I'd be more concerned about listening devices, especially for key committee Members and staff, e.g. foreign relations LAs.
I don't have firsthand knowledge of the non-classified working computers of Congress but maybe someone can confirm if IT used SolarWinds and their network is already compromised.
* Also, individual Member offices are treated basically like businesses in a lot of ways, e.g. the Member can contract/share hire their own IT helpers too. I can't find a source quickly, but I remember the article a few years ago about some guy working for a few Dems being a dumb ass.
* * I'll also add that almost any US citizen can get a meeting inside a Member's office. A House member directly or with a staffer. I'm sure there are a ton of listening devices that metal detectors wouldn't find and that are quick to place surreptitiously.
Indeed, most days you can just walk directly into any senator's or member's office. Maybe leadership has different rules, I haven't tested that, but I had no trouble strolling into Ron Wyden's office. So anything you can get through the building metal detectors (which really aren't very sensitive, they're just looking for weapons) you could take in and surreptitiously drop off.
Also most don't know your House Rep's office can help with way more than listening to complaints. They are very helpful. Case work, lots of student stuff (if you want to go to a military academy), maybe some grant stuff. But especially if you are having VA bureaucracy issues. There is budget for constituent services including Franking $ to reach out to their constituents. Members actually try here because it helps them win elections.
If every now and then regular people would also use this right, we’d be able to change a lot.
I was nobody - just a kid - but I was a voter.
An in-person meeting is the best way. If you figure that an e-mail is worth X, then a phone call is worth perhaps 100X, and an office visit is probably 10000X. Politicians do actually want to know what people care about, and the amount of work you do to get in touch definitely factors into how representative they think your opinion may be.
One thing that's fun to do in DC, if you plan ahead, is get a White House tour. Sadly they don't let you see any of the west wing, but the rest is still pretty interesting, and the Secret Service agents are really cool. We had some really great conversations, they're extremely knowledgeable (and proud of it, too). I asked one of them how many steps he thought I could make it if I jumped the rope and headed for the staircase up to the residence, and he just chuckled. Funny thing is he'd probably not even bother tackling my fat ass, he'd just grab my arm and escort me out of the building. They were pretty proud of that, too -- the discipline they have and ability to use just enough force without going over the top. I was impressed with their professionalism. Not that it should be surprising, presidential protection is an elite detail.
Or better yet, placing an annoyatron on key offices of members of the party you don't like.
There are constantly visitors to the Capitol, including foreign visitors who could easily be spies. Also, the Members themselves are often old, anti-tech, and not the kind of people who will remember to lock their screen when they get up. I would already assume Member computers are a huge attack vector, and act accordingly.
Her password is probably password123 or some such nonsense too.
2FA / 3FA is a minimum these days (and can be easier to use than a password)
Of course the writing would also be done in a box suspended inside another room with white noise generators in the intermediate space, just in case the text might also be deducible from the sound of handwriting.
My source for that might be one of Viktor Suvorov's books.
You can't operate assuming all computers in the Capitol are hostile. How are the members supposed to do work if their computers are assumed hostile? Why even give them computers then?
> I would already assume Member computers are a huge attack vector, and act accordingly.
What would "acting accordingly" look like for you in that example scenario you outlined?
Being in Congress is not an automatic ticket to having all the country's secrets on your desktop, and things actually are compartmented quite heavily when necessary.
I'm not suggesting that they have _all_ the country's secrets on their desktops, but surely the speaker of the house needs access to their emails on their desktop. Those are private, but without them, why even give the speaker a desktop at all?
I once saw a citizen with a 6-shooter strapped to his hip at a Colorado county clerk's office peacefully fill out some paperwork for 5 minutes. What does this story tell us about what rioters did or didn't do while tearing up the Capitol building?
1 minute of Googling tells me that Colorado is an open-carry state, and there is no specific exclusion for county offices, so unless this was in Denver or another municipality that prohibits open carry I don't see the relevance of your story to what happened in the Capitol.
This is why both the local network and endpoints are no longer trusted in security models.
So I think other party staffers are not trusted to be left alone.
There's lots of stuff you "could" do everyday, but the probability of getting caught is high, the ultimate impact to anyone else is low, and the severity of punishment immense.
All that changes quite significantly when even basic access control is lost and the building is overrun by unidentified belligerents for a few hours. I'm betting a number of foreign intelligence agencies were scrambling to see if they could take advantage usefully.
In this event you don't even know if such authorized persons had time to lock their computers.
Obviously that doesn't change the fact that the entire building should be considered compromised and scrubbed.
Greatly overestimating security impacts, the impacts of COVID, aggressive "new normal" lockdown proponents, militant preppers, etc.
Paradoxically, I think some might feel more secure when they are the messengers of chaos. I wonder if there's a psychological reasoning underneath.
A safe, regulated, mechanically functioning society day after day is boring as hell†. Catastrophe is one of the easiest changes to imagine and fantasize about. Which is probably also why dystopian cyberpunk is more popular than utopian sci-fi.
† If you don't get enough leisure time or have enough activities to fill it with.
Many want their life to be special, to be part of something bigger. Modern life can lack a sense of purpose and community, so even with infinite entertainment at our fingertips we still yearn for something deeper. Like you said, conspiracy or chaos can fill those desires. You get to be part of an "in-group" and be part of something bigger. Life just gets a bit more dramatic and interesting. Probably why cults can exist at all as well.
I used to wonder how anyone could be stupid enough to fall in with a cult, but after living a traditional modern 9-5 for a while I can totally see the hole that was missing that a cult, religion, conspiracy or commune would fill.
This can go to an extreme, of course. People seek security by modeling everything, playing it all out, and trying to prevent bad things from happening.
It's normal human behavior that is supercharged by modern information overload.
Historically, having such a fetish is what helped to prevent catastrophes.
I would have expected way worse, including fires.
The media is not telling the truth about what happened.
"Terrorism: the unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims."
I dunno man, the attackers had flashbangs, zip ties, molotovs... If the building had to be evacuated, then I'd say it counts as intimidation. It was certainly in pursuit of political aims.
I think this counts.
Like I say, it would be difficult to file under terrorism. You're welcome to try.
The people showed up with molotovs, flashbangs, and zipties. That's intent to intimidate, even if the residents managed to get evacuated before we could prove that they weren't just comfort props from people who were merely cosplaying as terrorists.
Here's a copy/paste legal definition where I removed a lot of extraneous examples:
> Under federal law, the activity or attempted actions which could fall under terrorism charges include:
> government official kidnapping;
> arson or bombing property;
> use of explosives;
> attacking a federal facility;
> conspiracy to murder, kidnap, or maim;
> take a hostage;
> bombing public places;
I mean, they brought molotovs and bombs. And zipties. I'd say an attempt was made.
Then of course there's the fact that one of them murdered a cop by bashing his head with a fire extinguisher.
> the images I've seen don't seem to demonstrate much violence and very little intimidation on the part of the insurrectionists
And say you must not have watched any of the videos then.
Here's one example: https://apple.news/AZER7Cgj_RceFCKp74T_oDw
All of which is not of national security concern and most of which is already subject to public access via FOIA.
Got a source for that? You really think a sitting Senator's laptop has zero useful data for a foreign government, or even the opposition party? Heck his browser history or synced texts could have enough blackmail material.
Nancy Pelosi is part of the Gang of Eight - https://en.wikipedia.org/wiki/Gang_of_Eight_(intelligence) which is briefed on National Security matters by the Executive Branch (this is top secret, special forces operations style stuff).
The latter can be particularly pernicious as it's hard to know the aggregate classification. I may be able to say in separate contexts "The XF-42 is capable of exceeding 1200 nautical miles per hour" and "The XF-42 is capable of flying in excess of 60k feet" but placing the two facts together can actually be classified (in practice, usually more than two details).
If I put together a long list of facts about the XF-42, it's classified, but if I separate each item onto a different page and tell someone else how to recompile the information (e.g. page numbers), it's fine?
I can't imagine a scenario where this model makes sense -- ignoring absurdities like classifying basic facts (sky is blue) and words (help) due to cascading classification.
It seems to me the rule should be that of poisoning -- any information in a document with classification X poisons the rest of the document to the same classification; or rather, a document classification is the maximum of its children
- We have a manned aircraft
- We have an aircraft that can travel above 60k feet
- We have an aircraft that can sustain or exceed Mach 8 (EDIT: strike this part as it connects two facts already: "at that altitude")
- We have an aircraft called the XF-42
- We have an aircraft based in Middle-Of-Nowhere, AZ
- We have 10 operational aircraft of some specific type
Any one (EDIT: or all) of those details may be unclassified, but as you start pairing them up classified information can be derived from it. Note that in this, somewhat better, example only one item identifies the aircraft (rather than my initial example in which both items identified it).
Publicly it may be known that an XF-42 exists, even where it's based, and that there are only 10. Publicly it may be known that an aircraft exists which is manned, travels above 60k feet and over Mach 8. But the two sets of data may not be joined in public because that would give more information than desired (in particular, that there are only 10 indicates a limit on the capability of the mystery superfast and high altitude aircraft).
EDIT: Regarding some of your other comments.
If I spread the information out and tell you how to reconstitute it so you can make a cohesive whole, I've just obfuscated the classified information which is the same as leaking it straight up.
Regarding "poisoning", this is how it's done. If you have a document with TS data, the document is TS even if it's a single line item surrounded by unclassified data.
Example: the XF-42 has a jammer built in. The output of the jammer is classified. But the amount of power available from the generator is unclassified, as is the percentage of power used by the jammer. Individually, either of those facts doesn't help, but together they tell you how much power the jammer has, which can help our adversaries figure out how much power they need to burn through the jamming.
That said, if any fact is classified, that by itself will make the document it's in at least that classification.
EDIT: to use your poisoning example. If it's a poison, it makes the entire thing poisoned. But there are binary poisons. Two things together make a poison, even if neither alone is (very) poisonous.
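The two rules argued over in the comments above (a compilation is at least as classified as its most sensitive fact, and some facts are only sensitive in combination), sketched as an added example that is not part of the thread. The fact names, the levels assigned to them and the aggregation rules are constructed from the thread's hypothetical XF-42 and are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class AggregationRule:
    """A 'binary poison': facts that are sensitive only when held together."""
    facts: frozenset
    level: Level
    reason: str


# Constructed sample data; levels are assumptions for illustration.
FACT_LEVELS = {
    "generator_power": Level.UNCLASSIFIED,
    "jammer_power_share": Level.UNCLASSIFIED,
    "jammer_output": Level.SECRET,
    "name_xf42": Level.UNCLASSIFIED,
    "fleet_size_10": Level.UNCLASSIFIED,
    "flies_above_60k_ft": Level.UNCLASSIFIED,
}

RULES = [
    AggregationRule(
        frozenset({"generator_power", "jammer_power_share"}),
        Level.SECRET,
        "generator power x jammer share reveals jammer output",
    ),
    AggregationRule(
        frozenset({"name_xf42", "fleet_size_10", "flies_above_60k_ft"}),
        Level.SECRET,
        "ties the fleet size to the high-altitude capability",
    ),
]


def classify(facts, fact_levels=FACT_LEVELS, rules=RULES):
    """Return (level, reasons) for a set of facts held together."""
    facts = frozenset(facts)
    unknown = facts - set(fact_levels)
    if unknown:
        # An unreviewed fact must not silently default to UNCLASSIFIED.
        raise KeyError(f"facts with no assigned level: {sorted(unknown)}")
    # "Poisoning": the compilation is at least the maximum of its parts.
    level = max((fact_levels[f] for f in facts), default=Level.UNCLASSIFIED)
    reasons = []
    # Aggregation: a rule fires when all of its facts are present.
    for rule in rules:
        if rule.facts <= facts:
            level = max(level, rule.level)
            reasons.append(rule.reason)
    return level, reasons


def classify_release(documents, fact_levels=FACT_LEVELS, rules=RULES):
    """Classify everything one recipient receives as a single compilation.

    Splitting facts across pages does not help: what matters is the union
    of what the recipient ends up holding.
    """
    combined = frozenset().union(*documents)
    return classify(combined, fact_levels, rules)


if __name__ == "__main__":
    pages = [{"generator_power"}, {"jammer_power_share"}]
    for page in pages:
        print(sorted(page), classify(page)[0].name)
    level, why = classify_release(pages)
    print("release as a whole:", level.name, why)
```

Evaluating each page separately reports every page as UNCLASSIFIED, while evaluating the release as a whole reports SECRET, which is the point made in the reply about spreading information out and telling the recipient how to reconstitute it.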
Could I use Outlook to take some notes on my thoughts on that issue? Say as a draft e-mail? I don't think there would be anything technical to stop me, and it's not going to set off any automatic exfiltration flags.
But those notes could very well need to be classified. Does everyone in the Capitol with access to classified material have the necessary skills and incentives not to make notes about them on their personal computer?
You could of course write stuff down afterwards in an unsecure place but that is day 1 essential huge fucking deal no no. You don’t even discuss classified info outside a secure area, not in your public office not in the outback not ever. That doesn’t mean people don’t do it but when they do and it is found out it is a really big deal. Accidents do happen and there are protocols in place to deal with them when they occur. 99.9% of these leaks are extremely mundane low tier classification and are due to document misclassification etc. Sometimes the name of a project is classified and is leaked by reference etc but when it comes to actual important stuff people are quite competent at keeping that in secure areas.
A random member of the military or the administration would go to jail for a long time, a senator especially from the same party as the president would get away with it with impunity.
Access to classified information comes with training on properly handling classified information.
Mishandling classified information is a crime if you have a security clearance.
There is a lot of private information on those computers, though, and the biggest risks there are the use of that info to harass staff and/or manipulation of it to feed conspiracy theories (see: Pizzagate).
Blackmail material is extremely unlikely since these are all government computers and everyone who works there knows they are subject to oversight.
Obviously, the security services stood back and had high level direction to do nothing. They left a few capitol police flapping in the breeze and the cavalry (national guard, other law enforcement) never showed up.
I work near a VA hospital, and a few years ago a deranged man was running around the grounds with a machete and what looked to be a rifle. They activated their protocol and within 10 minutes mutual aid (Federal Protective Service police, State Troopers, local PD) were on site.
That didn’t happen. I hope Biden purges the top layers of career management in those police agencies as well as the commanders of the National Guard. They failed the nation.
The National Guard, on the other hand, you seem to be misinformed about its status. Most of us work regular ass jobs full time just like everyone else here and we're lucky to get 1/3 of our unit strength to report within a few hours. Plenty of service members don't even live in the same state where they are in the Guard, especially on the East Coast. Then it takes time to make a plan, organize, issue equipment, load/prep vehicles, and roll out.
Finally, NG commanders can't just choose to deploy somewhere on their own because there's an emergency. It has to be authorized by the state governor. I don't know how it works exactly for DC though. The Secretary of the Army was part of a press briefing Wednesday announcing NG deployment, but the NGs for the 50 states aren't part of the Department of the Army, but rather the states and the National Guard Bureau until mobilized under Title 10 authority (not a drop of the hat thing). Maybe the DC Guard is under some direct Executive Branch control which in this case would be bad news, because look who was more than happy to have the Capitol overrun.
There are credible reports of a vacuum in terms of communication or response from the Pentagon guard brass. Seems unusual that you have an insurrection at the Capitol and the governor of New Jersey is activating people, sending State Troopers, and trying in vain to reach someone in the Pentagon.
The difference is the Governor of New Jersey directly controls the NJ National Guard. I have no doubt there was confusion about activating the DC Guard, as your sibling reply points out, the President is the Commander in Chief of the DC Guard. However, I doubt the Adjutant General of the DC Guard reports directly to the President, so for sure there was confusion in whatever layers of bureaucracy there are, and of course, the President wasn't exactly helpful in responding to the situation quickly or at all.
It's worth also pointing out that a big issue with National Guard mobilizations is funding. Since service members aren't on salary like the active component, then there has to be money set aside to pay SMs for their activation, someone has to decide which pot of money it's going to come from, authorize its use, etc, etc. It takes time.
In the case of DC (since Posse Comitatus doesn't apply), the capital would be better off having troops from the active component to draw on for emergencies.
Indeed it is. Since DC has no governor, the US president is the CINC of the DC National Guard.
Hence it is particularly damning that while the DCNG was activated two days in advance as the terrorist threat to DC became evident, the White House did not give the go-ahead for them to come to the aid of the Capitol Police.
Apparently this permission eventually came late in the day after events were already under control, reportedly conveyed by the Pentagon on orders of Pence rather than Trump.
Secdef could issue those orders in POTUS’ name, he likely has the delegated authority to do so, but the VP is not in the chain of command and has no authority.
Wait, what is the context on this? I saw the footage once before I knew she died. It honestly looked like law enforcement with guns coming up the stairs, and it looked like a crowd of people, not a woman acting alone. What area of the building was that that was extra-sensitive?
EDIT: I see now, other angles are easy to find. Trying to climb through a blockaded entry point as guns were already pointed at her...
I guess the woman, despite being a veteran (Air Force... why is it the Air Force has so many crazy people?), was so caught up in LARPing that she couldn't rationally evaluate that this was the last meaningful barrier to the House chamber and they might have more liberal rules of engagement or someone might panic and overstep their RoE to prevent an unauthorized mob from entering. If she'd climbed through, she could have opened the door to the mob.
On the other hand, I can see the argument that shooting her was an absurd overreaction. There were armed capitol police who had just come up the stairs behind her and that group of protesters, and they were doing nothing. The news reports that the justification for the shooting was that she might have been armed, but if that's really their rationale, it's a bad one. They should have retreated to the main chamber, because they weren't in a good tactical position, trying to defend a barrier with windows large enough for people to climb through. In addition, no such resistance was offered on the Senate side. When you're outnumbered that badly, unless you have special training like the Secret Service would, and plenty of ammo, you're not going to accomplish anything by shooting anyone, unless they are overtly threatening people such that you think you're going to die or be taken captive anyway.
I don't think Capitol Police are legally at fault in any way for her death, but I think they did the wrong thing there.
I can imagine the Capitol Police being worried that something very bad could happen if she was allowed to breach the barrier and run into the chamber.
It’s a good shoot pretty much no matter what else at that point. The police officer can reasonably defend that perimeter with deadly force.
Regrettable that it came to that, no one wants to see anyone die, but if you don’t want to get shot don’t go to a riot.
now they're gonna check everything for possible keyloggers or whatnot
and there's no way of knowing if any computer was left unlocked and might have had something installed on it
Windows-L is the keyboard command to lock on Windows. I strike it by habit every time I get up from my chair.
Easier than typing a key combination
Some folks at my office have ID cards that need to be inserted to operate the computer (it locks when the card is removed from the reader). The smart ones have attached the card to their belt so that when they walk away, the card goes with them and the computer locks.
"I just need to download the presentation from my website, can I use your computer real quick?"
Do you really think an 80 year old anti-tech representative would even consider that a problem?
I'd have to assume the computers are already protected from that attack vector.
Edit: I'm getting a lot of downvotes without replies, which makes me think people don't agree with this. I wonder, how many have actually worked in corporate IT security for a non-tech company with older employees? Because things like this definitely happen on a daily basis.
Case in point: Pelosi's screen was unlocked when that guy sat down, which was at least 20 minutes after she left. That means that not only does she not lock her screen when she gets up, but the screen saver doesn't even auto-lock after 20 minutes.
I worked for a long while in various near-IT jobs before transitioning to my current position in cyber/devops
I am quite sure that non-technical office security is crap under the best of circumstances
and that's before a bunch of yahoos start rampaging around it
at least the employees know they are being tracked and easy to find, pass security clearance and probably are not the dumbest of people
whereas Trump lot were obviously idiots, and under an impression they would not be persecuted
I don't see why some foreign actor couldn't pay one or more of them to install something or other
The videos showing her get shot had several police in the area and they never looked like they were very interested in protecting that area before she was shot.
[Viewer discretion advised]
TLDR: It's likely there are secret service members in the Capitol at any given time.
having worked for the US gvt, though not in legislature or dept of state, PIV cards were always required to access a gvt machine, and leaving your PIV inserted while absent from the room was, in theory, a serious offense.
Are congress critters and others not required to use ID cards when accessing gvt networks?
Just the picture of Pelosi's desktop indicates there's no automatic screenlock, which is a fairly low bar as controls go.
Not that it's much better, but it is still an important clarification.
But the Capitol has SCIFs for storing top secret information and committee meetings that deal with classified information. You can't bring your own laptops or even phones to them.
Tiny damage in comparison in context.
As a child, I knew Watergate was a scandal that impacted the presidency. I think I was an adult before I learned it involved wiretapping. I remember being rather surprised to learn some of the details as an adult.
A note for context: a friend of mine who works in the capitol brought me along one day and asked me to wait in the minority leader's antechamber (a large room like a hotel conference room) for a few minutes while a vote was called. There were various bits of CAT-5 sticking out of the wall and I was unsupervised for nearly a half hour. Various people came and went and paid me no heed. I can't imagine I'm the first or last person to have been in that situation.
TL;DR special secure facilities exist for a reason. The Capitol is used to randos.
And why do they even need offices in the capitol building at this point? Everything could be done online.
However, if congress can learn a bit about the pitfalls of commonplace devices, that would be nice.
As such this is not a new situation, but it's interesting that devious motives are attributed when the protester has a particular set of politics, or because they were successful in breaking past security whereas previous protesters attempted and failed.
Given that Congress was recently sworn in, there probably was nothing just lying around, but that is the sort of physical evidence that would be especially sensitive and embarrassing to leak.
I think we are fast approaching the point where the whole concept of "society" will have to be abandoned...
Most of the readers here know quite a few things about system administration and/or IT security. As I read this thread, most comments only discuss the IT security implication or express sympathy for the poor souls that will need to clean up this mess; there's hardly any discussion about the morality of possible leaks.
It was initially assumed to be a leak on moral grounds. And ended up just putting a lot of people in danger, and disrupting international diplomacy.
I don't think many who know the details support the leak.