SF86 Data Captured In OPM Hack
Etherwalk writes: The security clearance process in the United States includes filling out the 127-page SF86 form, which includes things like the citizenships of all your relatives and housemates, foreign contacts and financial interests, foreign travel, psychological and emotional health, illegal drug use, and many other matters. The recent breach by the Chinese Government apparently included that information for all executive employees up to cabinet level. It's pretty much a gold mine for intelligence work and social engineering of any kind.
So, what exactly do they mean by "breach"? Someone got into some systems? Once there, did they take copies of data? That's a lot of data. Why didn't anyone see the mass exodus of gigabytes? The weasel-worded breathless media reports are just dripping with a lack of specificity and reek of "omg phear the evil hackerz!" - they feel more designed to generate fear than inform. I view the whole thing with a jaundiced, skeptical eye.
Sacred cows make the best burgers.
it's Out There. All of it.
The SF86 data is essentially designed to track and identify every aspect of federal employees' lives and backgrounds which would make them a target of extortion or blackmail by foreign intelligence.
Instead of keeping those records in distributed and isolated/compartmentalized silos (where the scope of any individual security failure would be non-catastrophic) where the cost-to-benefit ratio of data exfiltration was much less attractive: they consolidated all of this data in one place where a single chink in the armor would allow an adversary to acquire the sum total knowledge in existence of their entire classified documents workforce...
TLDR: Morons put the 2nd largest and most expensive collection of blackmail material in the history of mankind (The Vatican "Archives" being the obvious #1) in a single place behind a padlock ("hacker proof security" seems about as elusive to find in the wild as Bigfoot) and then act shocked when they essentially gift-wrapped a knife to cut through the fog of war for APT.
The ironic implication of this now is that the best defense against security threats is to disqualify anyone who had a security clearance previously from owning one and either:
A) Clean slate. Go back to the old way of doing things (until this happens again) and get a fresh batch of leverage, err... I mean "federal employees".
or
B) Abolish the idiotic system entirely. The spying incidents which the system was designed in reaction to were conspicuously absent of any spies who would have failed the background check process.
Get rid of ITAR/USML while you're at it!
Hell, why not just say "fuck it"?
Take the MAD approach and open source everything. When Predator drones are being 3D printed in people's basements the tree of liberty should get watered way more often.
Maybe without the illusion of secrecy, the nonsense secret squirrel playground games which caused WWII and WWIII will finally stop. While China is embroiled in a domestic insurgency/civil war America can laugh all the way to the bank.
"U.S. officials privately said China was behind it."
Which officials, and why won't they speak on-record? Because they know that, stupidly, they've said that cyber-attacks could be seen as an act of war. And none of them are stupid enough to directly declare war on China on the basis of fuck-all evidence beyond "we got hacked, looked like the last hop had a whois somewhere in China".
This isn't enough to put in the papers, this isn't enough to act upon, but fuck if the US won't let *that* stand in their way.
You have NO WAY of knowing whether China are doing this, officially or not. When you do, you can make news stories and bring it up in international committees. Until then, it's some Chinese kid who's found a good source of credit card data to buy some Steam games for all the fuck you know.
Dickheads like these "officials" are either a) trying to put so much implication into people's heads that people just assume you ARE at war with China or b) have fuck-all to go on and speak carelessly and dangerously.
I'm not American, nor Chinese. But, fuck, this is a slippery slope if every time some hacker in Beijing touches your systems you're going to cry wolf and accuse China of officially stealing sensitive data.
What's the matter? Been too long since you had a decent enemy who could shoot back?
With security like this, who needs Snowden?
The NSA has been hacking pretty much everybody in the world and their little sister, so nobody should be shocked when the same thing happens to us.
The real kicker is the perennial lecture from clueless politicians about how we should put back doors into all our private sector encryption so law enforcement can take a peek whenever it likes. Because our information will be safe with the government. *snort*
Doubtful. The OPM has been negligent in this area for decades. And they are not the only agency.
A bottom-to-top review and security renovation is critically needed, and should cost closer to $100Bn than not if it's done right. Everything, from .mil and DOD to mainline agencies and even .gov customer service sites, everything.
And not a review. A complete reimagining and reinstallation.
Not going to happen in this Administration, as they fear any analysis.
The fiasco of our former Secretary of State running a private server at their own residence for official email is an example of the utter and total lack of actual information security in our government, a situation that is (or should be) intolerable.
But, politics.
deleting the extra space after periods so i can stay relevant, yeah.
The only times we've ever heard of the US actually doing anything were with Stux and its variants, and that was always after they had done their damage. There really wasn't much of anything else, so there's no real way to know who's better because of the clandestine nature of these operations anyway.
At the very least, we know the Chinese are prolific, but we have no idea if the Chinese are better, the Russians, the United States, the Israelis... heck, maybe the Brits upstaged everyone. It's impossible to know.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
... you're placing this at the feet of Republicans and Democrats when you don't know bullshit from wild honey.
OPM is not a fucking Super PAC.
It's the government. It's federal employees, managers, administrators, people who, by and large, are not subjected to turnover.
You're not going to solve this with the goddam vote.
Go home.
It little behooves the best of us to comment on the rest of us.
No, it's sulfur hexaoctacontafluoride.
He's probably referring to the amount of bandwidth used to move the data. Honestly someone should have been watching for mass uploads or downloads.
The breach occurred in December, was detected IIRC in April. Plenty of time to move data slowly and prioritize what you take, making you less likely to show a bandwidth spike.
"U.S. officials privately said China was behind it."
Which officials, and why won't they speak on-record?
An on-the-record statement is a much bigger diplomatic statement. We don't usually speak on-the-record about the hostile or criminal acts of a foreign power unless we have a very good diplomatic reason to. We know that Putin backs Kadyrov, a thuggish head of state who personally tortures people on exercise equipment and disappears reporters critical of his regime, but it would be unusual to have the White House announce that Putin was doing that. It would also require us to be prepared for the inevitable PR backlash based on US torture at Guantanamo Bay, for example. If we make a public announcement, China is more likely to engage in more severe public criticism of us.
International relations turn out to be more complex than "let's call the other guys on their shit."
SF86 data is extraordinarily sensitive. What they mean is that the attackers made off with a database of the financial problems, drug habits, family problems, hidden crimes, and sex fetishes of anybody that's working on anything sensitive.
Shouldn't that kind of stuff be only on paper, locked inside some kind of... you know... financial problems drug habits family problems hidden crimes and sex fetishes room?
Tabloid fascination with personal problems or consensual crimes, 'sin' for short --- this whole ability to ruin someone by leaking factual information --- is a known vulnerability of the human condition. One no one wants to fix (it involves losing the moral high ground) or even admit that it is a problem. This means past indiscretions can, through blackmail, be used by murderers to conceal their crimes, or even drive a blackmailed sociopath on by degrees, to commit murder. In the best of cases it hands the rudder to the most oafish bullies, for the dumbest of reasons. And some brilliant and capable, even trustworthy people find themselves in shit.
Looks like the USG has handed over it all. Beware, my friend, shit winds are a-comin'
I recommend Peter McWilliams' book AIN'T NOBODY'S BUSINESS IF YOU DO: The Absurdity of Consensual Crimes in a Free Country, placed on the web with the deceased author's permission, to help sort out (culturally) what should be an actionable --- or blackmail-worthy --- crime. Also check out this (failed) submission on the DEA and my suggestion to implement duress codes (like a blackmail canary) into society.
<blink>down the rabbit hole</blink>
Actually we DO know that China was able to hack the US government networks multiple times and retrieve top secret information, including the F-35 blueprints (www.rt.com/news/223947-snowden-pentagon-china-hack). We have no proof that the opposite happened.
You'd have said the same thing about the US/UK cracking Enigma during WW2.
The Chinese might very well be better at this stuff than the US. However, we really have no way of knowing. These sorts of things tend to be covert in nature, and sometimes it is in your interests to brag, and at other times it is in your interests to play your cards close to your chest.
China flexes their hacking skills while security researchers in the USofA worry they'll be jailed as terrorists by their own government?
Yup, I see no problem here.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit