Contractors Pose Cyber Risk To Government Agencies

Ian Barker, writing for BetaNews: While US government agencies are continuing to improve their security performance over time, the contractors they employ are failing to meet the same standards according to a new report. The study by security rankings specialist BitSight sampled over 1,200 federal contractors and finds that the security rating for federal agencies was 15 or more points higher than the mean of any contractor sector. It finds more than eight percent of healthcare and wellness contractors have disclosed a data breach since January 2016. Aerospace and defense firms have the next highest breach disclosure rate at 5.6 percent. While government has made a concerted effort to fight botnets in recent months, botnet infections are still prevalent among the government contractor base, particularly for healthcare and manufacturing contractors. The study also shows many contractors are not following best practices for network encryption and email security.

H1B shitty smelly hindu-chimps

are invading this country without restriction and without a single shot fired.
Middle class jobs are in jeopardy.

Re:H1B shitty smelly hindu-chimps

[CaptainDork]

Manning, Snowden, and Winters were not H1B.

Re:H1B shitty smelly hindu-chimps

they worked for lowest-bidders who squeeze as much profit out of the contracts as they can while still paying bonuses to executives and lobbyists, and kickbacks to government officials and lawmakers who gave them the gigs in the first place.

Re:H1B shitty smelly hindu-chimps

Looking at why India is so fucked up, it's easy to see, they do the minimum amount of work to pass the blame to someone else.
It's cultural.
It's a ticking time bomb in most software from Apple, Microsoft, VMware, etc.

Re:H1B shitty smelly hindu-chimps

[CaptainDork]

Point?

Duh?

No fucking shit.

Re:Duh?

wtf I love contractors now!

The OPM data breaches wins though

[OffTheLip]

The Feds Office of Personnel Management 2015 data breach wins (or loses) hands down. Not only an employee's personal info but family members and others included in "security" background checks. So, yeah, about those negligent contractors...

Re:The OPM data breaches wins though

[PPH]

Yeah. Things were a lot better before the OPM got into the security clearance business. Who would have thought that the issues with and threats against defense, healthcare, law enforcement and other employees and contractors would differ?

Re: The OPM data breaches wins though

Omb, has contract workers, the same as every other branch of the federal government. So why should they be more secure?

Re:The OPM data breaches wins though

[AHuxley]

The CIA knew to hold its data sets back :)

Re:The OPM data breaches wins though

[rtb61]

Now let's guess who created that system, perhaps contractors. How many failed contractor projects have there been, not just in data management but in every single facet of the function of government. Why contractors because that is the one and only way to achieve high level theft (billions even trillions stolen) in government projects, even to the insane level of no-bid contracts, just charge what you like.

So perhaps you are right, not negligent contracts but criminally fucking corrupt contractors of which there are a whole slew, crippling the function of the US government. Why has the US government routinely failed in regime change operations because most of the funding to set up the new government is stolen by corrupt contractors and their partners in crime in that new government. The regime change fails at it's core because a lot of the funding is stolen and rather than getting the most effective people they get the cheapest worst criminals (so that middle men, the corporate contractors, can keep most of the money they pretend to pay out).

Most major US government contractors should be thrown in prison and have all their asset confiscated, especially the offshore bank haven assets, even if it requires a government military insertion to access those records (they are killing people in the US through the depletion of government services essential to the life, health and welfare of all US citizens and I am saying this as an Australian why the fuck are you not concerned, assuming of course that you are not a Russian agent seeking to destroy the US with the greed of US contractors, which is actually happening).

Perhaps benefit-dodging isn't worth it.

[edgedmurasame]

In light of trying to dodge obligations and shortchanging the people doing the work, perhaps they might want to actually hire directly or have contract firms provide better conditions/terms.

Re:Perhaps benefit-dodging isn't worth it.

[nehumanuscrede]

I guess it's time for companies / government to make a choice:

Cost vs Security.

Real security is expensive and not something you can cut corners on if you're serious about it.

Re:Perhaps benefit-dodging isn't worth it.

In light of trying to dodge obligations and shortchanging the people doing the work, perhaps they might want to actually hire directly or have contract firms provide better conditions/terms.

Simply nationalize all US IT/tech firms and make them a part of government and so must adhere to government security practices. Problems with private-sector IT/tech/data-services contractors as well as private-sector reluctance to turn over user data and communications solved.

It would make them easier to find on the web as well: Cisco.gov, Intel.gov, BoozAllen.gov, ATT.gov, Microsoft.gov, Sprint.gov, Verizon.gov, etc etc etc.

What could possibly go wrong?

Mamash is Russian shill

Donâ(TM)t trust it

Cisco, Intel and Microsoft backdoors

Stop forcing them to install backdoors and you solve half of all internet security problems.

Re:Cisco, Intel and Microsoft backdoors

[ShanghaiBill]

Stop forcing them to install backdoors and you solve half of all internet security problems.

Can you cite even a single breach that was enabled by a government mandated backdoor?

Re:Cisco, Intel and Microsoft backdoors

No sir i can't guarantee that information wasn't used to compromise someone who then was disincentivised from reporting their own compromise.

What was the question again?

Re:Cisco, Intel and Microsoft backdoors

[AHuxley]

Re "government mandated backdoor?"
SISMI-Telecom scandal https://en.wikipedia.org/wiki/...
Greek wiretapping case 2004–05 https://en.wikipedia.org/wiki/...–05

Obligatory Ron Swanson Quote

"I don’t want to paint with a broad brush here, but every single contractor in the world is a miserable, incompetent thief."

Simple solution

[Gravis+Zero]

Just tie the security clearances of the company's executives to the company's security. If the company's security is compromised, the executives lose their security clearances, leaving the corporation with two options, replace all the executives or forfeit it's government contracts.

Re:Simple solution

[AHuxley]

Then they lose the tools of their trade.
The gov cannot take the tools of their trade away from the contractors.
The person gets to walk away with their security clearance and start up a new company.

Re:Simple solution

"Then they lose the tools of their trade. "

When the tools are executives, they should be lost.

Re:Simple solution

[Gravis+Zero]

Then they lose the tools of their trade.

Executives are replaceable. They would be quickly replaced and company would move on without them.

The gov cannot take the tools of their trade away from the contractors.

The person gets to walk away with their security clearance and start up a new company.

Why should an executive that failed to ensure security be allowed to keep their security clearance? The fish rots from the head down.

LOL

Vault 7, WannaCry, Intel AMT breach, CISCO lawful intercept.

Exploiting Lawful Intercept to Wiretap the Internet
Cisco backdoor still open | Network World

ShanghaiBill thinks the NSA must be installing backdoor for sports!

Re:LOL

Vault 7, WannaCry, Intel AMT breach, CISCO lawful intercept.

None of these were breaches caused by government mandated backdoors.

Contractors are made necessary

The reason the gov relies on contractors so much is that it's self-imposed bureacracy inhibits adding manpower any other way. To add a military member or federal civilian into the manpower pool can require years worth of paperwork, whereas contracting can be done in weeks or months. On the flip side, to remove a federal civilian takes an act of God if they have tenure, but a contractor can be removed near instantly. In general, most of the problems the government faces are due to it's own self-imposed red tape and backroom deals done by entrenched officials that face no such hurdles.

Re:Contractors are made necessary

[cdreimer]

For the government IT project that I work on as a contractor, contractors have gotten let go within two weeks of starting work. Why? Because they thought they could get hire, not show up and still get paid. Others have been dismissed for just simply not being a team player and/or expressing a negative ("Not my job! That's someone else's job."). One guy got dismissed because he lied on his background check about not being a murderer.

Re: Contractors are made necessary

Contractors are "not" necessary. All they add is a layer of complexity to the mix. And they follow company rules not the rules of the agency they work thru.

Re: Contractors are made necessary

But contractors don't have seniority rules. Some of the bureaucratic bloat comes from people who have years of seniority that no one can complain about them for showing up to read the newspaper all day. It's a lot easier to fire a contractor and/or cancel contract than fire a senior government worker.

Re:Contractors are made necessary

" Because they thought they could get hire, not show up and still get paid"

That's nothing! Some get hire, show up, but do NO work because they shitpost on Slashdot all day!

How do you know they weren't working from home? You're a digital ditch digger, Chris, why would you be privy to the details of HR?

"Others have been dismissed for just simply not being a team player "

That's not you; football is a team sport, right?

Re:Contractors are made necessary

MOD THIS MEANINGLESS KARMA WHORING COMMENT DOWN!!!

Christopher Dale Reimer, aka cdreimer, aka creimer, aka cashews, is a well-known toxic bachelor and serial digital pest!

Do not allow this tiresome dullard to copy and paste his own Cryptofeces Reimerium back on here to collect karma points!

We just went through the whole process of getting him contained at -1 like medical waste in a BFI container.

Re:Contractors are made necessary

[jezwel]

The reason the gov relies on contractors so much is that it's self-imposed bureacracy inhibits adding manpower any other way. To add a military member or federal civilian into the manpower pool can require years worth of paperwork, whereas contracting can be done in weeks or months. On the flip side, to remove a federal civilian takes an act of God if they have tenure, but a contractor can be removed near instantly. In general, most of the problems the government faces are due to it's own self-imposed red tape and backroom deals done by entrenched officials that face no such hurdles.

The reason behind this is that public servants are meant to be able to provide honest advice to the mucky mucks upstairs - ministers, lords, congress, whatever works for your country - without the fear of being fired for providing that advice.
Without the bureaucracy requiring performance management, 3 strikes, whatever it is you have - if you don't have it, you end up with Yes People following whatever direction is presented without question.

Now, whether it works in practice...it does, up to a certain level. Then you see the boards being stacked with Yes People (as at this level everyone is on a contract, not a public servant), and realise it doesn't really matter :/

Re:Contractors are made necessary

[AHuxley]

The US interest in contractors goes back for generations.
They work on a task and can change a task on demand.
The gov thinks its getting the worlds best new tech due to "competition".
Gets the best price to a lot of "competition".
That the gov workers won't fall under the spell of a union and walk out on a mil production line during a secret mission that takes years.
That some the private sector are ahead of all tech as understood by gov, educators and most other contractors.
That the gov and mil will go conservative with systems and new tech, wanting gov systems they understand over new private sector tech thats perfect for an unexpected mission.
The main reason in the USA is the home state of the contractor. That the contractor always remembers who supported that bid "politically" and who has a re election to support.
That the private sector is loyal to the USA, that gov workers are loyal to the politics of a charming union leader.

Re:Contractors are made necessary

It must be shitty to work a job so low level that people think they can get away with that.

Re:Contractors are made necessary

Low level? You can find newspaper reading employees at all levels of government. Political appointees, however, are worse.

So maybe we shouldn't be surprised that at least four current top officials have apparently decided that they deserve to travel like capitalist rock stars — one took a private charter to his summer home in Montana, for example, and another flew first class on the 45-minute ride from Washington to New York City — rather than what they are: top government bureaucrats doing the taxpayers' business at the taxpayers' expense.

http://www.latimes.com/opinion/editorials/la-ed-shulkin-trump-zinke-pruitt-travel-20180216-story.html

Re:Contractors are made necessary

Dear Team Creimer,

My YouTube channel has 222K subscribers and many videos with hundreds of thousands of views:

https://www.youtube.com/watch?...

Now, with some slight adjustments, I think that together, we could make the view count skyrocket on your very own Team Creimer youtube channel :)

Please feel confident to contact me if you want me to coach you, we aren't living so far away from each other so we could even easily meet.

Love XX,

--
-Granny

Re:Contractors are made necessary

Team Creimer dreams:
https://www.youtube.com/watch?...

I have just closed my eyes again
Climbed aboard the Team Creimer train
Driver take away my worries of today
And leave tomorrow behind

Team Creimer, I believe you can get me through the night
Team Creimer, I believe we can reach the morning light

Fly me high through the starry skies
Or maybe to an astral plane
Cross the highways of fantasy
Help me to forget today's pain

Team Creimer, I believe you can get me through the night
Team Creimer, I believe we can reach the morning light

Though the dawn may be coming soon
There still may be some time
Fly me away to the bright side of the moon
And meet me on the other side

Team Creimer, I believe you can get me through the night
Team Creimer, I believe we can reach the morning light

Re:Contractors are made necessary

Chris sure enjoys being decorated like a Christmas tree, sibling of his wife Ethell.

Especially in the digital feces world!

Re:Contractors are made necessary

There we go again, I swear I am typing as I sing and not looking at the pre-canned lyrics.

Ethell my darling you know that love you I'm glad we could have a vacation this year.

Oh honey, an hotel suit for the Silicon Valley comic con. What a VIP you are my love.

Here is the story of creimy the mountain and his royalties!

This story was inspired by cdreimer, the parent poster. The story was written by a visionary on cdreimer birth date.

The story of creimy the mountain explained:
https://en.wikipedia.org/wiki/...

Creimy is a typical mountain who poses for postcards, living with his wife Ethel, a tree, between the cities of Rosamund and Gorman, California. The main features on his mountainous face are two large caves, resembling eyes, and a cliff for a jaw, which moves up and down when he talks, puffing up dust and boulders.
click above link to read more, he even destroyed Edwards Air Force Base just by passing by...

Listen to the audio version here:
https://www.youtube.com/watch?...

"Creimy The Mountain"

includes quotes from Pomp and Circumstance March No. 1 in D major (Edward Elgar), Johnny's Theme (Paul Anka), Off We Go Into The Wild Blue Yonder (Crawford), O Mein Papa (Paul Burkhard), Over The Rainbow (Harburg/Arlen), Star-Spangled Banner (Smith/Key), Suite: Judy Blue Eyes (Stephen Stills)

One, two, three

CREIMY the Mountain
CREIMY the Mountain
A regular picturesque
Postcardy mountain
Residing between lovely
Rosamond and Gorman
With his stunning wife ETHELL, A tree! A tree!

CREIMY was a mountain ETHELL was a tree Growing off of his shoulder

CREIMY was a mountain
(CREIMY was a mountain!)
ETHELL was a tree Growing off of his shoulder
(ETHELL was a tree growing off of his shoulder)
(hey, hey hey!)

Creimy had two big
Caves for eyes,
With a cliff for a jaw
That would go up 'n down,
And whenever it did,
He'd puff out some dust,
And hack up a boulder (HACK!) Hack up a boulder (HACK! HACK!)
Hack up a boulder (HACK! HACK! HACK!) Up a boulder

Now, one day, now I believe it was on a Tuesday, a man in a checkered double-knit suit drove up in a large El Dorado Cadillac, leased from BOB SPREEN

("Where the freeways meet in Downey!")

And he laid a HUGE, BULGING ENVELOPE right at the corner of CREIMY THE MOUNTAIN, that was right where his 'foot' was supposed to be.

Now, CREIMY THE MOUNTAIN, he couldn't believe it! All those postcards he'd posed for, for ALL OF THOSE YEARS, and finally, now, AT LAST, his Royalties!

Royalties! Royalties Royalties! Royalty check is in, honey!

Yes, CREIMY THE MOUNTAIN was RICH! Yes, and his eyeball-caves, they widened in amazement, and his jaw (which was a cliff), well it dropped thirty feet!

A bunch of dust puffed out! Rocks and boulders hacked up, (hack! hack!) crushing 'The LINCOLN'!

I gave him the money He acted real funny He hocked up a rock and It TOTALLED my car!

Oh, do you Know any trucks Might be bound for THE VALLEY?
I don't wanna stand here All night in this bar (Dear Lord)

I don't wanna stand here All night in this bar (No shit!)

I don't wanna stand here All night in this bar!

By two o'clock, when the bars are already closed down, CREIMY had broken 'THE BIG NEWS' to ETHELL. And with dust and boulders everywhere, CREIMY, choked with excitement, announced

"ETHELL, we're going on a VACATION!"

Yes, and they WERE going on a vacation! (Oh, and ETHELL, ETHELL, ETHELL, like every little woman, she of course was very excited! She creaked a little bit, and some old birds flew off of her.) CREIMY told ETHELL they were going to Yes! They were going to NEW YORK!

"ETHELL, we're going to New York!"

But first they were gonna stop in LAS VEGAS

It's off to LAS VEGAS to check out the lounges Pull

Re:Contractors are made necessary

It's funny because you could just as easily fake all the views, clicks, and subscriptions you're depending on slashdot for. It's such a small small number that youtube wouldn't ever notice. Besides your "subscriber link" trick is already dishonest enough to get you a strike if some minimum wage tubemonkey decides they need to pad their weekly numbers, people routinely get random strikes for insanely minuscule transgressions.

Like why don't you just get all the passwords for your google sockpuppet accounts and game your numbers over a proxy? Or ask your friends to give you that initial bump?
I get what you're doing, a small number of clicks and shit will ensure you're near the top of the list if you generate content on topics that aren't on the social radar yet.... but what you're doing here is building a huge embarrassing internet footprint. If you ever get any sort of popularity the trolls will come. Find what you've done here, and blog about your every tiny mistake. It'll be funny because you'll get eaten alive by other assholes trying to grift for their own clickbait pennies with articles about your child bride fixations and creepy female impersonations.

This! exactly This! One thousand times!

I am an on-line marketer myself and creimer has been burnt for a long time because of what I emphasized in your text above. The fucker is just too stupid to realize it.

You would put the fucker in an extra large boiling tank with warm water and turn on the heat and the fucker would be too dumb to get out if he could when it gets too hot.

creimer already pissed off many of us by bringing attention to friendly advertising plugs on Slashdot, especially when posted as AC and the Slashdot moderators have become intolerant to posts containing friendly links, thus hurting us all. AC posts on Slashdot used to generate more clicks before creimer decided to go crazy.

Everybody hates creimer, especially other online marketers and although I would never do anything illegal, I hear other marketers might when it comes to creimer.

Good luck dumb ass!

Re:Contractors are made necessary

fuck man creimer really has no friends

Re:Contractors are made necessary

Well his latest subscriber count for his PooTube channel is ... 7. His latest GWAND PWIZE video has like zero views... Or maybe one.

Re: Contractors are made necessary

Listen to what you've said.
Our government is flush with contractors who are totally disposable and will likely get unemployment or moved on to some other contract if they get canned.

They know they're shit. That's priming the workplace for blackmail either against other employees or theft/hacking/backdoors. It's virtually the only way that they can maintain job security. Plus it's relatively common in our government. Why don't you hear about it?

Because it works. How do you think that Fat Leonard arranged ladyboy rubdowns on half the USN's high level officers and nobody knew for 20 years? Easy: Everyone had way too much embarrassing shit to talk about.

Contractors exist because OPSEC takes a backseat to carving out a little cash for a pal.

Re:Contractors are made necessary

You must have a very sad and empty life spending all this time stalking cdreimer. But it's all very boring for the rest of us. Can't you just piss off from slashdot go and do some real-life stalking instead? I'm sure it would be more fulfilling for you and less tedious for the rest of us.

Re:Contractors are made necessary

"You must have a very sad and empty life spending all this time stalking cdreimer."

I'd say we're about even, Chris.

"But it's all very boring for the rest of us."

There's this perception that there's an "us". It's just you and me, fat boy. I guess you're as happy as Tornado Boy when you read the comebacks here! It's not like people pay attention to you in meat space, despite your massive meat presence.

"Can't you just piss off from slashdot"

Pulling the controversy from Slashdot to a platform where you collect the ad revenues is good business for you. Ad revenues from Slashdot traffic alone pay for your monthly subscription to The Wall Street Journal.

"and do some real-life stalking instead"

This is as real as it gets for you, loser-san. They're going to find your dried corpse hugging a Dakimakura. Although why you chose a goat-shaped one is a mystery.

Re:Contractors are made necessary

Here are some posts from creimer's old accounts. I'll start with his love of child brides.

If all my assets were liquidated, I would still have enough cash to buy a new car and head off to Mexico to find a chica to marry.
https://slashdot.org/comments....

You're aware that are some states in the U.S. that allow underage marriage as young as 14 years old?
https://slashdot.org/comments....
As for my comment, I've heard stories of engineers retiring at 50, moving to Mexico and marrying underage girls. Since I work with ex-military, the Philippines is a popular retirement spot for marrying underage girls as well. It's all about getting the most bang for your retirement dollars.
https://slashdot.org/comments....
That only works if you retire to Mexico, build a mansion (by local standards), marry an underage sweet thing and bequeath all your possessions to the village.
https://slashdot.org/comments....

You need to be more specific. I wrote 3,000+ comments this year.
https://slashdot.org/comments....

Nah... I just do it to piss off my trolls and make coffee money off of them.
https://slashdot.org/comments....
We have different priorities. You want to climb the corporate ladder. I want to own the corporate ladder.
https://slashdot.org/comments....

Your bitch licks your balls. Most people don't brag about practicing bestiality. Is there a reason why you married a dog and not a goat?
https://slashdot.org/comments....

My employers don't care about what my Slashdot trolls think. Now go off and lick your balls somewhere else.
https://slashdot.org/comments....
iPhone 6s and reduce my monthly bill from $80 to $50. As a phone and a video camera, the iPhone 6s isn't obsolete. As a Sprint customer for 20+ years, Sprint will always offer me a new iPhone if I decide to stop using the 6s as a phone in the next several years.
https://slashdot.org/comments....
Miracle workers are never afraid to ask for a second opinion. Supervisor gave me his opinion ? and a mess to clean up. Lesson learned from this incident: if something isn't quite broken, break it.
https://slashdot.org/comments....

So you can turn around call me a liar again? People have been playing that game with me for years.
https://slashdot.org/comments....
Based on what I've read about Uber, he need to tell the boys to clean up their locker room behavior, zip up their pants, and attend sensitivity training until everyone agrees that women are not sexual objects.
https://slashdot.org/comments....

Which doesn't violate the Slashdot TOS. If you got a problem with that, take it up with management.
https://slashdot.org/comments....
This year I've posted ~4,000 comments.
https://slashdot.org/comments....

I don't bother with mod points. I'm doing something much more sinister. It took ten story submissions ? I'll have to double check the

Re:Contractors are made necessary

Read what Chris Reimer (cdreimer) wrote here:
https://groups.google.com/foru...

You are such a perfect miracle imbecile Chris!

I can't believe that you are actually imbecile enough to post this thread here. It makes you look like an even more imbecile fucktard yet.

As some have stated on that thread "dot is NOT an operator", you fucktard! Apperently, you did not read the thread yourself or more likely, your ameba brain reading comprehension doesn't allow you to understand its content.

It's like asking: What is the dot operator precedence in Linux Slackware 1.2.3? You can't daisy chain dot operators in Windows versions (e.g. 3.1, 3.11, etc.)

What is the precedence in the 2.5 IQ that you possess?

And if you ever asked about real operators the word is "Precedence" you fucktard!

Dots are not operators in ANY OOP language you silly fuck!

See java:
https://docs.oracle.com/javase...

For python, you could have googled it but no, you needed to grab the attention on that google group and didn't care that it made you look like a total fool.
http://reeborg.ca/docs/oop_py_...

See example in above link:
Fido.head.mouth.teeth.canine.hurts();
Other example:
Criemer.head.brain.isHurting(); This is always false because your head is empty you dumb fuck!

But Criemer.head.isEmpty() always returns true...

Re:Contractors are made necessary

That creimer posted his 12th video in 12 weeks is far more important than the initial view counts that he gets for newly published videos. The YouTube algorithm no longer favors subscribers or views. It's all about watch time. He's playing the smart game by creating a video series that can be binge watch from a playlist. Expect more comic con videos between now and April. The view counts should explode when Silicon Valley Comic Con gets under way, which is bigger than a Super Bowl game in terms of economic impact.

Re:Contractors are made necessary

" He's playing the smart game by creating a video series that can be binge watch from a playlist."

I'd bet YOU'RE on the "binge watch" whenever you go to the buffet! CROFLOL!

Who is this hypothetical person who'd binge watch a fat man's head lisping about boring subjects with bad audio quality and worse video editing?

We can hear your spittle in your mouth, Chris! SO amateurish! And GROSS.

CAPTCHA: CHUBBY

Absolutely! Happening at the state level too!

Too bad nobody cares. Especially NY and CA, lots of abuses there. But it's about grabbing the cash and using cheap labor, not about delivering a product.

Not just a risk?

A... *gasp* CYBER risk!

All I can think of, is: Cyber Cyber Cyber Cyber.

In Germany, we have a word for people who use that word: Internetausdrucker. People who print out the Internet.

Abolosh cleaance

[Mark+of+THE+CITY]

AIA, a trade group, said 700,000 jobs were in the clearance process. This hurts national security, not helping. Robert Oppenheimer losing his clearance was obviously politically motivated. Junk it.

Contractors? The govvies are incompetent

Why is the government hiring contractors to do all their IT work in the first fucking place?

Oh, yeah, because none of the govvies can even spell IBM.

Yeah, I've worked as a government contractor - "Blame the contractor!" is always the mantra, but no one ever asks, "Why the hell are you so incompetent you can't run a simple Windows network without contractors?"

Re:Contractors? The govvies are incompetent

[gweihir]

And that is exactly the problem. The "proper" employees are not a risk, because they cannot get even get the work done. The second problem is that the process to get a clearance is based on a completely broken perception of the world. You can not evaluate whether somebody has honor, loyalty and integrity and their history, friends, family, etc. do not indicate so either. At the same time, even somebody deeply loyal may suddenly find they are more loyal to their species than to some scummy government agency trying to screw everybody over.

The only way prevent loyalty-problems with contractors is to a) pay them well b) treat them well and c) do not do evil crap that they may rightfully object to. Of course, all three are beyond what a dysfunctional government agency can do, so leaks (and sabotage) will continue to happen.

Re:Contractors? The govvies are incompetent

[HiThere]

It would also help to require that they not have been proven to have been doing unethical work during the past, say, five years. (I didn't say illegal, I said unethical. Unfortunately, that makes the term "proven" a bit difficult to define. Also the term unethical. So you'd need to set down certain minimum requirements that would substitute.)

