Slashdot Mirror
US Lawmakers Demand Federal Encryption Requirements After OPM Hack
Patrick O'Neill writes: After suffering one of the biggest hacks in federal history at the Office of Personnel Management, the U.S. government is sprinting to require a wide range of cybersecurity improvements across agencies in order to better secure troves of sensitive government data against constant cyberattacks. The top priorities are basic but key: Encryption of sensitive data and two-factor authentication required for privileged users. Despite eight years of internal warnings, these measures were not implemented at OPM when hackers breached their systems beginning last year.
The calls for added security measures comes as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.
The calls for added security measures comes as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.
Back doors are line anal sex. Once you've lubed up, anyone can enter.
The world's burning. Moped Jesus spotted on I50. Details at 11.
As the revelations about the failure of the IRS to fulfil the requirements of email archiving law showed, the executive branch doesn't do things just because it's told to. Let's hope this one's got teeth; a breach of a system that has not been secured according to the regulations will result in the loss of pension of all those in the chain of command above the person responsible? Sadly, hanging, drawing and quartering isn't allowed any more...
Since they have been telling us how encryption makes the government weaker (in the hands of americans) yet NOW they want to keep it all to themselves????
yeah.... too bad
have you seen my sig? there are many others like it but none that are the same
That, after statements like "The government shouldn't be hampered by encrypted communications"?
Everyone, get the popcorn ready. The government will end up contradicting itself in so many ways. This will be amazing.
and then everyweekend get a group of people together to break and leak all the encryption. field day for tinfoil hat people and maybe the government will learn their lesson after getting hacked all day everyday.
For crying out loud, the first step in creating any kind of a secure software environment is to use OpenBSD.
OpenBSD takes security more seriously than pretty much every other OS out there. Security isn't an afterthought with OpenBSD; security is the primary focus of its developers. Its code is thoroughly reviewed, with the OpenBSD developers even forking and fixing external libraries when external code doesn't pass muster.
If you claim to take security seriously, then I think your only choice is to be using OpenBSD.
I mean, if it's good for us plebes and all ...
Lacking <sarcasm> tags,
Please stop making me load every page twice on mobile... I don't see your freaking ads anyway.
cuz rulez f1xx0rz all sh1t
Back doors, side doors, front doors, and they'll leave the Windows open!
You know, they could just collect and hoard less data...
(Or as the Russians apparently have done, revert more sensitive systems back to paper and typewriters.)
Encryption can certainly help, preventing storage of data in plaintext, but it's not a silver bullet. The information must, at some point, be decrypted either to perform a computation, display to users or more generally to be processed automatically by electronic data systems. However, the really thorny problem with large encryption roll outs is key management. Centrally managing large numbers of secret keys and distributing them to the right people securely without breaches is a much harder problem than it might seem at first glance. In fact, most cases of "broken" encryption known to the public are the result of pilfering the keys, not breaking the crypto algorithms. With many strong ciphers now freely available, attacks against key management, not the encryption algorithms themselves, are probably of greatest interest to intelligence agencies, including our own NSA. Encryption helps, but we have to prevent attackers from getting in and exfiltrating data in the first place, encrypted or not.
who have no idea how technology works
OpenBSD, as the development model fanatic known everyda7...RedefIne posts. Therefore
The whole second paragraph about "calls for added security measures" is unnecessary FUD. The link goes to an article written at the end of April and could be interpreted as countering the good idea for enhanced security in the first paragraph -- a "backdoor" to the government's own data would be the two-factor authentication called for.
Pat, we all agree that forcing gov't backdoors in *all* encryption is a bad, bad thing. Not every submission needs to mention it and you sometimes just weaken your argument by poor writing.
Mr O'Neill wants to point out the apparent hypocrisy of the need for government encryption against the world and backdoors to encryption for its citizens.
He implies that you can't have one if you don't have it for the other.
Someone in Congress should point out that the intelligence agencies have a duty of care to its citizens to protect them and that means profiling them with backdoors legally obtained under current provisions of the constitution. The protection of the government agencies against intrusion by foreign powers should be hardened as much as possible.
So this is an opinion piece. The question here is do the citizens trust their own policing?
If they do, then the backdoor policy should go ahead because you have nothing to hide, do you?
If they don't, then push for the same level of privacy that the government demands for itself, allowing for terrorists to operate freely.
Cows are already out the barn door at OPM. Priority ought to be securing other .gov sites right away. What a fucked up mess!
Before this is over, you'll be lucky to keep secret what's in your head.
(Programmers don't have much of a lobby like the NRA)
It is no secret that the governments of the world are incompetent, run by C grade leaders and functionaries.
Folks who get a thrill weaponizing local police. And telling nerds not if, but when they will outlaw encryption algorithms.
Because THEY are the only ones that can be trusted (when they're not checking the license plate scanners to see where their girlfriend was last night).
The only thing they know how to do is print money. And blame others:
'Look over there that OTHER person/country/organization/theory/weapon/ is the problem.'
'It is not the D's or the R's who are the cause of your descending standard of living.'
'We are not responsible for next generation being unable to think critically.'
Programmers are their natural enemy because we can intercept their secrets.
Unmask their affairs.
Question their asinine assumptions statistically.
Create trustworthy non-inflatable money supply that is borderless and the worst sin: taxless.
We can't be trusted with even 8MB of real memory on a CNC (talk with Fanuc if you're interested)
and in the near future we must be licensed and accounted for at all times. Maybe jailed pre-emptively.
They'll do their best to mess up programming profession (One of U.S.'s fairly successful industries) in the name of defense despite an appalling record of missing most world events. You saw them mess with healthcare and same will happen to programming if you are complacent!
You make an excellent point. A corollary is a bit of a counter-point. Sometimes you DON'T need to decrypt it, and in those cases you shouldn't be able to.
The most obvious example is passwords. You store those as salted hashes which can't be decrypted. You don't need to know what their password is, you only need to know if it's the same as what they entered or not . We can apply the same principle to data we use for fraud prevention. We want to know if this transaction attempt is coming from the same device / os / ip / location that the legitimate user normally uses. We don't have to store their previous data, only a hash so we can see if the new attempt matches or not.
The OPM didn't need to store details of the applicants' past indiscretions. They could have simply encoded it as a risk score, 1-5. That's like a hash of the narrative, in a aay, irreversible but still useful. Then people couldn't be blackmailed or outed with the information.
what more is there to say? They will still fuck it up.
If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.
Not true. The agency can cut spending elsewhere to implement the requirement. Which is what Congress wants the IRS to do, while the IRS want to use the excuse of no new funding to maintain things as they are. It all just theatre.
If you air-gap that system you have to hire someone to either run OCR scans or enter all that data by hand into the database.
Or someone does a malware scan of electronic media and if all clear they walk the media past the air gap.
Let's say your character witness is Joe Schmuckatelly who lives in California and you live in Nebraska. It's easier and less expensive for the regional office in Nebraska to put the file on the network and request the regional office in California to interview Joe.
Why is the entire file necessary for the interview? A relevant excerpt, only what the applicant claims with respect to Joe, can be walked back across that air gap and sent to the regional office. The interview results then get walked past the air gap and merged/appended to the file. Naturally what really gets walked across is a large number of excerpts and data to merge/append.
In short air gaps allow for electronic data input and output, just in a very controlled and monitored manner.
And the horse seems to be happily running free somewhere thousands of miles beyond the barn door.
If this works like many IT security efforts, we'll spend millions replacing the barn door with a bank vault door. And then leave the window next to it open
The trouble is, those same Republicans have derailed national cyber security regulations since Obama has been in office. It's all been channeled through the US Chamber of Commerce.
So that was pretty much the end of it. The Obama administration declared some executive orders, but that clearly did not have much impact. Up until this latest incident the Party of Ignorance (R) got what they wanted: keep you hands off my bidness.
So no one should be very surprised that this happened. There is no bright line between big government and big business when it comes to matters like cybersecurity. Particularly with the amount of outsourcing going on. Don't forget that the OPM breach was not simply in a government network, but at security contractor USIS.
The DHS/OPM/whatever are doing everything they can to cover up what really happened, so the trail to the contractors has been rather effectively hidden. They primarily want to keep evidence of their vast incompetency out of the public eye. That is taking precedence over remedial action to address the breach. This is why they are leaving the roughly 4 million government employees at risk just hanging in the breeze. If they were to do the responsible thing and help the victims it would reveal how extensively they failed.
Remember, horribly incompetent government security contractors are the new normal: Blackwater in Iraq, the TSA meatheads who infest airports, and now this. No one should be surprised. And they should be even less surprised when no one is held accountable and nothing changes.
Why is Snark Required?
I mean this can't happen in real life.
mfwright@batnet.com
But let's makensure to include an uncrackable backdoor that only the government can use!
Right, because another requirement/standard will solve this problem. It will get tossed on the pile of requirements for every new contract. It will be implemented to the letter, just like current security requirements. And it will help a bit but things still won't be "secure."
Security is fundamentally picking the level of risk you're willing to accept. The answer is uniformly "none," but strangely enough you still that network hooked up, so you end up with a 4,000 page requirements that effectively amounts to "Well, you need to make sure that _everything_ is 100% locked down and goes through 6 month review and and..."
Security works well when there's no hacks, no rushes and above all no one in the organization who says "I'm important, so these rules represent a threat to my status/are stupid/but this is _important_..." You don't think there's anyone like that in the government, do you?
Ack!
It should be clear by now that systems cannot be made perfectly hack proof. The people who make security can break security. And some people have to be trusted. People cannot be trusted.
E Proelio Veritas.
This would not be the first time events were put into motion damaging one's own side to gain political advantage. I believe this was done intentionally to allow for tighter crypto controls. Remember who you are dealing with. Sacrificing a few identity theft cases or even peoples' lives in nothing to those orchestrating stuff like this. It's all about control. The world is nutty.
Not to go down the systemd road for no reason, but I've often wondered since one large Linux company basically controls the direction of Linux development outside the kernel. and even some kernel stuff, systemd is an attempt to weaken Linux. I respect people like Theo de Raadt because he doesn't give a toss about pleasing anyone. He's a hardliner and for good reason. Not allowing binary blobs in the kernel is smart. We're doomed unless we stand up or start developing alternatives much like LibreSSL/OpenBSD.
Except for your SSN in the lower right corner (which is a crude "yes I filled out the form and didn't forget this page" token, much like initialing each page of a contract)
Really. They have half a dozen pages for foreign travel. If you've not traveled out of the US in the last 7 years, then those pages will be blank. Ditto for jobs and residences. I suspect a LOT of people filling out the SF86 have lived in the same place and worked in the same place (or maybe 2 instances).
The 127 page thing is an acrobat fillable document and is clearly a "physical instance" of some sort of online form (e.g. the eQIP form).
For all I know the backend database has "room" for X pages of form data and if you go past that, you "see attached sheets".
To Better Secure.
Translation: ICT Director and CIO and CFO have signed off on INSECURE, sloppy practices for 8 years. Fire them all. They have compromised a lot. Lets see if they attached disclaimers to the final report. Repeat and rinse for other depts.
So if the U.S. government had a backdoor into your computer, and if they left it online where it was found by hackers. Then everyone's computer would be hackable and could no longer be used on the internet. Would the U.S. government be liable for replacing all of the computers and paying for all of the lost productivity while waiting for a new computer?
The same people that are trying to make everyone code... do any of them know what coding is, let alone what encryption is? I think not!