China Denies Responsibility For US Government Data Breach

schwit1 writes: On Friday, Beijing responded to allegations from Washington that China was responsible for a cyberattack on the U.S. Office of Personnel Management that compromised the personal data of some 4 million government employees. The accusations, China's foreign ministry said, are "irresponsible" and "groundless." The OPM breach is the latest in a string of cyber 'incidents' that have coincidentally occurred in the wake of the Pentagon's new cyber strategy.

ZeroHedge argues, "Whether or not the most recent virtual attack on the U.S. did indeed emanate from China or one of Washington's other so-called "cyberadversaries" (the list includes Iran, Russia, and North Korea) will likely never be known the public, but rest assured the blame will be placed with a state actor so as to ensure the DoD has some precedent to refer to when, for whatever reason, the Pentagon decides it's time to deploy an "offensive" cyberattack later on down the road."

Irrespective of where the attack originated, it appears obsolete technology was ultimately to blame, because as Bloomberg reports, "Einstein" wasn't much help in preventing the intrusion: "It's behind schedule, the result of inter-agency fights over privacy, control and other matters, and only about half of the government was protected when the hackers raided OPM's databases last December. It's also, by the government's own admission, already obsolete. Over the last several months, U.S. officials have said that perimeter-based defenses such as Einstein, even backed by the National Security Agency's own corps of hackers, can never prevent break-ins."

It doesn't matter matter who did it

[Karmashock]

What matters is that the ongoing incompetence of the federal government permitted it to happen.

I'll say again, instead of getting the NSA to anally probe your own people utterly violating the 4th amendment... why don't you task your teams of tamed hackers to strengthen security throughout the government's computer systems?

They know how to breach systems so they know how to secure them. All they have to do is make the system so tough that even they couldn't get into them. And task a few of them to literally try to emperically test whether the security has literally arrived advanced to that point.

This is not an unreasonable standard.

If the NSA can breach your systems than so can the chinese probably. So if you want to keep the chinese out... make it tough enough that the NSA can't get in.

Any excuses should be met with summary executions. Just pistol to the temple and a query for any further questions?

Seriously though... the bad security is not acceptable. And without some drastic changes in culture, the systems will remain open books to any nation or even many criminal organizations that want in for any reason.

That's pathetic.

And a big part of the issue is that we're not putting technical people in charge of security.

Look, you wouldn't a guy without experience running warships in charge of the Navy would you? Would you put someone with no experience flying airplanes in charge of the air force? Then why are we putting non-computer experts in charge of computer systems?

They don't know what the fuck they're doing. Its like putting an accountant in charge of the Marines or putting the Marines in charge of a law firm. It doesn't make any sense. Stop doing that.

If you're having a hard time finding someone with command chops in the technical fields, then do what you do in every other branch of the government when you encounter that exact problem. Have a training program where in your people can get promoted into management. Why is this rocket science? The government understand this everywhere else in largely flawlessly. You need someone to run some aspect of the justice department? You promote someone with skills from within the department that understands LAW and law enforcement.

The ongoing idiocy of my entire culture... forget the government because the corporations are little better in most cases... it is shocking. They almost never put people that understand the tech in charge of the actual f'ing machines.

They understand they need to hire a lawyer to run the legal department. They understand they have to hire an accountant to run the Accounting department. They understand they have to hire a marketing guy to run the marketing department. But when it comes to IT? Well you can use anyone apparently. Put an accountant in charge... or a lawyer... or a marketing guy... or whatever. A fucking bag of dead kittens would appear to be sufficient.

The governments and big corps will say "but it will be really expensive to fix our problems"... it is only expensive because you've deferred maintenance for a million years. That like saying you can't fix the roof that has rotted out because that will be expensive. You fix that roof. You maintain that roof. You do not fuck with the roofing guys when they're telling you what has to happen. Because you know and understand that failing to do it means you get rained on.

The computer systems are the same thing. Only you only notice there is a problem if you know enough to notice or if there is a huge fucking disaster. If neither applies then people can be oblivious. WHich is possibly the attraction of people that don't know what they're doing... they can be oblivious.

Re:It doesn't matter matter who did it

[Fire_Wraith]

Furthermore, this is nothing new. In fact, it's been a known issue for a long time. The NSA is not only responsible for signals intelligence, but also has the responsibility of securing U.S. Government communications, i.e. Information Assurance. In the past, this meant coming up with strong codes and encryption systems of our own, while the other part of NSA worked on breaking enemy systems (like the WW2 Japanese Naval and Diplomatic codes for instance). The problem with that today is that there's no longer a difference. Everyone is using the same hardware and software platforms. The same systems that the US Government uses are also the ones used by cybercriminals in Krasnovia, terrorists hiding in caves in Dirka-Dirkastan, and other governments around the world, not to mention our own citizens. In theory that means the NSA would have to balance between using flaws it finds to exploit its targets, and making sure the flaws get patched so we're not vulnerable. If the results we see are the only measure, then they're perhaps tilting badly towards the intelligence/exploit side. I would note though that this isn't the only factor. Overall I'd say that the executives in charge, whether we're talking about the corporate world C*O types or Government SES types, put far too much value on accessibility, availability, and ease of use, and don't take the risks seriously enough. It's either that or they're bullshitting us about how damaging it was when the breach does occur, because if it was truly unthinkably bad then they should've taken it more seriously in the first place.

Re:It doesn't matter matter who did it

[Karmashock]

They put an emphasis on accessibility because they're personally clueless.

I saw something about the Navy considering a BYOD policy with the Navy's computer systems.

I mean... what the fuck? These idiots should just get a custom US government smartphone and anyone that asks for an iphone should get a black bag thrown over their head and sent via CIA cargo plane to a black site.... where upon pictures of their electrified genitals are leaked onto the internet...

Not really... Just... there's stupid and there's so stupid that it should be classified as treason to promote that person above latrine digger.

this is the government and the military... and if the idiots running these systems can't be bothered to take security seriously than we need another group of idiots.

Re:It doesn't matter matter who did it

[DescX]

Wasted my mod points or I'd vote you both up; sorry!

Most of the senior and lead postings I see in my area are asking for appropriate technical skills, with odd expectations for years of experience. That would be fine if candidates could sit down and hash things out in an interview, but, recruiters. Many of them aren't reading resumes. I tell them right off the bat that I refuse to participate in defense/military work in any way (there goes 75% of my opportunities ;)). I'm also clear about having over 10 years of extreme hobby experience, and that only a fraction of my skills have been tested in a workplace with a proper team. ...despite this, I was getting enthusiastic calls at least once a week for writing nuclear efficiency algorithms, holding team lead positions, developing military radar tech, working top secret clearance jobs, and lots of stuff demanding Oracle product knowledge (the only tech giant whose stuff I have literally never touched, Java aside, and my resume makes this pretty damn obvious). WTF?! This is stuff I am wildly unqualified for, or have explained I'm entirely against on an ethical basis.

I would drag out phone calls, keeping recruiters on the line longer than was necessary to make sure they were at least listening to me. I altered profile settings, iterated on the CV a few times, and the nonsense offers didn't stop. Then, I found out I couldn't delete my account on half of these sites, leading to some interesting emails with an recruiting IT department head. Two firms had no issue deleting my account and kept things simple (hooray!), others had a button hidden away on their site... but one place tried a refusal conversion on me. WTF?!

But it's not just recruiters, or companies. Massive government contracts feed voracious consultants readily, and an endless supply of people who would rather lie and fuck up on the job believe their need for a paycheck supersedes basic social responsibility - like don't try to take a job you can't do if it might kill someone. The scary part is that I could have pulled one over just about any of these recruiters with a few keyword changes and a tonal drop in my voice. If the hiring manager at the next stage was a dunce, I could have easily found myself writing code that actually carries a risk of ending life. Third time, WTF?!

Those who can, do; those who can't, teach. http://www.stilldrinking.org/p...

Re:It doesn't matter matter who did it

[DescX]

Markup fail! :) The line about teaching was supposed to be a joke, but I can't remember it now. The link's better anyway ;)

http://www.stilldrinking.org/p...

Re:It doesn't matter matter who did it

[vlad30]

Then why are we putting non-computer experts in charge of computer systems?

A fucking bag of dead kittens would appear to be sufficient.

The governments and big corps will say "but it will be really expensive to fix our problems"

Nepotism explains all the above

Yes its because the relative/friend thats hired to managed to string a few choice words they heard or read of news articles and looks the part. Expensive bit explains the large pay packet. This person would never get a job in private industry IT, who am I kidding nepotism occurs in private industry too,

Re:It doesn't matter matter who did it

[Holistic+Missile]

Look, you wouldn't a guy without experience running warships in charge of the Navy would you? Would you put someone with no experience flying airplanes in charge of the air force?

The current commander-in-chief of the US military was a community organizer.

The previous one joined the Texas air national guard to avoid being drafted.

The one before that went to college in England to be deferred from the draft.

The one before that actually enlisted in the navy following the attack on Pearl Harbor to fight for his country. He served as an aviator for the duration of the war.

The one before that served in the army, as an officer, before and through WWII.

From this point, all of them back to Truman had a military background. FDR served as secretary of the navy in WWI.

For 22 years and counting, the top military commander in the US has had no real military experience (not even peacetime duty)...

Re:It doesn't matter matter who did it

[ScentCone]

no real military experience (not even peacetime duty)...

Sure, being in the National Guard isn't quite the same as being full time in the Air Force, Marines, Navy, Army, or Coast Guard. But you absolutely do risk getting deployed. And the one you're mentioning put in the time, effort, and real risk involved in flying military aircraft. People die learning to do that. That (and being governor of a large state) is a lot different than playing local politics in Chicago. Even Bill Clinton's slightly oily duty as gov of Arkansas was some prep for a bigger executive position.

Re:It doesn't matter matter who did it

[penix1]

First off let me start this by saying I work in Homeland Security for my state and used to work for the feds doing the same thing. I received my notice about the breach at a staff meeting. The word is it wasn't a hack into the computer but it was malware installed on a computer at OPM. It was installed in December and wasn't noticed until April.

Now the question I have is was the individual that brought it in disciplined?

Re:It doesn't matter matter who did it

[Karmashock]

... way to strawman the fuck out of me.

First the commander and chief is the US President. He is also the head diplomat, the leader of the country, has enourmous control over the banking system, can dictate a great deal of policy to the legislature, has enourmous regulatory power, and yes... is also in utlimate command of the US military.

To qualify for all these positions, he'd have to be a general, a legislator, a legal expert, a financial expert, etc.

A CEO for example of a large corporation does not need to be an expert in every thing the company does because he delegates technical things to specializes below him in the chain of command. The president is the same way.

So no, your point about the president is not a flaw in my argument.

So... did you have a real point? Or just "that"?

Re:It doesn't matter matter who did it

[Karmashock]

A better question is why you let people in OPM install executable code on workstations?

We've had white listing security information security systems for ages that are administrated by the sysop.

He designates the code that is permitted to run on specific machines by specific users and anything that isn't that code is not authorized to run.

Which means if some jackass tries to run an angry birds EXE on your system or whatever... it won't run. And depending on your security policies, the mere attempt can create a security flag with the system administrator.

So... why is that not in place when its totally easy to implient as of now?

And beyond that, I'm guessing your workstations are not terminals slaved to a terminal server? The virtue of the terminal is that all workstations operate off a standard system template that is reflreshed after every logout. The only things that are stored between login/logout are things in the file servers and the databases. Control of viruses, malware, or just bullshit programs is very easily tracked and controlled. Also any problem with the machines is a lot easier because the physical workstations are dumb terminals that can be junked for practically nothing and replaced... plug and play. And there's no need to install a new operating system or programs on the new system because all of it is on the terminal server.

Just saying. I'm sorry if I'm sounding like a dick here. But whomever manages security in these departments needs to kneed hard enough in the groin that it causes an improvement in their priorities.

If you're saying this was caused by some dipshit user installing malware on a workstation that actually reflects very badly on the system design. Not the dipshit employee.

Firing the dipshit employee won't fix the problem. The problem is that any dipshit employee can install malware on your systems.

Re:It doesn't matter matter who did it

[Karmashock]

Bullshit. If you know how to attack then you know how an attacker will attack and you can test systems for security by attacking them.

Is this system secure? Attack it... did it withstand the attack or not? How did you get in if you got in?

Anyone that is that good at attacking knows how to defend.

I'm not debating this... you want to disagree on some myopic premise. Fine. We agree to disagree.

Re:It doesn't matter matter who did it

[schnell]

I saw something about the Navy considering a BYOD policy with the Navy's computer systems.

I mean... what the fuck? These idiots should just get a custom US government smartphone and anyone that asks for an iphone should get a black bag thrown over their head

Have to be a little careful how I respond to this... let's just say that the last thing you want is the Federal government (or at least the DoD and the Intel community) picking out your cellular technology for you. The world of cell phones has evolved in less than a decade from dumb phones that couldn't even text to portable supercomputers; GPS-enabled dog collars and pill bottles; and increased worldwide coverage at (inflation adjusted) equal or lower prices to what you got 10 years ago. In the US Federal government, 10 years has brought you the F-35 Joint Strike Fighter at billions over budget and years behind schedule. Let's please never think that the US government is compatible with cutting edge technology in anything that does not evade radar, blow things up, or do so simultaneously.

In the US government world, in a SCIF (Sensitive Compartmented Information Facility, anywhere where SECRET/TOP SECRET/SCI information is shared), you can't even bring a cell phone into the facility. Think about this: everyone at the NSA, DISA, CIA Langley etc. misses your phone call unless they are sitting at their desk. Forget that "Homeland" or "24" bulls**t about people using their Droid Razrs in CIA headquarters or wherever the hell Jack Bauer is supposed to be (Federal Secret Counter-Non Existent Surveillance Footage - Large Screen TV and Fake Hologram Agency?). This is how forward thinking the government is about mobility.

Additionally, in 2008 the government (NSA and DISA) got together to decide to do exactly what you suggested. The result? The Secure Mobile Environment - Portable Electronic Device (SME-PED) initiative, which began with a forward looking technology initiative, and by the time it had run the gantlet of DoD/Intel requirements and Federal acquisition policies, had turned into a gigantic brick of a device - running Windows CE - that cost multiple thousands of dollars. This was launched shortly after the iPhone hit the market.

I can't share the detailed results for a variety of reasons, but I can say that adoption was very poor. Real-world users decided to either stick with earlier, cheaper secure dumb phones; or just risk things and make phone calls about secret information on the mobile phones that they actually carried every day and wanted to use. At any rate, the lesson learned was that 1.) people love cell phones because they are cheap and people have lots of choices; and 2.) when the US government gets involved to pick a "secure" cell phone that all its employees should use, nobody actually uses it.

Re:It doesn't matter matter who did it

[Karmashock]

yes it is true. Bags of dead kittens run many US Federal Departments.

What are you? A robot?... and a retard?

Learn the difference between exaggerations made for comic/dramatic effect and statements meant to be taken literally.

Is this your Commander Data impersonation? Do you want me to tell you what sex feels like or something?

Guys, did IBM's Watson escape the lab and start posting on social media? We should know these things.

Re:It doesn't matter matter who did it

[Karmashock]

If they can't subcontract one of the major suppliers to turn out a phone with tweaked firmware to suit the NSA's security recommendations then possibly we should just all stick shotguns in our mouths and hope that something evolves from our festing remains to have more wisdom than this species.

This isn't hard.

As to the issues with consolidating aircraft, that is mostly an issue of all departments being forced to use the same fucking airplane.

That's a mistake. It had Lockheed designing a plane that was right for the Navy, the Marines, and the Army. That's stupid. And to make matters worse they tried to harmonize that with the Airforce's air superiority program.

I can send you interviews with Admirals and Generals where they basically say it doesn't cut costs to combine things because they've very different missions and you just get something that is compromised into uselessness.

What is more, every design decision has to be checked with every god damn branch of the military because they're all basically using a very similar platform.

The F35 should have been like... five or six different planes. Each with their own design considerations, life expectancy in the fleet, and supply chain.

The marines wanted something like the harrier jump jet. Boeing had something like that ready to go for a fraction of what the F35 cost. Give them that.

The army doesn't care about vertical take off or landing. They're happy to build an airfield so long as it doesn't have to be perfect. They like big cargo planes and big bombers... so they're going to have access to big airfields. The army likes firepower where as the Marines prefer flexibility and some nimbleness.

The Navy is all about pessimism and preparing for the worst. They like things to have back ups and back ups of back ups. And fail safes when the back ups fail. So they like their planes to have two engines for example. Because they don't trust that one of those engines might die for no reason and cause the plane to go into the drink. They also like range. That lets the carriers stay back and well out of harm's way. Vertical take off and landing are not required when you have Nimitz Class super carriers.

And the airforce likes to paint shit black and go veroom veroom. Seriously though, they like speed, stealth, and fighters that turn on a literal dime. The number of engines, how much fire power it has, or whether it can land vertically isn't really important to them.

Trying to combine all these objectives into a single airframe was dumb. And that's why the F35 was a disappointment.

And to make matters worse, the F22 is absurdly expensive which is driving us to replace its role as much as possible with drones. That is our goal there. The F22 might be relegated to a forward drone commander. All that maneuverability will be pointless.

But to the topic of smartphones... I wouldn't have every single agency use the same stupid phone. That's clearly a bad idea. let them all get their own. They can work out the details. the costs shouldn't be a big deal. An order for 100,000 smart phones isn't going to be expensive on a per unit basis.

Re:It doesn't matter matter who did it

[Karmashock]

Well... it isn't a matter of corporate versus private. Technically either could be better in almost any situation.

The issue is competence. If one system is competent and the other is not then... one will work and the other will not.

Re:It doesn't matter matter who did it

There are SCIFs where you can bring in your phones.
More importantly, almost no one has an office in a SCIF. So this means they miss your call if they are in a closed area, and didn't route their desk line or mobile number to the phone closest to whatever workstation / file they are working at.

Re:It doesn't matter matter who did it

[Rich0]

If the NSA can breach your systems than so can the chinese probably. So if you want to keep the chinese out... make it tough enough that the NSA can't get in.

Good luck with that. When there is no cost for mounting an attack, an attacker will almost always have an advantage over a defender.

This is like arguing that if random hoodlums keep breaking into your house you should simply upgrade the security of your house until they're unable to break in. If criminals can attempt to breach your house without any risk of punishment, then you've lost. There isn't a wall built by man which can't be breached by man. Sure, you can invest enough that it isn't worth their trouble but we'd all be broke if we actually did it that way. Instead we hire police, and instead of letting people hammer away at our doors all night long with construction equipment, we call the cops and they haul the criminals off to jail.

The problem with the internet is that we treat it differently from everything else. If you're in a nation that turns a blind eye to hacking (or sponsors it), then you can hack away at targets all day long without any real risk of punishment.

Re:It doesn't matter matter who did it

[Holistic+Missile]

No straw man intended...

Just a thought that I had. I totally agree with your sentiment about the competence of the people involved. I have just noticed over the years that experience doesn't seem to mean as much as it used to (in industry, as well). It's the old, "it's not what you know, it's who you know" thing being practiced literally.

Re:It doesn't matter matter who did it

[Holistic+Missile]

I guess that I was being kind of unfair to George W. Bush - national guard duty may be mostly part time, but it is still military service. He and Clinton both had family connections that would have made sure that they never served in Vietnam. On second thought, Bush's method of dropping out of the draft pool (enlisting in the national guard) was much more gallant than Clinton's (hiding at Oxford University in England).

I'll re-phrase my statement to say that only one top military commander in the US in the last 22 years and counting has had any military experience.

Re:It doesn't matter matter who did it

[Karmashock]

That's a lot of it.

In industry, I see a lot of lawyers and MBAs put in positions that are not appropriate.

My belief for example is that the CEOs of technical companies should have the CEO be someone that personally understands the technology that underlies the product they're providing.

They don't have to understand everything. Just their product.

So I think car companies are better run by engineers. I think computer or IT companies are best run by people with a CS background. I think medical companies are best run by doctors. I think law firms are best run by lawyers.

The point of the MBAs is to serve a competent second in command type people that provide assistance with logistics and organization. But knowing how to organize something doesn't mean you know how it should be organized.

In regards to the IT managers in the government and corporations, they need to put CS or IT background people in those management positions. If they have too many MBAs or lawyers that need management positions that isn't my problem. Find a department they can run comptently.

Here is how you know if a manager shouldn't be managing something:

Do they know when their employees aren't doing a good job?

Now, without a CS or IT background how is your manager going to know that? He isn't. He has no hope of ever figuring that out unless there is a disaster and even then just because there is a disaster it doesn't mean your people even made a mistake.

Lets say you're running a car company... if you're not an engineer than how do you know if the people making your product are doing a good job or not? You can't know. You don't know enough to judge.

And so on. A lawyer running a law firm is going to know if one of his junior partners is fucking up or if one of his senior partners is slacking off. Someone without a deep experience in the profession and industry isn't going to have a clue.

It is why I think MS had trouble after Gates left and it is why I think Apple is going to run into problems now that Jobs is gone.

Re:It doesn't matter matter who did it

[Karmashock]

As to inequities between defenders and attackers, those are always technology specific.

Armored knights for example were quite viable until the fire arm.

We're talking about network security.

Saying you can't secure these systems because of some analogy about people putting bars on their windows is not constructive.

Re:It doesn't matter matter who did it

[penguinoid]

You think America's cybersecurity is bad? The are even worse at personnel -- for example, they may have let a few people who despise and violate the highest law of the land into important government offices.

Re:It doesn't matter matter who did it

[Karmashock]

That's politics. I accept that people I don't like get elected to office sometimes. My problem is when incompetent people are hired to run the machinery that keeps the institution alive.

By all means... be corrupt... but don't be incompetent.

I can tolerate people stealing from me a little bit. Its not avoidable. But if they're stupid on top of that, then that is not acceptable.

Re:It doesn't matter matter who did it

[strikethree]

Look, you wouldn't a guy without experience running warships in charge of the Navy would you? Would you put someone with no experience flying airplanes in charge of the air force?

You wouldn't put an MBA in charge of precision equipment manufacturer would you? You wouldn't put an MBA in charge of a web search/directory company would you?

I could go on and on, but yes, you would. All it takes to run a business is an understanding of business processes. There is no need at all to actually know anything about what the business does. Look at Apple. They had the CEO of PepsiCo running the business and look at them now. Steve Jobs was just a slick salesman is all. He was just riding on the well organized business that the previous MBA had set up for him.

I am wondering if anyone heard the sarcasm in there or if they were just nodding in agreement... until they read this sentence.

Re:It doesn't matter matter who did it

[Rich0]

Sure, it isn't a perfect analogy. However, I think that it still holds true.

If you're a hacker in a legally-privileged environment (either the local government actively protects you, or simply doesn't bother to go after you), then the only cost to trying to hack into systems is your own time. Anytime you come up with an exploit you can easily automate testing it against countless targets. That acts as a force multiplier.

The usual offense vs defense relationship also applies. The attacker has the initiative and gets to pick which defense they want to attempt to breach. That means the attacker can apply his greatest strength against the defender's greatest weakness. The defender has to be strong everywhere, but the attacker just needs to be strong in one place.

