SF86 Data Captured In OPM Hack
Etherwalk writes: The security clearance process in the United States includes filling out the 127-page SF86 form, which includes things like the citizenships of all your relatives and housemates, foreign contacts and financial interests, foreign travel, psychological and emotional health, illegal drug use, and many other matters. The recent breach by the Chinese Government apparently included that information for all executive employees up to cabinet level. It's pretty much a gold mine for intelligence work and social engineering of any kind.
So, what exactly do they mean by "breach"? Someone got into some systems? Once there, did they take copies of data? That's a lot of data. Why didn't anyone see the mass exodus of gigabytes? The weasel-worded breathless media reports are just dripping with a lack of specificity and reek of "omg phear the evil hackerz!" - they feel more designed to generate fear than inform. I view the whole thing with a jaundiced, skeptical eye.
Sacred cows make the best burgers.
The SF86 data is essentially designed to track and identify every aspect of federal employees' lives and backgrounds which would make them a target of extortion or blackmail by foreign intelligence.
Instead of keeping those records in distributed and isolated/compartmentalized silos (where the scope of any individual security failure would be non-catastrophic) where the cost-to-benefit ratio of data exfiltration was much less attractive, they consolidated all of this data in one place where a single chink in the armor would allow an adversary to acquire the sum total knowledge in existence of their entire classified documents workforce...
TLDR: Morons put the 2nd largest and most expensive collection of blackmail material in the history of mankind (The Vatican "Archives" being the obvious #1) in a single place behind a padlock ("hacker proof security" seems about as elusive to find in the wild as Bigfoot) and then act shocked when they essentially gift wrapped a knife to cut through the fog of war for APT.
The ironic implication of this now is that the best defense against security threats is to disqualify anyone who had a security clearance previously from owning one and either:
A) Clean slate. Go back to the old way of doing things (until this happens again) and get a fresh batch of leverage, err... I mean "federal employees".
or
B) Abolish the idiotic system entirely. The spying incidents which the system was designed in reaction to were conspicuously absent of any spies who would have failed the background check process.
Get rid of ITAR/USML while you're at it!
Hell, why not just say "fuck it"?
Take the MAD approach and open source everything. When Predator drones are being 3D printed in people's basements the tree of liberty should get watered way more often.
Maybe without the illusion of secrecy, the nonsense secret squirrel playground games which caused WWII and WWIII will finally stop. While China is embroiled in a domestic insurgency/civil war America can laugh all the way to the bank.
The NSA has been hacking pretty much everybody in the world and their little sister, so nobody should be shocked when the same thing happens to us.
The real kicker is the perennial lecture from clueless politicians about how we should put back doors into all our private sector encryption so law enforcement can take a peek whenever it likes. Because our information will be safe with the government. *snort*
Doubtful. The OPM has been negligent in this area for decades. And they are not the only agency.
A bottom-to-top review and security renovation is critically needed, and should cost closer to $100Bn than not if it's done right. Everything, from .mil and DOD to mainline agencies and even .gov customer service sites, everything.
And not a review. A complete reimagining and reinstallation.
Not going to happen in this Administration, as they fear any analysis.
The fiasco of our former Secretary of State running a private server at their own residence for official email is an example of the utter and total lack of actual information security in our government, a situation that is (or should be) intolerable.
But, politics.
deleting the extra space after periods so i can stay relevant, yeah.
The only times we've ever heard of the US actually doing anything were with Stux and its variants, and that was always after they had done their damage. There really wasn't much of anything else, so there's no real way to know who's better because of the clandestine nature of these operations anyway.
At the very least, we know the Chinese are prolific, but we have no idea if the Chinese are better, the Russians, the United States, the Israelis... heck, maybe the Brits upstaged everyone. It's impossible to know.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
No, it's sulfur hexaoctacontafluoride.
He's probably referring to the amount of bandwidth used to move the data. Honestly someone should have been watching for mass uploads or downloads.
The breach occurred in December, was detected IIRC in April. Plenty of time to move data slowly and prioritize what you take, making you less likely to show a bandwidth spike.
SF86 data is extraordinarily sensitive. What they mean is that the attackers made off with a database of the financial problems, drug habits, family problems, hidden crimes, and sex fetishes of anybody that's working on anything sensitive.
Shouldn't that kind of stuff be only on paper, locked inside some kind of... you know... financial problems drug habits family problems hidden crimes and sex fetishes room?
Tabloid fascination with personal problems or consensual crimes, 'sin' for short --- this whole ability to ruin someone by leaking factual information --- is a known vulnerability of the human condition. One no one wants to fix (it involves losing the moral high ground) or even admit that it is a problem. This means past indiscretions can, through blackmail, be used by murderers to conceal their crimes, or even drive a blackmailed sociopath on by degrees, to commit murder. In the best of cases it hands the rudder to the most oafish bullies, for the dumbest of reasons. And some brilliant and capable, even trustworthy people find themselves in shit.
Looks like the USG has handed over it all. Beware, my friend, shit winds are a-comin'.
I recommend Peter McWilliams' book AIN'T NOBODY'S BUSINESS IF YOU DO: The Absurdity of Consensual Crimes in a Free Country, placed on the web with the deceased author's permission, to help sort out (culturally) what should be an actionable --- or blackmail-worthy --- crime. Also check out this (failed) submission on the DEA and my suggestion to implement duress codes (like a blackmail canary) into society.
<blink>down the rabbit hole</blink>
China flexes their hacking skills while security researchers in the USofA worry they'll be jailed as terrorists by their own government?
Yup, I see no problem here.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit