Thrilling! Thank you OPM!

OPMI kept hearing about the data breach at the OPM. I thought to myself, “no big deal,” because I’ve never been a government employee. But then one of the articles I read spoke about a particular form. The form number seemed familiar.

Out of curiosity I checked my encrypted drive.

AHHHH SHIT!!!!

Yep, that’s a form I filled out while I was working for a government contractor.

DAMN! Checking some of the other forms and sure enough! There’s a TON of information that I provided to my employer. I’m sure that that information got sent at some point to the OPM, and is now in the hands of the Chinese.

I’m sitting here looking at my encrypted volume that contains this information thinking a couple of things.

CybersecurityFirst, I’m wondering why I take the security of this information so seriously? Why is it that I’ve spent the money to secure my data and theirs (some of the information contained in the forms I filled out for them also contains information that relates directly to THEIR projects) and am mindful of what data I have “live” on my system and what data I keep in cold storage? Cold storage in my life is something (like a drive) that is archival, MUST be turned on or attached directly to my computer and is encrypted.

Second, If I can secure my data with COTS (Commercial Off The Shelf) software why can’t our government?

Third, Why is the United States Government data vulnerable in the first place? We KNOW the safest computers are computers which are not connected to a network. Granted, that’s impractical because the government must share data.

Hearings

BUT  it is possible to isolate critical subsystems. One way to do that, don’t allow employees to transport any data offsite. No USB memory sticks or other media, and laptops are available only to those employees who absolutely need mobility. Employees using those laptops have VPN access to the corporate systems and for the most part those laptops when connected to the corporate VPN are Terminals in the old school meaning of terminals. ie dumb as a rock.

The point I’m making here is that the need for computer & network security isn’t new.  So why the hell hasn’t our government kept up with the needs for security?

Having seen the way government contracts work, I have a guess.

redtape

Imagine a situation where a bunch of cooks get in the soup and specify all manner of equipment down to the smallest detail. Once finished,  the specification goes from committee to committee and after a year or two the spec is approved, money is appropriated and the funds become available.

Our happy IT guys call a government approved vendor of equipment, and are told that equipment isn’t available anymore. Or worse yet, the equipment or software can be purchased but now it’s a custom build and will be 50% more expensive than the original product and by the way have significantly fewer capabilities than current off the shelf products costing significantly less than the originally specified equipment or software originally sold for.

Old terminal

So in the one case the specification process starts over again. In the other case the “approved equipment” is less capable,  yet more expensive, than the machine a hacker in China purchased on the internet yesterday.

Rather than the committees addressing the fundamental problem in terms of appropriations and approvals they’re content to keep failing. Meanwhile the security of government systems continues to fall further and further behind.

This isn’t a partisan issue. Regardless of what the administration might say. This is an epic systemic failure on the part of an entity that has access to all of our private data. A.K.A The United States Government.

UNIVAC

How do you solve this problem?

The simplest way is to allow the IT people, The REAL IT people, not the morons that built the healthcare.gov site, say “we need a router and after figuring out which is the best unit for the money… They BUY IT!

That should go for a single router or a RACK of routers.

Does Dianne Freakin Feinstein have a clue about the difference between a CISCO and a Barracuda? NO!

So why are people like Feinstein reviewing and voting on these appropriations bills or worse yet wasting time and money having hearings about shit they’ll never understand, when they should be letting the professionals do the job? You can tell pretty darn fast if an IT dept. is pissing money away and a quarterly budget review (again by IT pros who know what’s needed and what it costs) would keep the expenditures in check and at the same time maintain security.

I’ve got another dose of BAD news for you dear reader…

JihadiHacker

The longer our leaders put off fixing the government IT infrastructure, the more expensive it’s going to be.

Think about putting off having your brakes fixed on your car.

Brake pads cost $45 a wheel, Brake ROTORS cost $1000 a wheel. Most of us average folks learn the hard lesson, it’s always better to spend the $180 rather than spending the $1180. We all learn it once!

We never make that mistake again unless we’re wealthy, elitist,  over-educated, dumbasses.

Unfortunately, most of our politicians are the latter kind of people not the former.


Update 2015 06 19

As more comes out about this breach, I think it’s clear that the government IT people are not up to the challenge.

Here is a line to an ars Technica article titled Encryption “would not have helped at OPM says DHS official”

Below is the article minus the video.


Encryption “would not have helped” at OPM, says DHS official

archuleta-opm-640x359

Office of Personnel Management Director Katherine Archuleta would be happy to discuss the particulars of the OPM brief with Congress—in a classified briefing.

CSPAN

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.

Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”

When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM’s systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, “I would be glad to discuss that in a classified setting.” That was Archuleta’s response to nearly all of the committee members’ questions over the course of the hearing this morning.

At least we found it

Archuleta told the committee that the breach was found only because she had been pushing forward with an aggressive plan to update OPM’s security, centralizing the oversight of IT security under the chief information officer and implementing “numerous tools and capabilities.” She claimed that it was during the process of updating tools that the breach was discovered. “But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network and would not have been able to share that information for the protection of the rest of the federal government,” she read from her prepared statement.

Dr. Ozment reiterated that when the malware activity behind the breach was discovered, “we loaded that information into Einstein (DHS’ government-wide intrusion detection system) immediately. We also put it into Einstein 3 (the intrusion prevention system currently being rolled out) so that agencies protected by it would be protected from it going forward.”

But nearly every question of substance about the breach—which systems were affected, how many individuals’ data was exposed, what type of data was accessed, and the potential security implications of that data—was deferred by Archuleta on the grounds that the information was classified. What wasn’t classified was OPM’s horrible track record on security, which dates back at least to the George W. Bush administration—if not further.

A history of neglect

During his opening statement, Chaffetz read verbatim from a 2009 OPM inspector general report that noted, “The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance.” Similar statements were read from 2010 and 2012 reports, each more dire than the last. The OPM Office of the Inspector General only began upgrading its assessment of the agency’s security posture in its fiscal year 2014 report—filed just before news of a breach at a second OPM background investigation contractor surfaced.

Rep. Will Hurd (R-Texas), a freshman member of Congress, told the OPM executives and the other witnesses—DHS’ Ozment, Interior Department CIO Sylvia Burns, the new US CIO Tony Scott, and OPM Assistant Inspector General Michael Esser— that “the execution on security has been horrific. Good intentions are not good enough.” He asked Seymour pointedly about the legacy systems that had not been adequately protected or upgraded. Seymour replied that some of them were over 20 years old and written in COBOL, and they could not easily be upgraded or replaced. These systems would be difficult to update to include encryption or multi-factor authentication because of their aging code base, and they would require a full rewrite.

seymour-opm-640x359

Enlarge / OPM CIO Donna Seymour said that systems couldn’t simply have encryption added because some of them were over 20 years old and written in COBOL.

Personnel systems have often been treated with less sensitivity about security by government agencies. Even health systems have had issues, such as the Department of Veterans’ Affairs national telehealth program, which was breached in December of 2014. And there have been two previous breaches of OPM background investigation data through contractors—first the now-defunct USIS in August of last year, and then KeyPoint Government Solutions less than four months later. Those breaches included data about both government employees and contractors working for the government.

But some of the security issues at OPM fall on Congress’ shoulders—the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM’s investigation process told Ars, was essentially a company made up of “some OPM people who quit the agency and started up USIS on a shoestring.” When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—”a bunch of people on an even thinner shoestring. Now if you get investigated, it’s by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account.”

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?'”

Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM’s systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnify the problems the government faces in securing its networks, and OPM’s data breach may just be the biggest one that the government knows about to date.


<END>

Maybe Jeb is the better Candidate…

NewImage

I doubt he can overcome the Media and the family’s legacy.

Look, during George H Bush’s presidency, there were a lot of questions. Followed by 8 years of the Clintons. Then we had George W Bush for 8 years during which there were many questions, and honestly a never ending drone of main stream media pundits bitching about his presidency. 

There are a couple of things that I admit I liked about George W. He knew how to respect and honor the Servicemen in his security detail. He brought back uniformed military at the doors to the White House which the Clintons had mostly done away with. 

NewImage

Initially, on 9/11 I thought he was an ass because he continued his visit in that classroom. In retrospect I think I admire it.

If he’d jumped up and run out of the classroom, those kids would have thought they’d done something wrong. As President, George W would know that his people were collecting data, and trying to figure out what was going on, how big a threat we were dealing with etc. He’d be privy to any and all information if he was on AirForce One or in a classroom finishing a visit with children.

George W has passed mostly out of the public eye, I’ve noticed news articles from Texas describing his charity work with veterans and what appears to be a more relaxed George W. being a decent human being. I’ve grown to like him.

The problem is, Jeb Bush will never be able to step out of his Father and Brothers shadows. No matter what decision he makes about anything, he’ll always be compared to them. There will always be people assuming that he’s the avatar of the elder Bush’s.

NewImage

My mother had an intense dislike for Jeb Bush while he was Governor of Florida. She really hates Rick Scott and refers to him as Valdemort.

I think Mom hated Jeb primarily because he was about controlling government spending and improving education without raising taxes to do it.