Of course investing in security will help, but I fear that it is a losing battle against determined attackers. I can't think of any solutions that wouldn't involve essentially dismantling the internet as it exists today.

Re:It doesn't matter matter who did it

[Karmashock]

The problem with your argument is that perfect security in computers is actually possible... theoretically. Perfect defense in conventional military terms is not even theoretically possible.

You control too many things in a network for the two situations to be analogous. They can't attack you unless they get into physical proximity of your systems or intrude through your firewalls.

That's already a huge advantage. Think of that in terms of military defense.

Imagine if the enemy could only attack you through one little mountain pass and no where else. All you have to cover was THAT entry way.

Then consider you don't need to let just any jackoff through the pass. Instead, you can block anyone from entry except those you've determined to be authorized.

Intrusions are thus a matter of determining who is authorized and who is not through your gate.

There is no question of your supremacy at your gate. You can't be credibly assaulted.

A hacker is more like a smuggler than an invading army.

Now if we think of this like smuggling... can that be stopped?

Well, they can only enter through that gate. They can't sneak in anywhere else unless your organization is far more incompetent than we need to worry about in this thought experiment.

So how do you keep out or detect 100 percent of smugglers?

1. You control the protocol of entry such that no one can enter unless they're very familiar with the system. Secret handshakes and the like. An insider could out your systems but unless they have that they'll reveal themselves.

2. You segregate the data flows into types. This type of data goes here. This type of data goes there. Smugglers tend to get through by mislabeling things. This bag full of drugs is relabeled as coffee. But if you make it impossible for the box labeled coffee to go anywhere but the coffee warehouse than you restrict the distribution of the drugs once they get past the front gate.

The point is if you set up your firewall rules properly it will be very hard for anyone to do anything. High security systems for example shouldn't be conducting all affairs over VPNs. This means someone trying to access the system without the codes and encryption for the VPN can't talk to that system at all. That is the secret handshake.

Have we seen any of these systems get their VPNs breached? Nope. The systems breached weren't using VPNs.

to say that we can't secure systems because bad security policies or absent security policies get breached is silly.

You lock it down and they're not getting in.

I could go through a long list of protocols that could be followed that would make these systems 100 percent hack proof.

No. 100 percent. NSA proof. FSB proof. No one is getting in.

The only thing I couldn't stop would be guys showing up to the data center with guns and shooting their way in. That is a security situation for someone else.

But if your concern is keeping hackers out? 100 percent security is possible. Not 99.9. 100.

Re:It doesn't matter matter who did it

[Karmashock]

Thank you for the last sentence. Due to Poe's law, you can't tell when people are being sarcastic otherwise. :)

Re:It doesn't matter matter who did it

[Karmashock]

Cite one, shortstack and I'll either admit error and thank you for the correction or correct you and expect you to thank me for that correction.

Hurry up. The posturing and pretension bores me. Either pull the trigger or put it away.

Re:It doesn't matter matter who did it

[Karmashock]

You said that the rest of my post was nothing but the dead kitten comment writ large.

I asked for examples. Lets go through that little assertion... I've got the blades on the chipper oiled and I'm more than happy to feed your argument into it.

Re:It doesn't matter matter who did it

[Rich0]

Imagine if the enemy could only attack you through one little mountain pass and no where else. All you have to cover was THAT entry way.

Sure, but we're talking about a gate that routinely allows millions of people to go through in both directions every minute, and somebody can pound on it continuously 24x7 and you will refuse to pour boiling oil on them. Oh, and 99% of the time anybody going out isn't inspected at all, though I will concede that this doesn't have to be the case.

Is perfect security theoretically possible? Sure. Are we ever likely to achieve it on a non-trivial network? Probably not.

And while it is difficult, you can penetrate computer networks without ever going through the firewall, or even if the network has no gateway at all to the outside world.

Re:It doesn't matter matter who did it

[Karmashock]

No.

You set your firewall rules up so that isn't how it works.

You let authorized users in and out... and only to access other authorized systems.

If someone says "but I want to access my facebook account"... you tell them to save it for when they are off government time.

The firewall rules are too permissive and that is a large part of the problem. Lock it down so the systems only communicate with known systems that are known to be good. And only through VPN.

The hacks are not coming through VPNs. Fix the firewalls and the hacks will stop cold. Its not as hard as people make it out to be. It just has the price that employees no longer treat the workstations like personal computers.

They are not personal computers. You lock down the communications so they can't access anything they do not need to access and then you lock down the application privelges such that only code that is approved by the admin can run. Nothing else.

No checking your face book... no installing angry birds.

I've seen sysops so bad they had some users running torrents on their workstations. F'ing torrents. They were downloading pirated movies and stuff to company systems. Installing malware ridden games and other programs...

There's only one way to stop that. You lock the systems down so they don't do anything that you don't want them to do.

Everywhere I've done that has flawless security. Never a breach. Never an issue. The systems are also a lot more stable. The employees don't like that they can't check facebook on those system. But I give literally no shits.

Re:It doesn't matter matter who did it

[Rich0]

Lock it down so the systems only communicate with known systems that are known to be good. And only through VPN.

Obviously if your network isn't connected to the network it is harder to break into than a network that IS connected to the internet.

However, that isn't very helpful for networks that actually need to be connected to the internet.

When I'm at work it is pretty useful for me to be able to use Google. I look up stuff all the time from websites run by companies who aren't screened vendors for my employer.

Simply closing off your network entirely from the internet isn't really a practical option in most cases. Certainly for really critical networks it should be done, and you'll note that nobody was stealing nuclear launch codes here. The social security numbers of every government employee aren't actually classified information.

And don't get me started on why things like social security numbers shouldn't be sensitive information in the first place. I should be able to give you a copy of every government-issued document I have ever gotten, and it should not be possible for you to impersonate me using it.

Re:It doesn't matter matter who did it

[Karmashock]

As to them not putting technical people in charge of security... okay:
http://en.wikipedia.org/wiki/D...

That's a naval admiral in charge of the NSA.

Think about that.

Do we put anyone in charge of the Navy except for people with naval experience? No we do not.

So why do we put people with no computer experience in charge of the fucking NSA?

And that sort of thing is typical. Now... am I going to get any more back talk out of you? Do you have a legitimate comment you'd like to offer? Or can I expect more bullshit from you?

Three options. You accept my point, you offer a counter argument with EVIDENCE because I just presented some, or I get to take you even more lightly than I already do.

Re:It doesn't matter matter who did it

[Karmashock]

Its not a question of being connected to the internet. It is a question of firewalling that connection so that only communications you approve of can flow through it.

And then setting up the computes so they can only run approved executable code. These things can be done. I have done them.

As to people that need to use google, what do you use google for?

1. Do you use few specific websites or do you need access to ANY website? I would argue that if you had to sit down with your security team and tell them EVERY site you needed access to it would be a finite list. I would then specifically give YOUR machine or which ever machines or users needed access to those domains access to those domains. And that access would be restricted to port 80 which is websites, and only your browser would be able to access them.

Do you see? A virus or worm couldn't contact its master under that system unless its master was one of those domains you cited. And even then it wouldn't be able to connect unless it was using your web browser to do it. And even then, you'd have to be logged in on your account to even give your browser that authority.

A worm that can get through that is something I've not seen yet. They just don't. The worm has to infect the server, the router, the the firewall to get out under my system. And that isn't happening because I don't permit workstations to send anything to those systems that is not authorized by me. So the worm can't spread its infection to security controlling infrastructure and it can't access the internet because I don't give workstations more privileges then they need.

I use VPNs not only externally but internally within. You want to access the database or the file server? Fine... login to the internal VPN and you can do that. The communications between that system and your system are encrypted and the protocol is tightly controlled. You can't do anything besides what I what I let you do.

2. Beyond that, I like to use terminal servers so your workstation is in most cases a template sitting on a terminal server and it refreshed from the template after every logout. So even if you infected your workstation, simply closing it and opening it again will remove the infection.

3. And you're not going to infect the workstation because I'm not going to let you run executable code on it that I haven't approved. what do you need to run? Your webbrowswer? Your email client? Some word processor? A a spread sheet program? Access a corporate database or three? Fine. You can run all of that. But I will grant access to each of those specifically.

I don't even let my users run notepad. They don't need it. They can't run minesweeper... ti isn't even installed but if it were they couldn't run it. They can't run ANYTHING that I have no specifically authorized. The System account has authorization to run most things but the USER account can only run perhaps 10 programs total at most. Nothing else. They can't even open a command prompt. You can't do shit on those machines unless I specifically allowed it.

And while you might be thinking "wow this guy is a control freak"... that is my fucking job. I control the systems. they do what I want and nothing else.

I am a big believer in what I call "white list security"... Most people use what can be termed "black list security". they have huge lists of all the things you can't do. That's how an anti virus program works. It looks for bad code and disallows it from running.

I do the opposite. I identify GOOD code and permit that to run. All code that is not good and approved is passively denied access. No exceptions. that means I am immune from most zero day attacks. The new virus or worm or whatever simply won't run.

And even if some crazy how you do infect one of my systems it will purge the infection on log out because the entire template is refreshed. And even if some crazy how you survive that, you're not getting through my firewalls.

What I'm trying to make clear here, is that contrary to yo

Re:It doesn't matter matter who did it

[Rich0]

As to people that need to use google, what do you use google for?

If I knew the answer to that I probably wouldn't need Google. I'd just go to whatever reference I needed directly, and most likely I'd have a copy of it saved locally anyway unless it were something continually-updated.

I am a big believer in what I call "white list security"... Most people use what can be termed "black list security". they have huge lists of all the things you can't do. That's how an anti virus program works. It looks for bad code and disallows it from running...I do the opposite. I identify GOOD code and permit that to run. All code that is not good and approved is passively denied access. No exceptions.

No question that this approach is more secure when you absolutely need to have this level of security and can afford the cost. However, implementing this costs a fortune. In most industries companies that make this kind of investment in security are likely to just go out of business, since their competitors get by with far less security.

The security-conscious guys at work try to do what you say about once a decade - usually whenever there is a major windows upgrade in-progress (we tend to go with about every other version). I heard countless stories about how with Win7 we'll go with only being able to install packaged software (before that was the story about how we'd start deploying Vista a month after it went gold - you can imagine how that went). Suffice it to say that the packaged-software-only policy died long before it came to rollout time, and even that policy wasn't really a true whitelisting policy (as in with robust code-signing and all that).

When you have tens of thousands of employees it is REALLY hard to stay on top of what all of them do. Inevitably there is some group of 5 people doing something important, but due to whatever wind of politics in effect at the time they fall in some crack in the IT org structure so nobody is responsible for looking after them, and they get missed in some survey. Then somebody tries to lock things down, or tell them they can't do any IT projects due to lack of budget or whatever. The group just complains to their manager who realizes the company would have a serious problem if they weren't able to work, and the policy is simply worked around. They'd buy PCs from the office supply store down the road if that were what it took. It obviously doesn't get that far before some VP screams at somebody and the IT guys back down and give them admin access on a PC or whatever.

Don't get me wrong - I agree that it is completely possible to do things the way you propose doing them. It actually isn't 100% secure even with whitelisting since your whitelisted code could have exploits (just look at gaming console hacks - you might not be able to persistently hack it without breaking signatures but a game with a buffer overflow can still be exploited in RAM until it is patched). But, you can keep bad stuff off of disks so that the system is clean on each boot, and block future attacks with patching.

However, until we get to the point where a company simply can't stay in business without that level of security, there will be tons of pressure to not implement it. Maybe if every big company had a Sony-style attack once a month on average you'd see it happen.

Re:It doesn't matter matter who did it

[Karmashock]

Saying that employees need general access to the internet is hard for me to believe. In most cases they don't.

And really some distinction should be made between high security environments and low security environments.

So for example, I'm quite happy to set up an alternate wifi network that is largely unrestricted. Any machine that connects to that network will be airgapped from the secure systems.

if you want to facebook on that network with your own machine that is fine. You will have no access to the file servers, corporate email, or the databases from that network.

I've seen employees use their phones to access the open wifi network and check their social media bullshit. I'm fine with it. But you don't do it on the company system. Or I will cut you.

As to what level of security you need... the issue is do you care if you get breached or not? That's the question. This sort of security is not expensive. It takes discipline more than anything. But its not hard to set up and actually easier to maintain. No worms. No viruses. No malware. No idiot employees fucking the machines up. You really don't have to do anything once you've see it up actually. You can just go on vacation.

My job mostly consists of telling people "no" at this point. They say "can I install my bullshit on my workstation?"... No you can't. Any further stupid questions? And the ask me because they TRY to do it first without asking me. The systems won't let them so they come to me and say "hey can you unlock the machine"... and ask them what they want it for, and then tell them that any request for additional shit on their machines has to be approved by management.

Since what they tend to want to install is itunes or something... you can imagine that their managers etc are not especially inclined to back them up.

We provide a few literal gaming machines in the break room... with steam accounts that have quite a few titles and I'm happy to add stuff to the list so long as people are reasonable about it.

On your break you can go in there and do what ever you want on those machines. They're rarely all full and I have have an isolated wifi network that anyone in the office and use with their own laptops/phones/tablets to do whatever the hell they want.

The workstations don't even have wifi cards in them and will not permit the installation of wifi card drivers without my permission. Had a guy try to plug a portable USB wifi dongle into a workstation. He came to me and asked why it wouldn't work.

I was polite to him... but there was a part of me that wanted to tie him to a pole and give him at least 30 lashes.

As to tens of thousands of employees... wrong. You do not have tens of thousands of employees. You have user permission levels.

So lets say the accounting department needs access to the corporate database. Okay, what sorts of people work there and what kinds of access do they have? You break people down into groups. And then you give the groups access to things.

You do that and it scales quite nicely. Its very manageable.

I have workstation templets for perhaps 20 different user loadouts despite having well over a thousand users. And nearly all the user templetes are for management people that just want exceptions and have enough clout to demand it.

Nearly all users use the same template. Literally about 95 percent of all my users are using ONE template. So I don't have to worry about checking on what 10,000 employees are doing. I just need to check ONE template.

What is more, whenever they try to do ANYTHING that isn't authorized, it gets entered into a log file. Literally anything. They try to get access to a file they don't have access to.. .they try to access the internet to do something they're not supposed to do... anything and it gets put in a log file.

The scripts that run that process will sort the log by the severity of the issue. I glance at the logs every week or so. But the systems will send me a text message when

Re:It doesn't matter matter who did it

[Rich0]

As to tens of thousands of employees... wrong. You do not have tens of thousands of employees. ... You break people down into groups. And then you give the groups access to things. You do that and it scales quite nicely. Its very manageable.

Maybe that works well in whatever line of business your employer is in, but my employer really does have tens of thousands of employees, and there are pockets of maybe a dozen all over the place that do things that nobody else in the company does. I can think of one department of about 500 that doesn't have more than 10 people doing any particular job.

We take a top-down approach to major applications and data repositories, but it really breaks down when you try to apply it to every little tool or website people use to get their job done. At least, not unless you want to hire a LOT more IT folks.

Re:It doesn't matter matter who did it

[Karmashock]

It works in any application.

If you want to have people that are outside the bubble... then you just give them their own network that is outside the bubble. They can virus the fuck out of themselves and that is their own problem. They won't infect the other systems because they're segregated.

If they need access to those systems then they can either specify their needs or pound sand.

having lots of IT people is not required. You just need to be really good at saying "no" when they ask for shit they don't need. Which is pretty much always.

You say you have little pockets of people doing odd stuff. Fine... but what are they actually doing? Lets go through some test cases. I'm telling you... if you're systematic about it, then you can boil everything down to a few core applications.

I have a peer that works for a corporate bank and he does it the same way. The bank has a million departments. But they all need access to the same stuff.

He gives users access to whatever on the internet. Even facebook or porn sites. He does track everything though so when they go to those sites he can leverage the fact to get them to stop acting like assholes.

But he only allows specific programs to access specific ports. And there is no executable code permitted to run that is not approved.

So his security is lower than mine normally. But it is vastly higher than what is getting busted in these articles.

Look, if you don't lock the systems down, then you deserve the consequences. Good, hard, and from behind.

Re:It doesn't matter matter who did it

Wait wait wait wait wait....

So I'm right? I said X is how it is done.

And you respond with "Of course X is how it is done, I can't believe you didn't know that that is how it is done."

What you're not getting is that my point is that non-technical people are put in charge of computer systems. And you said I was wrong... and then I showed you a big example of it... and you said "of course"...

So I'm right.

Thanks! We're done. You bore me.

I did not agree with your example.
I did not agree with you that the head of the NSA is a non-technical person.
Michael Rogers is a technical person, it's his entire career.
Your claim is still wrong.

I do not agree with your claim that I say "of course that's how it's done". You got it backwards, and I'm telling you that you got it backwards.
That is the opposite of agreeing with your statement.
Is not that Admirals get put in charge of the NSA, it's the other way around. The head of the NSA gets promoted to Admiral (or General) if they aren't already.
Rogers career was technical first, was Admiral second.

If they made Karmashock Director of the NSA, then Karmashock would get promoted to Admiral.

You cannot assume that because a person has a military background or is high ranking that he is a non-technical person.
Here's an example.
http://en.wikipedia.org/wiki/G... [wikipedia.org]

Remember saying this?

Cite one, shortstack and I'll either admit error and thank you for the correction or correct you and expect you to thank me for that correction.

I knew you were lying when you said you would admit error.
You need to look at yourself.

Re:It doesn't matter matter who did it

[Karmashock]

I grant the point you're making. However, I would argue that someone with a bigger practical background in hacking would be better. I also don't agree that they should be pulling people from other branches to run the NSA or CIA. The intelligence branches should be run by people from the intelligence branches.

My central thesis however is not damaged by this point. We could spend years trading examples and counter examples.

Your position rests on the notion that computer systems are not subject to judgments from people that don't understand them.

My position rests on the notion that computer systems are routinely subjected to judgements from people that don't understand them.

If I made an error, was in underestimating the tenacity with which people will sometimes defend stupid arguments.

Re:It doesn't matter matter who did it

[Rich0]

Look, if you don't lock the systems down, then you deserve the consequences. Good, hard, and from behind.

What consequences would those be? 99% of big corporations have never had a high-profile hacking attack, and they don't do any of the stuff you recommend.

Of the 1% who have had high-profile hacking attacks, I doubt the results cost them all that much. Ok, all your customer credit card numbers are on the web. That costs them money. It doesn't cost you money.

Re:It doesn't matter matter who did it

[Karmashock]

Sure, lets conflate all corporations as equally needing of security.

That's a good place to start an argument if you want it to get ripped to fucking shreds.

If your company makes baby bottles than you don't need the same security as if you make ICBMs or manage accounts that total into the TRILLIONS of dollars.

We can assume that some organizations are in need of more security than others.

And as to the consequences... you're basically just using Sony's justification for having shit security. They literally said in the memos "we're not spending 10 million to avoid 1 million in damages"...

well, it doesn't cost 10 million to secure these systems and the damages have well exceeded 1 million dollars.

Your risk assumptions are flawed.

Re:It doesn't matter matter who did it

[Rich0]

Your risk assumptions are flawed.

An opinion that most big corporations do not seem to share, judging by their actions.

Recently my corporation bought out a competitor and we ended up utilizing many of their IT systems, since they had received substantially more investment. Some suggested that it was evidence that our IT strategy was wrong, but you could just as easily argue that it was spot-on since we were the ones buying them out. All that money spent on improved IT is money not spent on other things.

Re:It doesn't matter matter who did it

[Karmashock]

Indeed. Nor many branchs of the US government.

Apparently the portion of the US government that keeps track of government employees with security clearance didn't have any IT security team until 2013.

Your argument is now that "well people in charge don't agree with you so you must be wrong."

This is an appeal to authority. A common logical fallacy and the fact that you relied on it means you're something of an idiot.

My point rests on the notion that these systems can be secured cheaply at the price of limiting funcionality to actual NEED. So for example, my systems can't go on facebook. They can't connect to your private email. You can't do you your personal banking... and they're basically just not YOUR personal machines. they are the company's or the government's machines. And they do what either organization needs them to do. But nothing else. And by limiting them to only be able to do what they need to do, hacking them is almost impossible.

For example does workstation 1 need to talk to workstation 2 directly? No? Then disallow that so that workstations can only talk to the servers directly... and all communications to workstations occur indirectly with the communication being bounced through the server. Set this up at an appliance/hardware level. Most enterprise routers will let you do this.

Little things like that make infecting machines with worms a lot harder because you have to infect the server to spread a worm from workstation 1 to workstation 2. If the Server will not run any code or script that hasn't been authorized by the admin then spreading a worm is almost impossible right there. Yes, a workstation might get a worm. But it will be isolated on one machine.

And that is a very simple security measure that the user won't even notice but which makes the network a lot more secure.

I do stuff like that... and it means a lot of my users don't like me.

I'm referred to as "Dr No."... because I mostly just tell them no when they ask to do stupid shit. And of course I'm evil and want to take over the world... and I have metal robot hands.

Re:It doesn't matter matter who did it

[Rich0]

Your argument is now that "well people in charge don't agree with you so you must be wrong."

Somewhat. I do get your argument, and I don't wholeheartedly disagree.

The problem is competition. Spending on security costs money. If you do it, and your competitors don't, then they're investing in something that you're not. Unless your competitors actually suffer a serious loss as a result of their choice, then you're going to be at a disadvantage.

Hacking attacks aren't so common yet that security investment provides protection in the marketplace.

Think of it this way. You have 10 competitors. You spend more on security and you're guaranteed to not be taken out by a hacker (for the sake of argument). Your competitors don't make that investment, and they outpace you in other areas. Then along comes a big hacking attack and 3 of them go out of business. That leaves 7 competitors who are still eating your lunch because they went cheap on security. Unless you can last long enough that they're all taken down by hackers, your investment won't pay off.

That said, I do think that things will probably get worse before they get better. If things really got to the point where companies simply couldn't operate without decent security you'd see it prioritized.

For the most part I get paid to deliver software. I'd rather do it right than do it cheap. The problem is that I'm rarely given the time to do things as well as I'd like to, and the mantra is "good enough." In order for "good enough" to include robust security, there needs to be a major culture shift in boardrooms.

The other issue is Schneier's Law. A lot of IT folks can't conceive of how their software could be vulnerable. A lot of stuff gets sold with buzzwords like "encryption" with huge conceptual issues that make it useless in practice. For the most part executives just want plausible deniability. Schneier's Law rather conveniently gives them that.

Re:It doesn't matter matter who did it

[Karmashock]

1st, it isn't that expensive.

The notion that security is expensive is largely a product of hiring people that don't have the training to do it properly. The result is that you have to hire a lot of unproductive people or use a lot of consultants that basically do the job for the your IT staff.

The real cost of security is political and not economic.

An outfit with proper security has the security team in much the same position as a doctor has on a naval ship. That is, within their sphere of expertise, they cannot be overruled... even by the captain of the ship.

What this means is that in matters of security, the CIO must be able to overrule the CEO. And the various IT admins that are responsible for security, must be able to dictate how information flows through the network. If a manager wants to install angry birds on his workstation, then you have to be able to tell him no.

I had one collegue that had a pretty big IT petty cash fund. And he'd use it to amongst other things to buy ipads for senior managers that demanded they be able to conduct personal business company systems. He'd get an ipad, connect it to the isolated wifi network that didn't connect to anything but the internet. And then he'd hand them an ipad that linked to it.

Its a lot cheaper to hand someone in power an ipad than it is to compromise the entire security system so that the fucktard can do social media or personal email on company hardware.

This is not expensive. It requires political power and disapline. That is... you cannot compromise. You explain to the banker, that it makes about as much sense to comply with what he's asking as it would be to give someone an excessive loan that you know they couldn't pay back.

You have to go around and explain it to these people in terms they understand. So they get that your sphere has certain constraints and objectives and it would be as sensible for me to let Joe use his personal email on the workstation as it would be for Joe from marketing to promote the competitor's product in our own paid ad campaign.

Its dumb. You explain that it is dumb. And by preventing people from doing dumb stuff the network is actually very secure.

I can go through a lot of different very simple things that don't cost money but secure the network very tightly.

As to software people not understanding how their software can get compromised, that just means they don't have a resident hacker. In most cases you don't need more than one. It isn't expensive. You just have ONE guy that is paid to fuck with your code.

These people are best if they're not consultants because they have to work with your staff in the long term. Personal relationships are also important. People need to understand "oh, that's right, Jeff will fucking make an ass of me if I submit this code. What did he show me the other day? Oh that's right, if I code it this way it will not be bypass the encryption if he pokes the program with a stick."

It isn't expensive.

It does cost "something" but so does the legal department and the accounting department.

Why does the company spend money on a team of lawyers? Because they're afraid of lawsuits, because they need the legal team to draw up contracts, because the legal team understands how to comply with laws, etc.

A lot of stuff. And it all comes out of the bottom line. Yet companies have these legal teams because they understand that they have to have them. And companies without them get sued, fuck up contracts, and get fined by the government.

The IT security department is useful for similar reasons. Only they're a lot cheaper and benefit the quality of your product a lot more.

A product that cannot be hacked if used properly is very valuable. You will trust it in more extreme situations. Life and death. And if your product is competitive in the life and death market then you can charge a lot more.

Think of medical tech. Is it doing anything more than most consumer grade tech of a similar nature? Not rea

Re:It doesn't matter matter who did it

[Karmashock]

The NSA doesn't permit you do that. Why do you think that is?

In fact, they don't let you bring a phone into some areas PERIOD. Not any kind of electronics what so ever.

Why? Because they know something you don't. That's why.

And they should be priming the rest of security apparatus to grasp the ACTUAL vulnerability of these systems especially when attacked not by shithead 12 year old scriptkiddies but actual state sponsored hacker corpse.

The entire conceit of a SCIF is that the information inside is protected. But is it actually? Or is it just security theater for the fucktwits?

Re:It doesn't matter matter who did it

[Rich0]

The notion that security is expensive is largely a product of hiring people that don't have the training to do it properly.

People who can do it properly are more expensive to hire than people who cannot. There aren't really that many of them compared to the number of people who really need to understand security to make this sort of thing work.

What this means is that in matters of security, the CIO must be able to overrule the CEO.

You're basically just giving the CEO the job title of CIO - it doesn't really change anything.

Personal relationships are also important. People need to understand "oh, that's right, Jeff will fucking make an ass of me if I submit this code. What did he show me the other day? Oh that's right, if I code it this way it will not be bypass the encryption if he pokes the program with a stick."

Ah, so employees will be afraid to screw up. I've seen that kind of culture in action. You're right that rules don't get broken. Granted, little that is productive gets done either. Companies don't just want employees who are afraid of getting in trouble. They want to outperform the competition.

Here you might say "but some companies don't need that much security"... doesn't really matter. The security itself is cheap. You just limit the operation of the system to what you need to do and then encourage employees to BYOD for personal shit. The BYOD stuff will not connect to company machines. It isn't expensive.

So, first of all I know plenty of people in the kinds of industries you've mentioned (healthcare, medical devices, aircraft, banks, etc) and for the most part they don't block the kind of activity on their networks that you advocate blocking. For the most part the data integrity of the products they make doesn't depend on whether or not you can access google from a company PC.

Second, unless you move to a pure whitelisting strategy attempts to enumerate badness are bound to fail. You can't just block every webmail provider on the planet. If you do want to whitelist then you run into the problem where there are new websites that people need to access all the time, and dealing with that is expensive (both in terms of admin overhead and lost productivity while people wait). And if you make the system super-onerous then people will just work around it (using personal addresses/etc to conduct business and the like). Also, most big companies are sending so much data to so many third parties your efforts aren't worth much unless you get them to secure all their networks in the same way. I've seen plenty of consultants who use gmail.

Re:It doesn't matter matter who did it

[Karmashock]

No they're not because you don't have to hire as many of them.

This is something you learn very quickly in development or any kind of skill. Pros cost more per hour but they're a LOT faster. First they don't fuck around trying to figure out how shit works. They already know. Second, they know a lot of tricks and short cuts to speed up production. Third... ever seen a master painter work? He doesn't make mistakes. The paint goes where he wants it to go and no where else. It looks exactly the way he wants it to look. The first time. Every time.

Someone that knows what they're doing with security is the same way. There's no fucking around. There's no need for a huge IT staff so all the fucking chimps and try to randomly type in a Shakespearean sonnet. He doesn't need any of that. He just does what has to happen the first time. He's fast. He's efficient. And he's effective.

Masters have cons. They expect respect. You start mouthing off to a master in his field about his field and he's going to cut your legs off.

But if you want it done right, you hire one of those guys and be glad to have them. To economize you put some lower skilled techs under him to be his assistants and they learn his trade over time.

It is a tried and true system for vocational skill transfer.

rotfl

[phantomfive]

And of course, each political party was quick to blame each other.
Democrats immediately blamed Republicans saying they wouldn't spend enough:

"The latest intrusion points to the need for Congress to pass a cybersecurity bill, White House Press Secretary Josh Earnest said....Congress has yet to act on the personnel agency’s Feb. 2 request for a $32 million budget increase"

And of course, Republicans blamed the lack of leadership:

“Where is the leadership? The federal government has just been hit by one of the largest thefts of sensitive data in history, and this White House is trying blame anyone but itself. It’s absolutely disgusting.”

Re:rotfl

[Fire_Wraith]

While you can't just blindly throw money at a problem, it is part of the issue. Seriously, would you want to work for the Federal Government in cybersecurity? About the only advantage it has is that you can't be replaced by an H-1B, and perhaps the fact that there's a pension (that a certain party would love to take away from you). If you try to get by with not paying for the best security personnel, you shouldn't be surprised when you don't get the best security personnel. The pay is comparatively low, the working conditions and locations generally suck, and let's not even start on how intrusive it gets with your personal life. You get to be a political punching bag and the butt of everyone's jokes, too. But hey, I guess it's job security.

I used to know some guys who worked for US-CERT, or similar parts of the government, who were pretty smart and technically savvy. Pretty much every one of them left, and went somewhere better in the corporate world for more money, better opportunities, and such. And that's exactly what I'd expect to keep happening.

Re:rotfl

[phantomfive]

While you can't just blindly throw money at a problem, it is part of the issue.

You are right, but increasing the budget by $32million in 2016 was not relevant to this break in.
Politicians are merely looking for excuses to blame each other, they aren't presenting actual solutions.

Re:rotfl

[Opportunist]

A criminal record, against what the average idiot out there thinks, is not a recommendation letter.

It means you were stupid enough to get caught.

Re:Surprise, Surprise!

[smittyoneeach]

It would be tantamount to a declaration of war, if my amateur grasp of international law isn't too far out in the Spratleys.

Technical details of intrusion

[nickweller]

Are there any links to actual technical details regarding the hack.

Re:Technical details of intrusion

[ColdWetDog]

Are there any links to actual technical details regarding the hack.

Umm. Citizen. That's not a particularly fruitful line of inquiry, if you catch my drift.

Re:The only way to stop this

[smittyoneeach]

You'd have to be prepared for the fertilizer to hit the air circulator before a stunt like that.
I'm not surmising that #OccupyResoluteDesk has either the sack to order such an attack, or the sack content to deal with the fallout.
If a crisis involves doing more than showing up and delivering a speech in his Barry-tone(TM) voice, BHO just hasn't proven himself up to the task.

Perimeter security

[ScrewMaster]

So, they're only now acknowledging that perimeter security alone cannot prevent security failures?

And these are security experts?

Re:Surprise, Surprise!

[fustakrakich]

It would be tantamount to a declaration of war...

*Sooo, you refuse to shake my hand, eh?*

Re:The only way to stop this

[fustakrakich]

BHO just hasn't proven himself up to the task.

What, he isn't as good as the other guy at making up lies to get us into war?

Surveillance

[Livius]

Oh! If only the government had destroyed even more freedom and tightened the surveillance state! When will we ever learn?

Re: China denies denying the denial

[mSparks43]

wasn't the nsa installing hardware back doors in all the Cisco kit.

don't see how they can then go onto to complain someone actually worked out how to use them.

Re:The only way to stop this

[ShanghaiBill]

Is for the US to punch back twice as hard.

Another way to stop it would be for the US govt to properly secure their servers.

OK, totally.

[tlambert]

Seriously? They absolutely would not hire me because I have practical experience which blacklists me from being hired by them.

OK, totally.

They have second stringers, at best.

Re:OK, totally.

[Fire_Wraith]

Some good people pass through there. Note that I said pass through, because the best and brightest tend to not stay around - once they find something better, they move on. The few good ones that do stay are the rare exception.

Part of the problem, too, is that in an organization that largely promotes from within, if you aren't retaining the best members of your staff, you wind up with another problem in people tend to get promoted based on longevity rather than being particularly good at the job or suited for the promotion. And then when those people are the ones making the hiring decisions, well...

Re:Surprise, Surprise!

[Spy+Handler]

Their denial by itself doesn't mean much, since as you say they would deny it if they were responsible or not. However in this case it's quite possible they had nothing to do with it. Cyber criminals living in China != government of PRC

What would the Chinese gov't possibly want with the data stolen from Office of Personnel Management? Use the employee names and social security numbers to make stolen credit card purchases? Commit identity theft and take the employees' tax refund checks?

The type of data stolen here doesn't mesh with the stuff Chinese gov't usually steals: high tech industry data to help their domestic industry, military secrets like plans to the F-22, etc. It seems unlikely they would use up a zero-day exploit to break into a employee database and steal social security numbers.

Re:what does this have to do with weather

[Opportunist]

It's an honest mistake. He comes from a country where the news are basically the government's mouthpiece.

Re:The only way to stop this

[fustakrakich]

"passive-agressive rodeo clown"

Still reciting the Official Narrative, I see.

Re:Surprise, Surprise!

[penix1]

I tend to agree with your evaluation but want to add...

Why on Earth doesn't the government simply drop all packets coming form or going to their infamous lists? What is the reason to allow an IP originating from China to access OPM? Don't get me wrong. From what I read earlier this thing was malware installed in December and not found until April. Still, any packets coming or going to a Chinese IP address should be dropped at the router. Black hole them in other words.

China did it, end of story.

[sethstorm]

The requisite denial by China says it all.

Nope, but actual evidence exists for PRC & Nor

[sethstorm]

Scratch Huawei anything and you'll see Nortel & PRC military markings under it.

Re:Surprise, Surprise!

[KGIII]

Whhheeellllpp..... I believe China now. As for why? Who the hell knows, this is CHINA. It does not have to make sense.

Cut the Crap

[rtb61]

"the Pentagon decides it's time to deploy an "offensive" cyberattack later on down the road." lets drop that bull right off the bat. The correct statement should read ' When the Pentagon again gets caught deploying "offensive" cyberattacks". They have already been exposed all over the place. The law is categorically clear, hacking into networks, espionage, is an attack and the US has been exposed attacking every one, every single person on the planet on every single network on the planet. From US politicians investigating them, to some geek hunting for aliens, to some kid copying software, to political leaders emails to corporations trade secrets, well, to every single possible digital communications.

There is just no way the US government can deny all attacks are payback for what they have done and continue to do. Other countries have just remained silent about catching the US and just quietly feeding them lots and lots of false data.

The new game will be interesting. Foreign governments who understand the corrupt nature of the US government know the most effective counter attack will simply be to expose the corruption of the US government and it's corporations to the US and global public and, to throw those hugely destructive elements into chaotic turmoil. Not only for what those corrupt elements do on the job but for the even worse stuff they do off the job (corrupt at work also means being corruptly sick at play, it is just in their nature).

Re:The only way to stop this

[doug141]

Is for the US to punch back twice as hard.

Then they punch back 4 times worse?

It's a false flag op

Are you sure it doesn't matter who did it?

The Obama Administration came out and blamed China, even before they had all the facts

The whole episode smells of another false flag

This looks more like an inside job orchestrated to place blame on China (apparently China has become Hussein Obama's favorite bogeyman) to allow Obama to declare an all out war on China (they even use the word adversary to characterize China)

It won't be long before America's full attack on China begin. I guess it will happen before Obama is supposed to leave the White House, and that "full scale war against an adversary" might allow Hussein Obama to continue to be the POTUS as long as the war goes on

Re:It's a false flag op

[Karmashock]

Guy claiming to be from the DHS said that rumor in the department was that malware had been accidentally installed by some dipshit user on a workstation.

That means it isn't chinese hackers or false flags so much as government incompetence being covered up with finger pointing.

aka usual administrative ass covering.

Never label something as malice what can more easily be attributed to incompetence.

Stop using Facebook

[koan]

http://www.zerohedge.com/news/...
     

Defense Secretary Ashton Carter spoke to technology leaders in Palo Alto, California, in April, tossing around ideas for recruiting engineers for temporary missions in government and meeting with Facebook's Mark Zuckerberg.

Why is the defense sec talking to Zuckerberg? How long until you have to have a FB account to log onto the "Internet".

of corse not!

[postmortem]

Gov't lost its own records, so they hired hackers to help them find 'em.

Re:The only way to stop this

[fustakrakich]

No, the "Official Narrative" (scripted drivel) of your tribe.

Re: Dear America

Disregard that. I suck dicks.

False flag works, as planned

[Taco+Cowboy]

That bogeyman approach works, and it works splendidly!

You only have to read the comments in this thread to see how many of the fools are already completely decked up awaiting for the chance of the full scale war against China

Re:The only way to stop this

[smittyoneeach]

Still trying to peddle your "Tribe's" narrative, then?

Re:The only way to stop this

[fustakrakich]

It's not mine... It's not a 'narrative'... It's just plain fact... a normal force of nature.

Re:The only way to stop this

[Rich0]

Is for the US to punch back twice as hard. I would suggest having the NSA pillage their military system and then do a data dump at nsa.gov/china/fuckyou.torrent

The US has a lot more to lose playing this sort of game. Just tell the Chinese to get their act together and firewall their network at the border until they do.

Re: Nope, but actual evidence exists for PRC &

[mSparks43]

was definately the nsa

http://www.theguardian.com/boo...

it's why the rest of the world stopped buying electronic goods from the us almost overnight.

Re: what does this have to do with weather

[Opportunist]

Well, both, government and media, lie. One of the key features of a democracy has always been that they tell different lies.

If they're basically the same, you might wonder whether you live in a democracy.

Re:what does this have to do with weather

[gl4ss]

well it's legal for americans to hack china so why not the other way? hypocrites much?

Re:The only way to stop this

[smittyoneeach]

Hey, man: check your tribal hypocrisy privilege for microaggressive tendencies.