sign emails without PKI right?

Officially yes, but the use of S/MIME signed email in the federal government is minimal/non-existent beyond a few instances.

Not exactly true I've worked for several very large agencies that use encrypted and/or signed email extensively

Hey! They used it on The X-Files. I've got proof. (Joke)

Doesn’t the Capitol have those controlled access rooms that Congress had to use to access evidence concerning Trump’s impeachment (I forget the exact name of the rooms)?

Given that Congress was recently sworn in, there probably was nothing just lying around, but that is the sort of physical evidence that would be especially sensitive and embarrassing to leak.


Seriously? You are really asking the government to disappear people?

Just do the trial and sentencing in a manner as obscure as possible to avoid any publicity because it will only add to the hype.

I think we are fast approaching the point where the whole concept of "society" will have to be abandoned...

Heaven forbid someone front runs the trades of Congress.

Does anybody remember when Bradley/Chelsea Manning released ~hundreds of thousands of classified diplomatic cables? I seem to remember that most of the tech world at the time thought that was awesome. I wonder why this time they're clutching pearls about how scary and terrible this could be.

> I wonder why this time they're clutching pearls about how scary and terrible this could be.

Most of the readers here know quite a few things about system administration and/or IT security. As I read this thread, most comments only discuss the IT security implication or express sympathy for the poor souls that will need to clean up this mess; there's hardly any discussion about the morality of possible leaks.

Four 5seconds until their contents was clear.

It was initally assumed to be a leak on moral grounds. And ended up just putting a lot of people in danger, and disrupting international diplomacy.

I dont think many who know the details support the leak.

No human was physically harmed as a result of Manning's leaks. If there had been, such a person would have been mourned in the USA war media for months.

Your recollection does not comport with my own. A lot of sensitive classified information was leaked, a good deal of it having nothing to do with warrant-less wire-tapping, etc.

Since you're bringing up Manning but not mentioning Snowden, and also helpfully dead naming her in case we were confused, we can assume you're not bringing this up in good faith but as a slanted whataboutism.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact