Sen. Ron Wyden Says CISA Data Collection Could Put Americans At Risk
blottsie writes: In a new interview, Sen. Ron Wyden (D-Ore.) says the Cyber Information Sharing Act of 2015 (CISA) may put more Americans at risk because the U.S. government has failed to learn the right security lessons from the attack on the Office of Personnel Management. He says, in part: "I've been watching as this goes forward—there's this phrase going around the cybersecurity community, 'If you can't protect it, don't collect it.' Now, there is never going to be a system that's 100 percent safe. But what I'm going to start [saying] on the floor as we get to this [CISA debate], is, you give the government a huge new trove of personal information about Americans before you've addressed the problems that were documented all the way back to 2007—those security holes—before you address those, [before] you plug them, that's like responding to a bear attack by stockpiling honey. That's going to be how I open the debate."
Who's willing to bet that, *after* the security measures are in place up to Congress's "standards" (they have no clue, they're just going on what other people tell them), Senator Wyden would be completely in-line with the mass surveillance camp?
No security measure can fix that.
Hell, OPM handed out root access to "workers" remoting in from China, for fuck's sake. And the clowns who did it are still not in jail.
It starts at the top, too. Just listen to Hillary! apologists making excuses for her and her classified emails in her fucking basement, all because they - for some strange reason - think Hillary! is on "their team", whatever team that may be.
It doesn't matter if a terrorist gets your data. Terrorists can't vote. It's the citizens you got to watch out for, you need enough data on them to make sure you'll know how they'll vote before the candidates are even announced. This way you also know how to redistrict and which empty promises to make.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Al Qaeda, ISIS, now I have to worry about bear attacks too?? I think we need to divert all funds and energy to addressing this imminent bear threat immediately.
>> that's like responding to a bear attack by stockpiling honey
Can we get a car analogy instead? Maybe something with swimming pools for the yokels?
If you aren't collecting it, it's going to be far more secure in the long run.
These idiots who think putting us all under surveillance, or monetizing our personal information, need to be forced to stop this BS legally.
I don't see H's server choice as a security argument. The "regular" office server, the one she should have been using, was not designed for classified info either and there's no evidence it had better general security than her "home" server.
There are plenty of other reasons to criticize her actions, but "security" is not one of them.
I suppose one could argue she was more likely to mix up personal and work email, but that can happen regardless. One can mistype the destination on any device or email service. Such an argument is splitting hairs on what kind of typo is most likely, which is probably personality specific such as to make it highly speculative. The kinds of mistakes I make often have a different pattern than those of others. It's one of the reasons I welcome wide feedback on any of my draft UI designs.
Table-ized A.I.
I'm pretty sure Kanye West would put an end to this pointless and extremely intrusive surveillance trends sweeping the world right now. Yeezy for President!
This isn't just a government thing so let's be a little more even handed about this...
Any design that makes competence a requirement is fatally flawed...
Common misconception. Bears don't give a whit about honey. They're after the bees.
Senator Wyden has been pretty vociferously against mass surveillance, on repeated occasions.
Some examples:
http://www.theatlantic.com/pol...
http://www.huffingtonpost.com/...
http://www.newsmax.com/Newsfro...
Based on 20 years of experience in both, I'd rank private industry 3/10 and government 1/10. The nature of the type of government we seek to have means we often have to balance priorities like openness and fairness against things like efficiency and security.
For one clear example, consider the "need to know" versus the Freedom of Information Act. A private organization publishes about themselves what they want to publish*. They don't publish anything about their network infrastructure or anything, because they have no reason to. "Need to know" is a fundamental security principle, meaning that it's more secure to avoid spreading any information to anyone who doesn't need that information. In government, any and all records are wide open to the public under FOIA, every email ever sent, every order placed, every network diagram, unless it's specifically declared to be secret, with appropriate justification. You can see how making all of your documents, your network infrastructure plans, model numbers of security appliances, list of security services, etc. available to the public can give attackers a head start. That doesn't mean FOIA is a BAD thing overall, it just makes them a tad easier to attack.
Further, the government tends to have private information on EVERYONE legally in the country. A bad hack on a bank might release a million social security numbers. The government databases have all 320 million social security numbers, everybody's tax return, etc. That means they are a) a more attractive target and b) the damage is much worse when they are hacked.
Also, the bigger an organization is, the slower they are, in general. No private organization is anywhere near the size of the US government. Some government security requirements still REQUIRE the use of MD5. As you may know, MD5 was broken in 2010. We're still required to use it. On one project we fought to be allowed to use a secure algorithm, but the documents require what they require. Maybe they'll be revised in another ten years.
Along with the last point, at Apple or Google, the CEO (or CSO) can make a decision and send out an email "don't collect any more social security numbers" and within weeks it's done. Making changes to the US government sometimes requires an act of Congress - _and_that_is_a_good_thing_. We WANT changes to the government which controls so much of our lives to be done carefully, thoughtfully, slowly. That's a good thing, but it reduces their ability to respond quickly to emerging threats.
One last point just to demonstrate that the government isn't just another big organization. What company in the world fires their entire senior management team, the CEO, CIO, CFO, and company president every four years? Nobody. That would be catastrophic. The US government does that. The federal government really is a special case. Not necessarily _bad_ - it's great that changes are up for public debate. And it took more than 20 years to make the decision to change to a different health plan, Hilarycare/Obamacare, plus another 10 years to fully implement it. What company takes 30 years to switch to a different health plan after the executives have decided they want to do so?
* If corporations sell stock publicly, they do have to release a high-level overview of their financial situation. That summary info is nothing compared to being forced to release all of your emails.
The privacy and constitutional issues aside for a bit, I agree it isn't safe to collect all this information. But it never will be.
Are you sure about that argument?
http://politics.slashdot.org/s...
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
We don't have an equivalent analysis of the "regular" gov't office server to compare here. And the comments suggest the home box used typical industry settings of SMTP servers.
I have no reason to believe the "office" (gov't) server would not have typical settings also. Again, it was not designed nor intended for classified info.
They allegedly had another system for classified stuff, but they cannot talk a lot about it for obvious reasons. I'm assuming we are talking about "regular" non-classified emails. If she used the non-classified server/service for classified stuff, it's roughly the same "sin level" regardless of whether it's the wrong office server or home server. It was the "wrong" server either way. (The verdict on the "classified" question and fault is still open.)
Further, the "office" server died and they had insufficient backups. That's indirect evidence it was not heavily cared for and thus probably also had "bland" security attention.
Table-ized A.I.
Disclaimer - I live in Oregon.
Wyden is not a member of a party that I tend to vote for, and his recent vote on the Iran deal (among others) leaves me rather disgusted at him for being not much more than a party toadie when it comes to most issues. That said, I will freely admit that he's a lot more clued-in on technical issues than damned near everyone else in the Senate, and has done more for tech than nearly anyone else there.
Quo usque tandem abutere, Nimbus, patientia nostra?
> I don't see H's server choice as a security argument. The "regular" office server, the one she should have been using, was not designed for classified info either and there's no evidence it had better general security than her "home" server.
> There are plenty of other reasons to criticize her actions, but "security" is not one of them.
> I suppose one could argue she was more likely to mix up personal and work email, but that can happen regardless. One can mistype the destination on any device or email service.
You don't use outside servers precisely because you know people aren't perfect. In an environment where you deal with a mix of classified and unclassified you always build your systems and procedures around the possibility of classified information being placed on an unclassified system. There are procedures in place for mitigating when something is inadvertently put on an internal server, which is a big reason why you use the organization's internal servers for all official communications and document storage to begin with. So yes, unclassified systems in organizations which deal with classified are designed with classified in mind.
In the Clinton email scandal, the real failing though is having hundreds of emails with some type of classified information being included in the content and neither the senders nor receivers report it or do anything to remove it from the server at any point. It should have been known at the time that the information was classified regardless of the lack of markings on the emails or documents. And even if Hillary Clinton didn't know about the specific emails, she should have known this was a risk.
The specific settings listed wouldn't have passed the DISA STIGs which are required to be adhered to on a government system that is placed on the public internet. So no, the government system would not be using an outdated version of SSL or have an insecure set of encryption standards enabled on the TLS protocol of the SMTP server.
I don't feel like looking it up, but I am sure there is somewhere you can get information about the security posture of State's mail servers; though this could be considered privileged information.
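The comment above argues that a government SMTP server would not be left with an outdated SSL version or weak cipher settings enabled, while an earlier comment notes the home box used "typical industry settings". The check a defender would actually run over such settings is a configuration audit, so here is one as an added example, not code from the original thread or from any agency or project. It assumes a Postfix-style main.cf (the smtpd_tls_* parameter names are real Postfix parameters); the baseline it enforces (no SSLv2/SSLv3/TLSv1/TLSv1.1, "high" cipher grade only, explicit exclusion of anonymous, NULL, MD5, RC4 and export suites) and both sample configurations are constructed for this illustration and are not any organization's actual settings.

```python
"""Audit Postfix-style SMTP TLS settings against a small baseline.

Added example: the parameter names (smtpd_tls_*) are real Postfix
parameters; the baseline and both sample configurations below are
constructed for this illustration and are not any agency's real settings.
"""
import re

# Ordered from oldest to newest, so the ">=TLSv1.2" form can be expanded.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Baseline assumption: only the "high" cipher grade is acceptable.
ACCEPTED_CIPHER_GRADES = {"high"}
# Baseline assumption: these cipher families must be excluded explicitly.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "MD5", "RC4", "EXPORT"}


def parse_main_cf(text):
    """Parse main.cf lines of the form 'key = value'.

    Lines starting with '#' are comments, a line beginning with whitespace
    continues the previous value, and a repeated key overrides the earlier one.
    """
    cfg = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key is not None:
            cfg[last_key] = (cfg[last_key] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a 'key = value' line; ignore it
        last_key = key.strip()
        cfg[last_key] = value.strip()
    return cfg


def enabled_protocols(value):
    """Expand a Postfix protocol list into the set of protocols it permits."""
    tokens = [t for t in re.split(r"[\s,:]+", value.strip()) if t]
    if not tokens:
        return set(ALL_PROTOCOLS)          # empty list means everything is allowed
    if tokens[0].startswith(">="):         # minimum-version form, e.g. ">=TLSv1.2"
        floor = tokens[0][2:]
        return set(ALL_PROTOCOLS[ALL_PROTOCOLS.index(floor):])
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    base = included if included else set(ALL_PROTOCOLS)
    return base - excluded


def audit_smtp_tls(text):
    """Return a sorted list of findings for a main.cf fragment; empty means clean."""
    cfg = parse_main_cf(text)
    findings = []

    if cfg.get("smtpd_tls_security_level", "none") == "none":
        findings.append("smtpd_tls_security_level: TLS is not offered at all")

    for key in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        if key in cfg:
            weak = sorted(enabled_protocols(cfg[key]) & WEAK_PROTOCOLS)
            if weak:
                findings.append(f"{key}: weak protocols enabled: {', '.join(weak)}")

    for key in ("smtpd_tls_ciphers", "smtpd_tls_mandatory_ciphers"):
        if key in cfg and cfg[key].lower() not in ACCEPTED_CIPHER_GRADES:
            findings.append(f"{key}: cipher grade '{cfg[key]}' is below baseline 'high'")

    excluded = {t for t in re.split(r"[\s,:]+", cfg.get("smtpd_tls_exclude_ciphers", "")) if t}
    missing = sorted(REQUIRED_EXCLUSIONS - excluded)
    if missing:
        findings.append(f"smtpd_tls_exclude_ciphers: not excluded: {', '.join(missing)}")

    return sorted(findings)


# Constructed sample: "typical" permissive settings, SSLv3 still reachable.
WEAK_CONFIG = """
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.key
# only SSLv2 is switched off; SSLv3 and TLSv1.0/1.1 remain on
smtpd_tls_protocols = !SSLv2
smtpd_tls_ciphers = export
"""

# Constructed sample: the same server with the settings corrected.
HARDENED_CONFIG = """
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.key
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, MD5,
    RC4, DES, 3DES, EXPORT
"""

if __name__ == "__main__":
    for name, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] findings: {audit_smtp_tls(cfg_text) or 'none'}")
```

The audit only judges settings that are present, apart from the security level, so a server relying on compiled-in defaults shows fewer findings than one with bad explicit values; a real review would pin every parameter explicitly and compare against the organisation's published baseline rather than the one assumed here.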
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Your "should have" statements seem to apply equally to a home and office server. Great advice in general, but I don't see it applicable per "blame math" in this case. H is not a server admin.
Further, how are you defining an "outside server"? If the "office" server is available to the outside Internet, it's just as "outside" as a home server (barring any additional specific details).
As far as sending classified info thru unclassified servers, the devil is in the details, which we don't have. As I mentioned nearby, if the office server wasn't designed for that, then it's the same "sin level" regardless of which "wrong" server it went through.
I suspect what happened is that somebody copy and pasted classified info withOUT the proper markings/notices into a message(s) bound to non-classified email addresses. When H received it, she didn't know it was classified because it was not marked/labelled as such. This probably would have happened even if her home server never existed (unless you invoke the Butterfly Effect). Who sent the mis-marked info, why, and if H is culpable for that mistake is yet to be seen; we don't know those details yet. Innocent until proven guilty.
Either way, that still doesn't seem a home-versus-office-server issue yet. Sending it to Server-X-Not-Designed-For-Classified is just as bad as sending it to Server-Y-Not-Designed-For-Classified, unless we have a reason to know that Server X is "leakier" than Server Y, which we don't at this point. Wrong destination is a wrong destination.
Table-ized A.I.
"D" stands for "Defense". It wasn't a defense agency. I'll give you some kudo points if you can show that her agency was subject to DISA STIGs at the time, and more kudo points if you can show that the office server in question passed a review.
Table-ized A.I.
> Senator Wyden has been pretty vociferously against mass surveillance, on repeated occasions.
Complaining about surveillance (sometimes cryptically) is all that Wyden has done. He didn't expose any of it, even though he could have without repercussions.
I'm another Oregonian, and that echoes my sentiments exactly.
Do you have any idea how hard some people worked to secure his vote for the Iran deal?
The DISA STIGs and USGCB standards are used by many government agencies, not just the DoD. http://gcn.com/articles/2015/0...
The article does not have specifics on the scope. Yes, it does say some non-defense organizations use it, but is rather fuzzy beyond that. Did I miss something?
Table-ized A.I.
> I don't see H's server choice as a security argument. The "regular" office server, the one she should have been using, was not designed for classified info either and there's no evidence it had better general security than her "home" server.
> There are plenty of other reasons to criticize her actions, but "security" is not one of them.
> I suppose one could argue she was more likely to mix up personal and work email, but that can happen regardless. One can mistype the destination on any device or email service. Such an argument is splitting hairs on what kind of typo is most likely, which is probably personality specific such as to make it highly speculative. The kinds of mistakes I make often have a different pattern than those of others. It's one of the reasons I welcome wide feedback on any of my draft UI designs.
It's her own security she was concerned about.
I have wondered how many of those 'personal' emails she had scraped off the system before handing it in would have shown conflict of interest with regard to Clinton financial dealings that mixed just a bit with being in very high positions of US government.
blindly antisocialist = antisocial
Your statements appear to be pure speculation.
>> We WANT changes to the government which controls so much of our lives to be done carefully, thoughtfully, slowly.
> Yeah, you mean like the USAPATRIOTACT, the 2,000+ pages of wholly unconstitutional tripe that was SUPPOSEDLY written in, "Reviewed" and PASSED in TWO WEEKS?!?
I said the changes to the government should be done carefully, thoughtfully, slowly. When Congress works quickly, we end up with the patriot act. Kinda proves that we don't want Congress acting rashly, quickly, and recklessly, doesn't it?