Re:Contractors? The govvies are incompetent

[AHuxley]

The idea is to walk the persons history. Their teachers, college, friends, family, extended family. Who they grew up with. What they read. Their politics, faith, role in a wider community. Bank account, cost of rent, home loan, other spending, hobbies, a criminal deviant lifestyle.
The experts at the FBI have some idea if a person is going to go full split loyalty at work and support another nation, cult, faith, political system over the USA.
Can a person be open to black mail? Need to seek funds from another nation to cover their hobby, addiction, need for luxury beyond their gov/mil wage?
Was the person political at university? Spend time with friends who are all criminals? Know lots of journalists who write about whistleblowing? Know a lot of activist human rights lawyers? Show an interest in faiths and cults that are incompatible with US mil/gov security?
Spend time been an activist online?
Most of that can be discovered when looking to work for the US gov/mil with a few interviews and by looking back over a person education, their friends, their spending patterns, internet usage, family and teachers.
The US gov kept all real time use of early social media and web sites, later social media.
Every face, party picture, holiday, political slogan, direct support for the actions of a faith and cult.
The security service do not have a "completely broken perception of the world". They know exactly who they want and who can keep all secrets for decades.
Contractors break that security the US once had in place by demanding to bring over their now staff who "once" had a clearance, who just need a clearance "updated". Failed staff keep getting gov/mil work by using their contractor as cover.
All kinds of people can then get let in, who never faced better security investigations.
The ability of a contractor to demand they get to bid on work with their self cleared workforce is the problem.
The party political demands that the US gov and mil start to accept criminals and other very bad people of faith due to political correctness.

Re:Contractors? The govvies are incompetent

[gweihir]

Complete bullshit. The idea is to intimidate the candidates and identify those openly not intimidated. These then fail. With all others, they hope they stay intimidated.

You are just regurgitating propaganda. Look at what screenings high-level defectors and leakers went through to get an idea about how well that screening actually works.

Re:Contractors? The govvies are incompetent

[gweihir]

Since they apply for classified government work, "unethical" is pretty much part of the job description.

Re:Contractors? The govvies are incompetent

[l0n3s0m3phr34k]

And yet nothing you listed has anything to do with the issues listed in the summary: "botnet infections", "network security", and "email security". The current problems have very little to do with your list, unless your claiming that very "unethical contractors" are the ones running the botnets and purposely compromising network security.

The absolutely most loyal network admin will have a difficult time stopping end users from clicking on phishing emails. Stupidity doesn't stop because of "patriotism".

The REAL problem is the contractors are not forced to follow already existing security publications. My current position deals directly with this; I'm working on finishing up NIST 800-171 compliance for a DoD contractor. My ability to hist the various requirements, implement the STIGs, has ZERO to do with my extended family, faith, or feelings on human rights. The correct "separations of powers" in our IT means that even if I wanted to somehow compromise our network, other people working there would notice pretty quickly. I may implement a GPO, but my boss gets a report on what GPOs have been modified and by whom, for example. I'm not the only person running STIG audits, I'm not the only person at our company doing "security related stuff".

What REALLY needs to happen is the feds need to step up on their compliance audits; first going over EVERY department on a 800-171 or 800-53 (for the actual DoD) level...and work their way out down the contractor tree. IMHO, our "election system" should be at least 171 compliant but "STATES RIGHTS!" get in the way.

Re:Contractors? The govvies are incompetent

[gweihir]

And fail. (Not your fault, it is easy to fall for this.) Compliance does not create security. In actual reality, it _decreases_ it, because it reduces mental capabilities available to understanding.

The only thing that creates security in people that must have "access" is understanding of what they do. Hence a) make sure all people with access to sensitive data really have a clue how things work and b) make sure they have personal integrity. No, a regular "screening" will not accomplish this. Also c) don't do evil things that will rub people with personal integrity the wrong way. Especially c) is often infeasible for government agencies, because they often are evil by design, not only by policy. Item a) makes people expensive and item b) very often makes them not want to work for the government in the first place.

So, no, I do not think this can be fixed. Just the same as "laws" do not fix "crime". In many cases they create it and without good reason.

Re:Contractors? The govvies are incompetent

[l0n3s0m3phr34k]

Well, this article isn't about working "for the government" really; most contractors (especially the mentioned health care and aerospace) have multiple clients. My workplace has a 30% DoD involvement level. We don't deal in CUI (Controlled Unclassified Information), but Transactional Information. Both of these are several steps below anything like what Snowden revealed. Thus why we fall under 800-171 instead of 800-53.

I'm assuming your not intimately familiar with these NIST publications, the related STIGs, and so forth. I can guarantee the contractors who have had breeches did not implement items such as "Microsoft Windows 10 STIG - Ver 1, Rel 12", "Database SRG - Ver 2, Rel 8", etc. The Win10 STIG itself has almost 300 very precise requirements; to the point of "if Registry Key XYZ is not found this is a finding".

Compliance with these does create one part of the security model. There is no real way of testing for "personal integrity" outside of a clinical setting; intelligent people with no "personal integrity" can fake it for a long time even hiding it from close friends and family. Low-order sociopaths are quite common in the business world, especially as one moves up the management ladder. They would claim to have "personal integrity"...BUT their definition would be more along the lines of "keeping my person ahead of everyone else and my social standing integrity intact".

Compliance to the publications like 800-171 and 800-53 _increases_ "mental capabilities available to understanding" because to implement them properly you have to have a deep holistic understanding of various underlying technologies, people's psychological reactions (to make effective training), foreign relations (to know which APT are out there and just what vector they might be using), etc.

Case in point, stopping "email phishing" requires both a technical AND personnel approach. You need to implement various safeguards to stop the bulk of the attacks, AND need proper training for end-users to correctly deal with anything that gets past those safeguards. Neither one by itself will be effective due to the constantly evolving nature of threats. Technologies like Mimecast can stop 90%-95% of attacks getting through, properly configured GPOs can help stop other issues that slip past that; but attackers will craft some way that will eventually slip past. That's the whole reason for "risk management"; you have to accept that something bad will eventually happen and have procedures in place to quickly return to a stable operational state. Off-site encrypted backups, disaster recover contracts, keeping up vendor warranties...
This whole conversation (not yours in particular, but TFA in general) seems to have taken a pear-shaped turn into the "evils of TLA agencies". While that is a worthwhile (and VERY critical) conversation to have for a functioning democracy, the original summary was about the failings of contractors to follow basic security guidelines. Not some "hard to define" ideals like "personal integrity", but very specific guidelines that have existed for years and are (mostly) freely available to the public at large. If every government agency would just "do their job" in regards to ITSec and follow the REQUIRED published guidelines, many of these breaches would have been stopped.

I don't have technical knowledge on things like the OPM hack, but I am willing to bet that that breech (in the way it actually happened) could have been avoided if they had bothered to properly implement 800-171. Personally, I feel that ALL companies that deal with any financial data (looking at you EQUIFAX), health information, or other "personal sensitive data" should be required to follow NIST guidelines. It should be part of regulatory requirements; unfortunately our current administration is moving towards "less burdensome regulations" rather than towards compliance so we should expect to see breeches like this happening far more often in the future.

How would you know?

Did you read all the NDA?

You mean Cisco and Intel and Microsoft installed backdoors without government pressure?

That's even worse.

Protonmail

Doesnt contract

2 Reasons why the government chooses contractors

The government loves contractors because (a) it absolves the gov of responsibility when things go wrong - "bad contractor", and (b) contractors can be hired and fired "at will" - something that the good ol' conservatives have always salivated over.

creimer spam alert!

Don't click on his homepage link! creimer is trying to get you to subscribe automatically to his youtube channel and make money off you!

CREIMER' SUBMISSIONS UPDATE:
Note also that creimer is trying to regain karma by getting his submissions published as articles on /. so make sure to go to:
https://slashdot.org/~cdreimer
https://slashdot.org/~criss69
https://slashdot.org/~Anonymou...
https://slashdot.org/~FatCashe...
https://slashdot.org/~ILoveFat...
https://slashdot.org/~IHateFat...
https://slashdot.org/~IAteFatC...
https://slashdot.org/~ITapeFat...
https://slashdot.org/~IApeFatC...
https://slashdot.org/~IPrayFat...
https://slashdot.org/~FatCashe...
and mod down his submissions as well. The great thing is that you don't even need mod points to mod down a submission, just click on the "minus" icon!

Yes, believe it or not, creimer owns all the above sock puppet accounts. It is a mystery why Slashdot management tolerates it!

creimer wrote:

I don't bother with mod points. I'm doing something much more sinister. It took ten story submissions ? I'll have to double check the number ? to move cdreimer's karma from neutral to excellent without ever being exposed to the capricious mods. Mmmmmwwwwahahahahahahaha!

https://slashdot.org/comments....

Danger, Will Robinson, Danger! Creimy is posting more than 2 posts a day. Hurry! mod down otherwise /. will go to hell again!

Note: you can mod down even if already at -1 to lower karma and to prevent lost /. users to accidentally mod up.

creimer wrote:

All you need to do is find a website with a permissive TOS, say, Slashdot, create a Python script to scrape your own comments, sprinkle Amazon affiliate links in various posts, and then re-post past links whenever possible. Won't be long before you start making "coffee money" each month.

https://slashdot.org/comments....

C.D. Reimer is a renowned Slashdot collaborator, as he puts it himself; "Because of the quality of my posts and my article submissions, I'm a highly rated commentator and moderator."

But does anybody ever wondered what "C.D." stands for? Well, it stands for Creimy Dumpty of course!

Creimy Dumpty sat on the wall,
Creimy Dumpty had a great fall.
All the king's horses
And all the king's men
Couldn't put Creimy Dumpty
Together again.

Creimy's siblings video and theme song, very realistic, especially the pants, just like Creimy's:
https://www.youtube.com/watch?...

With "Vice President Pence Vowing US Astronauts Will Return To the Moon", we are sure they will need miracle workers up there, here is what it would look like. Note that Creimy takes care of bringing a lot of food to the moon as depicted below:
https://www.youtube.com/watch?...

Creimy's real pictures:
Before the sex change:
https://ibb.co/cc7Ddw
After the sex change:
https://ibb.co/gVad65

Creimy's "enterprise-level" chair, he talks about it all the time on slashdot:

Comment removed

[account_deleted]

Comment removed based on user account deletion

Indeed, let's go Team creimer let's GO

Indeed, let's go Team creimer let's GO

Never give up on your dreams Team Creimer!

Never mind those hump-leg noob creimertard trolls!

Team Creimer dreams:
https://www.youtube.com/watch?...

I have just closed my eyes again
Climbed aboard the Team Creimer train
Driver take away my worries of today
And leave tomorrow behind

Team Creimer, I believe you can get me through the night
Team Creimer, I believe we can reach the morning light

Fly me high through the starry skies
Or maybe to an astral plane
Cross the highways of fantasy
Help me to forget today's pain

Team Creimer, I believe you can get me through the night
Team Creimer, I believe we can reach the morning light

Though the dawn may be coming soon
There still may be some time
Fly me away to the bright side of the moon
And meet me on the other side

Team Creimer, I believe you can get me through the night
Team Creimer, I believe we can reach the morning light

FatCashewsaLovesMe MUST READ

You must follow the instructions so that we may exchange keys and have encrypted conversations right in front of TEAM CREIMER!
After you have completed this task I will reveal the location of 1tb of multiethnic tranny porn. If your exposure to creimer has made you too slow to execute this task without special assistance then please post any questions as AC and I will answer them!

