Just some food for thought…


I wasn’t planning on another piece about Apple v. The FBI. But here goes…

For all those pundits, wags, celebrities, politicians, and now Rabbis speaking out and telling Apple that they should decrypt the San Bernardino shooter’s iPhone, I submit this.

Apple is apparently applying the thought Robert Oppenheimer had after he helped create the atomic bomb.

When you see something that is technically sweet, you go ahead and do it and you argue about what to do about it only after you have had your technical success. That is the way it was with the atomic bomb.
– J. Robert Oppenheimer

I believe this quote is often paraphrased as:

Just because you CAN do a thing, doesn’t necessarily mean you SHOULD do a thing.

I’ve lived my life using that paraphrase as a test for certain actions. I look at it as a cautionary signpost for all scientists and researchers.


Just because you can modify the DNA of influenza to deliver a genetic update to all the people of the world… should you? What about Murphy’s law? Can you really limit the unintended consequences?

OR is it simply better to recognize that never creating the technology is the best course of action?


All these people saying Apple should crack the phone have no idea what they’re talking about. It’s not an easy task, even for Apple. Cracking encryption isn’t what you see in the movies.

You don’t just plug a widget into a port, have some dialog about how cool you are and then hear a beep as the NSA computers start spilling all their information onto your impossibly small storage device.

At this point it’s unclear if the iPhone in question is using something as simple as a 4-digit code. It’s likely, but depending on the iOS version being used, the phone could be locked using a phrase.

If there’s a passphrase, the odds of success hacking it with a brute force attack drop precipitously with each character added to the passphrase length.
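As an added illustration (not from the original post) of the two points above, passphrase length and the auto-wipe, the model below assumes a fixed 0.08 s per on-device guess and an erase limit of 10 failed attempts; both are assumptions, not figures from the post.

```python
"""Why each extra passcode character matters, and why the erase-after-N-failures
setting matters even more.  Added illustration, not from the original post.

Assumptions (not stated in the post): a fixed on-device cost of 0.08 s per guess,
standing in for the key-derivation delay a phone imposes, and an erase limit of
10 failed attempts.  A 4-digit PIN has 10^4 candidates, a 6-digit PIN 10^6, and an
alphanumeric passphrase 62^n, so the keyspace grows by a constant factor per
character added."""

from dataclasses import dataclass

PER_ATTEMPT_SECONDS = 0.08   # assumed cost of one on-device guess
ERASE_AFTER_FAILURES = 10    # assumed "erase data after 10 failed attempts" setting

SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    charset_size: int   # distinct symbols available in each position
    length: int         # number of positions

    def keyspace(self) -> int:
        """Number of distinct passcodes the policy allows."""
        return self.charset_size ** self.length

    def success_chance_before_wipe(self, attempts: int = ERASE_AFTER_FAILURES) -> float:
        """Chance that a uniformly chosen passcode is hit within the allowed attempts.
        With the wipe enabled, this is all a guesser gets."""
        return min(1.0, attempts / self.keyspace())

    def seconds_to_exhaust(self, per_attempt: float = PER_ATTEMPT_SECONDS) -> float:
        """Worst-case time to try every passcode once the wipe and lockouts are gone."""
        return self.keyspace() * per_attempt


def length_needed(charset_size: int, budget_seconds: float,
                  per_attempt: float = PER_ATTEMPT_SECONDS) -> int:
    """Smallest length whose full keyspace takes longer than budget_seconds to exhaust."""
    length = 1
    while charset_size ** length * per_attempt <= budget_seconds:
        length += 1
    return length


def human(seconds: float) -> str:
    """Rough human-readable duration for a table."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


# Constructed policy set: a short PIN, a longer PIN, and two alphanumeric passphrases.
POLICIES = [
    PasscodePolicy("4-digit PIN", 10, 4),
    PasscodePolicy("6-digit PIN", 10, 6),
    PasscodePolicy("8-char alphanumeric", 62, 8),
    PasscodePolicy("12-char alphanumeric", 62, 12),
]


def compare(policies=POLICIES) -> list:
    """One row per policy: how much the wipe limit buys, and what removing it exposes."""
    return [
        {
            "name": p.name,
            "keyspace": p.keyspace(),
            "chance_within_wipe_limit": p.success_chance_before_wipe(),
            "exhaust_without_wipe": human(p.seconds_to_exhaust()),
        }
        for p in policies
    ]


if __name__ == "__main__":
    for row in compare():
        print(f"{row['name']:<22} {row['keyspace']:>26,}  "
              f"wipe-limited chance {row['chance_within_wipe_limit']:.2e}  "
              f"no wipe: {row['exhaust_without_wipe']}")
    print("digits needed to survive a 10-year exhaustive search:",
          length_needed(10, 10 * SECONDS_PER_YEAR))
    print("alphanumeric characters needed for the same:",
          length_needed(62, 10 * SECONDS_PER_YEAR))
```

With the wipe in place a 4-digit PIN is a 1-in-1000 lottery; with it removed the same PIN falls in minutes, while the alphanumeric passphrases stay out of reach under the assumed per-guess cost.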


The brute force attack that the FBI is describing is crude and there is no guarantee that if they win in court, forcing Apple to be their bitch, that when they finally get into the phone there won’t be a nasty little application that has encrypted all the files the FBI wants using an entirely different algorithm, from another manufacturer.  If that’s the case, is the FBI going to get another court order? Probably not, because this is about the FBI making an example. Apple just happens to be the biggest target. 

It’s just as likely this Jihadi fucker was using a messaging application that wiped the messages 5 minutes after they were read.


If the guy was at all concerned about security, he probably turned off all the Apple tracking software. I know I did right after Edward Snowden blew the whistle.

I’m not a criminal, but I value my privacy and am willing to forego my phone being able to tell me where the nearest Häagen-Dazs is, to maintain my privacy.

This means that Apple providing a custom operating system that disables the automatic wipe on the phone and allows unlimited access to the phone’s password system is likely not going to get the FBI anything more than they already have based on cell tower records.

By the way, because of the number of towers in the San Bernardino area, cell tower data can pinpoint the movements of this Jihadi asshole to within a couple hundred feet or less.


So the FBI is lying right from the get-go, when they say they want access to the phone so they can figure out where this Jihadi and his diseased rancid whore of a wife, were before, during the shooting, and after. 

The cell tower records would already provide that information, and if the guy turned off his phone while visiting some nefarious underworld figure, or dropped it in a Faraday bag or cage…

Then the FBI would still get nothing from the phone, because at that point the phone would have been cut off from the cell tower or any GPS information and likewise wouldn’t have been able to transmit any of that information.

But we know that the FBI has nine OTHER phones they want to force Apple to help them unlock. 


The problem here is that Apple has never created the software to unlock or hack their devices.

Why should they?

Apple tells you, “Don’t lose your password, we can’t help you if you do.”

So they have a secure device, and they can ensure the device’s security because they’ve never created any software to undo their encryption or their locking mechanism.

Just because you CAN do a thing, doesn’t necessarily mean you SHOULD do a thing.


Dear Apple customer… “If you lose your password, you can wipe the phone and start over. We strongly recommend you have the data backed up. Apple provides the iCloud service for this purpose.”

It’s recently come to light that the FBI ordered the San Bernardino County IT department to change the password on the iCloud account and therefore broke a link that could, with Apple’s help, have gained access to the phone.

Now the FBI wants to use a court order to force Apple to UNFUCK their fuckup. But that’s not the end game.

The end game is that the FBI wants to force manufacturers to build government backdoors into all devices. 


The FBI is using “terrifying terrorists” and criminals to spook Congress and the courts into passing legislation that mandates government access be built into all machines. They and their supporters are using the time-honored B.S. line:

“For the safety and security of the public…” or that old favorite, “We do this for THE CHILDREN.”

I’m not sure I believe in the slippery slope argument but I do think it’s a very short walk to losing rights that we’ll never get back.

That walk begins with statements that start out, “It’s worth losing a little privacy, or freedom, or changing the laws, or, or, or, for safety.” See: The Patriot Act.

When I see our government behaving this way, and I hear people saying, “it’s just a little invasion,” I can’t help but think of the poem The Hangman.


I could see a time in the future when it’s illegal for you not to have your phone on your person.

After all, the government would only want to keep track of your movements and communications to ensure your safety… Right?

Back doors in our devices are, I think, just a stepping stone to full surveillance.

You have nothing to fear, if you have nothing to hide.

1.1 Trillion?

Oh if I could have the overnight interest on that!

It takes that kind of money to run our government?

I can’t help feeling like I’ve been the recipient of BAD TOUCH!

After this, I think we need a President and a Congress that has never been politicians. Some reports suggest that the Omnibus is loaded with so much pork it’s bacon scented.

Sarah Palin’s quip about the GOP made me blow coffee out my nose this morning.

They did it again. But like a battered wife, we keep going back because every four years they bring us flowers, beg our forgiveness, and swear they’ll never hit us again.
– via Breitbart

I don’t know that I agree with all Mrs. Palin’s points, but I do think that this Omnibus should have been ONLY about funding the actual government. The other porky stuff should have been debated individually and each item decided on its own merit.

Mrs. Palin makes another comment that stuck out.

Basically, everything commonsense conservatives despise – and Republicans promised to put an end to if elected – was funded by this omnibus.
– via Breitbart

I guess that’s why I feel dirty this morning.

Read this today and feel like it’s a Red Pill Blue Pill situation


Funny, when I typed the title, I just now got the metaphor.

Hey, when I’m watching SciFi I’m watching the story, not looking for deep political meaning. Hell, I don’t even remember which pill Neo took to escape the Matrix.

I’d sign up for the Mars Colony mission if I could avoid all the political bullshit.


Unfortunately, when you think about it, the Mars Colony mission is fraught with political issues and since the mission is one way and everyone is expected to die on Mars…

Well… just imagine having a political disagreement and having to worry about being “Spaced” on the way there, or getting tossed out on the Martian surface without a suit.

Anyhooo…

The Conservatives are saying that Trey Gowdy’s committee “won” because they got Hillary Clinton to sorta admit that there was some illegality in her dealings as Secretary of State.

Salon, on the other hand, likens the hearings to McCarthyism or the Salem Witch Trials. The author goes so far as to say that Hillary trounced the evil Republicans.

To some extent I agree that the Hearings have gone well beyond Benghazi.


To sum up what I think we know:

  1. The unrest in Benghazi was not the result of a YouTube Video
  2. The “Embassy” was not secure
  3. The Ambassador requested additional security and his request was either denied or ignored.
  4. The British and several other embassy missions had already left Benghazi due to local unrest and Libyan inability to protect diplomatic personnel and those missions.
  5. Hillary Clinton has repeatedly lied about the events in Benghazi, as has the White House, and State Department.
  6. The Ambassador and security people were killed during a coordinated attack – NOT A PROTEST, on a US embassy.

What we don’t know is what Hillary Clinton, President Obama, and the State Department were/are covering up.

Not directly related to Benghazi, we know that Hillary has also broken laws and ignored White House guidance regarding her email server. We also know that Hillary has lied about this and other things too.


It’s human nature to keep picking at a lie. I think in the case of a lawyer, that nature is magnified by a factor of at least 100. Trey Gowdy is a lawyer and former prosecutor. As long as Hillary keeps lying, his nature won’t let it go.

It’s not about destroying Hillary; it’s about Hillary looking him in the face, smiling, and lying.

She knows she’s going to get away with whatever the hell she’s done. As a prosecutor, Gowdy’s nature is to run the bullshit to ground, expose the crime in all its hideous detail, and demand justice.

You can’t blame a leopard for having spots, or for not being able to change them.

I personally think that Hillary Clinton is guilty as sin for any number of things. I think she should be in prison and I believe that Hillary Clinton is not fit to be President. Were she anyone else, her career, campaign, and life in the public eye would already be over.

Scandals follow her like dark clouds. She has repeatedly behaved as though she was above the law. The implosion of her career and campaign should it happen, will not be due to the Republicans, or Trey Gowdy, it will be by Hillary Clinton’s own doing.


My beliefs, however, are irrelevant; the facts are not. It is the facts that Gowdy’s committee is trying to get at, and it is the right of the American people to have those facts.

As the writer in Salon points out, the side benefit for the evil Republicans is that Hillary gets knocked out of the running for the Presidency.

I think that would be best for the Country but I’m only one voice. I don’t believe these hearings are about destroying Hillary.

I do believe there is more than enough smoke surrounding these hearings to justify investigation into every single lousy transaction, donation, and donor to The Clintons and their foundation.

As I read through the contradictory reports on Hillary’s Benghazi appearance, I found myself asking, “isn’t it the best interests of both the Democrat and Republican parties to put this to bed? Instead of the Democrat leaders rallying around Hillary shouldn’t they instead be rallying around the truth? ”


Every time I see or hear Elijah Cummings I want to grab him, shake him, and ask if the truth is important to him then why does he obfuscate and waste time in every hearing?

Why not, instead become a champion for expeditiously getting to the bottom of all the allegations?

Why isn’t HE asking Hillary Clinton questions like, “WHY does it take an FBI investigation to get the information that this Committee requested two years ago? WHY, Mrs. Clinton have you been hiding material and wasting the tax payer’s money by confounding and drawing this hearing out? WHY Mrs. Clinton are we STILL here having to tease the facts out of you, your staff, and even the State Department?”

Both parties should be asking those kinds of questions, not playing partisan politics.

It shouldn’t matter which color pill you’re taking, truth and reality should trump either of them.

Not a “Hero”


Kim Davis is not a hero, no matter what the religious right or ultra conservatives say.

She is a very narrow-minded person who is a classic case of a person living in a glass house throwing stones.

She’s a hypocrite and spectacular failure at marriage, not to mention an adulteress and obvious fornicator, both I should point out were punished harshly under biblical law.

When she starts spouting about religion, and God, and all that stuff, all I can think is that she’s damn lucky she’s living in the United States now. Just a hundred years ago she’d have been in much different circumstances. Even today, if she were in the Middle East she’d be stoned.


Mrs. Davis is in jail for defiance of the law, and rightfully so.

She defied multiple court rulings and a direct order from the governor of the state. I argue that she should have been FIRED for failure to do her job and obstructing others in her office in the completion of their jobs.

Mrs. Davis as a public official is required to execute the lawful duties of her position. She can take vacation time to picket a law she doesn’t agree with. She can speak out against the law. She can hold prayer vigils, and light candles. She’s welcome to handle rattlesnakes and scorpions and spiders, while asking God to make the gay go away, for all I care.


What she CANNOT do is pick and choose which laws she will obey. She’s not allowed to look at her job as a buffet.

As I was thinking about it, I pictured that if Mrs. Davis were not the clerk, and instead the clerk had been a devout old-school Catholic, Mrs. Davis wouldn’t have been issued a marriage license due to religious reasons. Think about it: in the eyes of the church she wouldn’t be divorced unless her former marriage(s) were annulled. Henry VIII had the same problem; the Catholic church’s refusal to grant him divorces resulted in several murders and the creation of the Church of England.


Had my hypothetical situation occurred, Mrs. Davis would have been screaming bloody murder about the violation of her legal rights, by a religious zealot. It’s doubtful that anyone would be rallying to a Catholic clerk jailed for refusal to issue marriage licenses to a known adulterous person. That whole religious argument cuts both ways. 

Neither Mrs. Davis nor any of the other people across the nation refusing to issue marriage licenses or perform their legal duties are heroic; they’re misguided hypocrites using religion to selectively deny a specific group of people the ability to enter into a contract.

Yes! It’s a contract, nothing more.


The contract, put simply, says “We’re gonna share everything equally; if you die it’s all mine, if I die it’s all yours.” This contract is freely entered into, and broken, thousands of times a day. There is nothing special or divine about it except the specialness the participants bring to their joining and the fact that the state (the government) recognizes and enforces the financial aspects of the contract.

The state was essentially providing privileged status (which was otherwise unavailable to non-members of the class) to selected members of the population. If that’s not segregationist and unfair, I don’t know what is.

The minute GLBT soldiers were accepted in the military, the government had a problem. Two service people married in a state which allowed same sex marriage were entitled to survivors benefits. But if that couple was transferred to a state which did not recognize same sex marriage, what is their status then?

Can you prosecute adultery under the UCMJ in a state where two gay people aren’t legally married anymore? Does the military still pick up the tab for spousal healthcare? Are survivor benefits still payable?


The legal wrangling could have, and probably would have, gone on for years. The government’s only logical choices were to forbid same-sex relationships in the military, OR simply allow any two consenting adults to be married. The court decided in favor of the simplest, fairest, and most direct solution based on common sense.

We’re all equal under the law. Marriage is an important aspect of many people’s lives; we should all be allowed to participate equally in every aspect of our society.

If these hypocritical religious people were really smart, they’d be going to school to become wedding planners and divorce attorneys. I have a feeling these will be the next growth industries.


Since I started writing this I noticed that Mrs. Davis has doubled down on her stupidity. Now she’s asking the 6th circuit to exempt her from following the law and the governor’s orders.

Why the hell doesn’t someone relieve her of her JOB? That would spare her all the pain to her soul, and spare those of us who call the South home, and specifically those of us who grew up in Kentucky, continued embarrassment.

Can’t take it anymore…


I’ve been pointedly ignoring all the bullshit about Trump, the billion or so goofball Republican candidates, Megan Kelly (Who the hell is she?) And Hillary freakin Clinton.

I can’t remain silent anymore.

Hillary Clinton should be in Leavenworth, in a deep dark hole of a cell, shackled and awaiting trial. The FBI should have picked her happy ass up wherever the hell she was on the campaign trail the moment it was discovered that she had sent classified material over her private little server.


I’m not talking about material that has since been classified, or material that has been declassified, because there is no distinction. The business of the State Department of the United States of America should by default be considered Confidential, if not Classified, from the get-go. That’s why the United States has a whole bunch of Operational Security specialists, and requires employees and contractors to be re-certified in Operational Security every six months to a year (depending on the materials employees are handling), just to keep it straight. And the rule of thumb is: ASSUME a document is Classified and you’ll never go wrong.


Which means this private email server should never have been allowed to exist. Innumerable agencies within the government who are charged with maintaining the security of the United States had to know about this server, its location, and its security status. They were told to “ignore it” because… why?

If I’d done what Hillary did… I’d be lucky to be sitting in Leavenworth. I think it’s more likely I’d have been sent someplace really nasty, provided the government didn’t put me on trial for treason then shoot me.


I don’t think treason can be proven but the government tends to “over charge” in this kind of litigation because they want to make sure you don’t get off on a technicality.

One only has to look at the case of Aaron Swartz as an example.

Swartz was simply making academic articles available via a P2P network from JSTOR, and the issue had been settled between JSTOR and Swartz when the Federal Government stepped in. Once involved, the Feds slapped Swartz with 13 criminal charges carrying a potential 35 years in prison and $1 million in fines. The case was pending when Swartz killed himself. By the way, most if not all of the information Swartz distributed was free, and still is today. I think the majority of Swartz’s crime was that he used the P2P distribution system to bypass JSTOR’s requirement for you to be a registered subscriber. I’m not clear on whether he was costing JSTOR money.

So here we have a guy who’s maybe costing someone a little cash.


Then we have Hillary who, for her own convenience hired a company that appears to have been unvetted by the US government, whose employees were apparently not subject to background security checks, to set up a server outside the control of the US government, handling Classified material and emails from one of the highest levels of the US government.

As the onion got peeled, Hillary denied that classified emails were on the server. (Turns out there were classified emails on the server.) Hillary then said SHE decided what was important to turn over to the government, and deleted the rest of the information. Uhh, that’s not how this works, ma’am. Now we’re finding out that the security of the server is in question. (Was there encryption? Who had physical access to the machine?)


Hummm. IS IT JUST ME?

I thought rules and the law were supposed to apply equally to everyone. Yet here we have a clear example of someone who is not only above the law and social constructs, but they are still running a campaign to become President!

For God’s sake people, we’ve burned other politicians down for far less.

It’s well past time to force Hillary out of the Presidential Race.

This is not the kind of elitism we need in our government. We don’t need another liar in the White House. We don’t need yet another person in office who doesn’t understand and obey the rules.

I admit, I look forward to Hillary’s arrest for Contempt of Congress. That will be a day to be watching CSPAN.


Thrilling! Thank you OPM!

I kept hearing about the data breach at the OPM. I thought to myself, “no big deal,” because I’ve never been a government employee. But then one of the articles I read spoke about a particular form. The form number seemed familiar.

Out of curiosity I checked my encrypted drive.

AHHHH SHIT!!!!

Yep, that’s a form I filled out while I was working for a government contractor.

DAMN! Checking some of the other forms and sure enough! There’s a TON of information that I provided to my employer. I’m sure that that information got sent at some point to the OPM, and is now in the hands of the Chinese.

I’m sitting here looking at my encrypted volume that contains this information thinking a couple of things.

First, I’m wondering why I take the security of this information so seriously. Why is it that I’ve spent the money to secure my data and theirs (some of the information contained in the forms I filled out for them also contains information that relates directly to THEIR projects) and am mindful of what data I have “live” on my system and what data I keep in cold storage? Cold storage in my life is something (like a drive) that is archival, MUST be turned on or attached directly to my computer, and is encrypted.

Second, if I can secure my data with COTS (Commercial Off The Shelf) software, why can’t our government?

Third, why is the United States Government data vulnerable in the first place? We KNOW the safest computers are computers which are not connected to a network. Granted, that’s impractical because the government must share data.


BUT it is possible to isolate critical subsystems. One way to do that: don’t allow employees to transport any data offsite. No USB memory sticks or other media, and laptops are available only to those employees who absolutely need mobility. Employees using those laptops have VPN access to the corporate systems, and for the most part those laptops, when connected to the corporate VPN, are Terminals in the old-school meaning of terminals, i.e., dumb as a rock.

The point I’m making here is that the need for computer & network security isn’t new. So why the hell hasn’t our government kept up with the needs for security?

Having seen the way government contracts work, I have a guess.


Imagine a situation where a bunch of cooks get in the soup and specify all manner of equipment down to the smallest detail. Once finished, the specification goes from committee to committee, and after a year or two the spec is approved, money is appropriated, and the funds become available.

Our happy IT guys call a government-approved vendor of equipment, and are told that equipment isn’t available anymore. Or worse yet, the equipment or software can be purchased, but now it’s a custom build and will be 50% more expensive than the original product, and by the way will have significantly fewer capabilities than current off-the-shelf products that cost significantly less than the originally specified equipment or software sold for.


So in the one case the specification process starts over again. In the other case the “approved equipment” is less capable, yet more expensive, than the machine a hacker in China purchased on the internet yesterday.

Rather than the committees addressing the fundamental problem in terms of appropriations and approvals they’re content to keep failing. Meanwhile the security of government systems continues to fall further and further behind.

This isn’t a partisan issue, regardless of what the administration might say. This is an epic systemic failure on the part of an entity that has access to all of our private data, a.k.a. The United States Government.


How do you solve this problem?

The simplest way is to allow the IT people, the REAL IT people, not the morons that built the healthcare.gov site, to say, “We need a router,” and, after figuring out which is the best unit for the money… They BUY IT!

That should go for a single router or a RACK of routers.

Does Dianne Freakin Feinstein have a clue about the difference between a CISCO and a Barracuda? NO!

So why are people like Feinstein reviewing and voting on these appropriations bills or worse yet wasting time and money having hearings about shit they’ll never understand, when they should be letting the professionals do the job? You can tell pretty darn fast if an IT dept. is pissing money away and a quarterly budget review (again by IT pros who know what’s needed and what it costs) would keep the expenditures in check and at the same time maintain security.

I’ve got another dose of BAD news for you dear reader…


The longer our leaders put off fixing the government IT infrastructure, the more expensive it’s going to be.

Think about putting off having your brakes fixed on your car.

Brake pads cost $45 a wheel; brake ROTORS cost $1000 a wheel. Most of us average folks learn the hard lesson: it’s always better to spend the $180 rather than spending the $1180. We all learn it once!

We never make that mistake again unless we’re wealthy, elitist, over-educated dumbasses.

Unfortunately, most of our politicians are the latter kind of people not the former.


Update 2015 06 19

As more comes out about this breach, I think it’s clear that the government IT people are not up to the challenge.

Here is a link to an Ars Technica article titled “Encryption ‘would not have helped’ at OPM, says DHS official.”

Below is the article minus the video.


Encryption “would not have helped” at OPM, says DHS official


Office of Personnel Management Director Katherine Archuleta would be happy to discuss the particulars of the OPM brief with Congress—in a classified briefing.


During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.

Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”

When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM’s systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, “I would be glad to discuss that in a classified setting.” That was Archuleta’s response to nearly all of the committee members’ questions over the course of the hearing this morning.

At least we found it

Archuleta told the committee that the breach was found only because she had been pushing forward with an aggressive plan to update OPM’s security, centralizing the oversight of IT security under the chief information officer and implementing “numerous tools and capabilities.” She claimed that it was during the process of updating tools that the breach was discovered. “But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network and would not have been able to share that information for the protection of the rest of the federal government,” she read from her prepared statement.

Dr. Ozment reiterated that when the malware activity behind the breach was discovered, “we loaded that information into Einstein (DHS’ government-wide intrusion detection system) immediately. We also put it into Einstein 3 (the intrusion prevention system currently being rolled out) so that agencies protected by it would be protected from it going forward.”

But nearly every question of substance about the breach—which systems were affected, how many individuals’ data was exposed, what type of data was accessed, and the potential security implications of that data—was deferred by Archuleta on the grounds that the information was classified. What wasn’t classified was OPM’s horrible track record on security, which dates back at least to the George W. Bush administration—if not further.

A history of neglect

During his opening statement, Chaffetz read verbatim from a 2009 OPM inspector general report that noted, “The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance.” Similar statements were read from 2010 and 2012 reports, each more dire than the last. The OPM Office of the Inspector General only began upgrading its assessment of the agency’s security posture in its fiscal year 2014 report—filed just before news of a breach at a second OPM background investigation contractor surfaced.

Rep. Will Hurd (R-Texas), a freshman member of Congress, told the OPM executives and the other witnesses—DHS’ Ozment, Interior Department CIO Sylvia Burns, the new US CIO Tony Scott, and OPM Assistant Inspector General Michael Esser— that “the execution on security has been horrific. Good intentions are not good enough.” He asked Seymour pointedly about the legacy systems that had not been adequately protected or upgraded. Seymour replied that some of them were over 20 years old and written in COBOL, and they could not easily be upgraded or replaced. These systems would be difficult to update to include encryption or multi-factor authentication because of their aging code base, and they would require a full rewrite.

Image caption: OPM CIO Donna Seymour said that systems couldn’t simply have encryption added because some of them were over 20 years old and written in COBOL.

Government agencies have often treated personnel systems with less security sensitivity than other systems. Even health systems have had issues, such as the Department of Veterans Affairs national telehealth program, which was breached in December 2014. And there have been two previous breaches of OPM background investigation data through contractors: first the now-defunct USIS in August of last year, and then KeyPoint Government Solutions less than four months later. Those breaches included data about both government employees and contractors working for the government.

But some of the security issues at OPM fall on Congress’ shoulders—the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM’s investigation process told Ars, was essentially a company made up of “some OPM people who quit the agency and started up USIS on a shoestring.” When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—“a bunch of people on an even thinner shoestring. Now if you get investigated, it’s by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account.”

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?'”

Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM’s systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnifies the problems the government faces in securing its networks, and OPM’s data breach may just be the biggest one that the government knows about to date.