This link contains directions for FatCashewsLovesMe (and not creimer) to get into the NO CREIMER CLUB. A place exactly like slashdot except with unicode support and creimer can't see it!
Now remember DO NOT CLICK the link if you are creimer! Not even a peek! I mean it now!
https://pastebin.com/jzYrfipr

Re:FatCashewsaLovesMe MUST READ

I heard a rumor that creimer plans to buy Slashdot for three cents.

Re:FatCashewsaLovesMe MUST READ

So it's like all your other plans then, Chris? They'll never happen? Is that what you're trying to say?

Re:FatCashewsaLovesMe MUST READ

https://pastebin.com/jzYrfipr

It's easy ^^^
Use the directions from the pastebin and we can create a secure communications channel backed by super serious uncreamable encryption!
The goal is for you to create a keyset of your own
Then use the public key provided in the pastebin you so that you can encrypt your public key before giving it to me.
Then post a link to a pastebin with your encrypted public key but use your fat cashews account so I know it's you.

After that only I will be able to decrypt your public key. So only I will be able to use it write you secret messages and you will be able to identify me as NOT_CREIMER.
After that we can sign and encrypt messages as AC if we want and nobody will even know which one of us is sending a secret message. He won't know what we're saying... but he'll know we're saying it!!!!

It's a pain in the ass a little bit but once we have a trusted channel we have the option of establishing a more convenient communications channel. Also the location of the 1tb of tranny porn must be protected with MILITARY GRADE ENCRYPTION because as creimer has said, most three letter agencies are staffed by former military sex tourist degenerates and they are likely to consume my entire monthly cloud bandwidth allocation if they know the location of that much girlcock

https://pastebin.com/jzYrfipr

Re:FatCashewsaLovesMe MUST READ

Chris' case is getting worse, he spends all day replying to himself as AC on /.

The tests we ran on Chris have shown that Chris has the intelligence of an ameba:
https://en.wikipedia.org/wiki/...

So, technically, he is able to conceive some kind of agenda but it will be silly or impossible to follow on a human scale.

For example, Chris had an agenda to post anything he felt like on Slashdot which did not work well because it was based on his false beliefs that he had an infinite number of karma points as he wrote here several times.

Several people here explained to Chris that karma maxed out at some level like 50 or so but Chris kept on insisting that his python script had confirmed that he had millions of karma points!

Oh well, as I wrote before: "It isn't Chris' fault if he is the way he is. We do the best we can do with him and he is partially integrated into society. We try to cure his abnormal need for attention but he is kind of stubborn and won't listen to anybody."

For the valuable /. users that might already have read the following, please note that there is an important update.

IMPORTANT UPDATE:
Special Education for the Santa Clara County Office of Education has invested money to buy Chris a new chair:
http://www.keynamics.com/image...

Information about Christopher Dale Reimer and autistic people:

Autistic people have obsessions about things normal people don't care. For example, one of our autistic patient went haywire when he realized that there was a penny missing in his pocket change.

To calm him down, one of our educator pretended to have found it on the floor and gave a penny to him.

The autistic patient condition went even worse because he realized it wasn't the same penny!

Chris has an obsession with budgeting every penny. He doesn't understand that most people do not budget to the penny and have a flexible amount they allow for miscellaneous items.

I am Nancy Guerrero and I am Director of Special Education for the Santa Clara County Office of Education. We use Chris' (a.k.a. creimer,cdreimer) picture in our document because he is the hardest case we have ever had to handle:
http://www.sccoe.org/depts/stu...

Our artists were inspired by the low carb diet that Christopher follows scrupulously for the small lunch box and by the picture linked below for the rest. I am sure that you will notice the similarities such as the bump on the side of his chest and more:
https://ibb.co/gVad65

Please be easy on Christopher although, I am aware that some of our staff handling Chris post joke comments here and obvoiusly, the Santa Clara County Office of Education disapprove that behavior vehemently:
http://ibb.co/mRVSaG

But it isn't Chris' fault if he is the way he is. We do the best we can do with him and he is partially integrated into society. We try to cure his abnormal need for attention but he is kind of stubborn and won't listen to anybody.

Thank You dear users,
---
Nancy Guerrero
Director
Special Education
Santa Clara County Office of Education

Re:FatCashewsaLovesMe MUST READ

Thank You!

Also, don't forget to participate in Team Creimer YouTube poll about being in favor of a 2 to 3 weeks government shutdown so help desk can install patches and vote yes.

--
Team Creimer for a 3 weeks government shutdown.

Re:FatCashewsaLovesMe MUST READ

creimer says he is going to post one comic con video every day in April but creimer lied to be a comic con affiliate and maybe win a t-shirt; By May, creimer will already have moved to his next get rich quick scheme!

Proof: He always lies! He also said that he would publish books in January but he has moved to the comic con/youtube get rich quick scheme instead!

Re:FatCashewsaLovesMe MUST READ

Your first step is to go to the website and generate a key pair.

After you have the key pair then take my public key from the pastebin and use that public key to encrypt your public key.

Put your encrypted public key somewhere that I can get it

I will decrypt it use it to write a message to you (That creimer can't read!) and then we can agree on some easier way to communicate without a bunch of hassle(Email, IRC, etc)

Comment removed

[account_deleted]

Comment removed based on user account deletion