That meant that the administrators in the Florida schools wouldn’t reduce their salaries or refuse to take a raise but they would instead make sure that the teachers didn’t get raises and that classroom supplies would be in short supply. The administrators would then tell the teachers it was because of “budget cuts”.

The thing is, “budget cut” implies money is being taken away. Not allocating MORE money to a budget is not a cut, its keeping the budget constant. Why do the media and many Democrats describe keeping the budget flat as a cut?

NewImage

Looking at Jeb’s record on Wikipedia I don’t think he was all that bad a Governor.

He reduced taxes, reduced the size of the state government vetoed 2 Billion in new spending, (a large part of which was a high speed rail boondoggle), and increased Florida’s financial reserves from 1.3 Billion to 9.8 billion.

My Mom was probably upset as an educator that he vetoed 6 million in grants to public library pilot projects to create homework centers, and create web based high school texts in Tampa.

Given that we’ve seen how horribly wrong that kind of thing can go in the Los Angeles Unified School District iPad debacle, perhaps Jeb was right. 

He used his line item veto to stop that pilot program, maybe the documentation he read about the project led him to believe that it would be money wasted. It didn’t mean that he’d never support a similar program. It meant he didn’t think that particular program was a good investment.

NewImage

The really sad thing is after reading his history, and the things that he’s championed, I’ve begun to think Jeb might actually make a good President. 

I just don’t want to hear the incessant bullshit about him being a “Puppet” or an extension of the Bush Dynasty for the next 5 years. 

Perhaps we need someone completely new, and unknown. Someone with vision and who’s committed to hope and change.

OH WAIT! We’ve been down that road already TWICE.

This country is without question more racist and divided than I can remember since the 60’s. Due in part to all that “Hope and Change”.

Maybe Jeb should be given another look, no matter what the assholes in the main stream media say.

One alternative is that you could elect me as President!

If the newscasters are freaking out about Jeb now… Wait ‘till they get a load of me!

Muhahahahahahahaha!

Old Stompy Foot is at it again

NewImage

I don’t admire the President’s policies or politics.

I do admire his single-mindedness of agendas. He managed to ram Obamacare down our throats apparently by capitalizing on weaknesses of the American people as Identified by Jonathan Gruber. 

Now, Ol Stompy is at it again. 

This time he’s intending to bypass Congress with an Amnesty plan which just a year ago he said wasn’t amnesty. We all know what this is and it’s got nothing to do with more voters, or helping the “Poor” immigrants. This is 100% about vindictiveness.

Obama ESB

The Democrats lost the midterm and got spanked pretty soundly. Stompy, is pissed off and he’s going to do everything in his power to punish the evil bastard conservative, American voters. Isn’t that what his whole administration has been built on?

Just look at the scandals

NSA — Spying on Americans (I’ll grant you that started after 9/11 but it shouldn’t have been continued.)

Weaponized IRS — Yeah Nixon was the first one to try that… As I recall that was part of what cost him the Presidency.

Isolation of certain members of the press for asking the wrong questions… Then subsequent investigation of those poor dumbasses by both the IRS and NSA. 

Now he’s talking about a flood of immigrants. Sure he’s going to say it’s just the folks who are already here.

But we all know that the flood gates will open and everyone will scramble to cross the border.  There will no doubt be a period of 30 to 60 days before the executive order takes effect, which will result in 1000s more unskilled people crossing the border. I mean how many gardeners, waiters, or fast food workers do we actually need?

(As an aside, when I wrote the line above, I thought, “jeezus man that’s a racist thing to say.” But I suppose if The President can refer to latinos as maids and fruit pickers I guess I’m not as far off as I thought I was. The irony is that when I was very, very, young in the South, we had orange groves and pecan groves full of migrant workers who happened to be black.)  

Of course The Presidents comment underscores for me just how out of touch he is with the average American. Maid? Really? I and most of the middle class wouldn’t know what to do with a maid if our lives depended on it. Hell, I can see myself cleaning up the house before the maid came in just so I wouldn’t be completely mortified. 

Maid? Yeah, right! Even when I was employed I had other things to spend my hard earned money on. Most of the time I was spending money just to make ends meet. I do my own yard work, make my own bed, cook my own food, and clean my own damn house, Mr President. I don’t come from the elitist background you apparently do.

Further, as I’ve asked before, what about the American kids of all stripes looking for that first job? Oh yeah, they don’t matter.

This seems to be all about reducing America to it’s knees, or creating a huge permanent Democratic voting block, or creating such racial polarization that the country tears itself apart. 

Does nationwide martial law suspend presidential elections?

Maybe this is just another stepping stone in Obama’s path to become a de-facto king.

Just one of those dark thoughts that flits through my mind sometimes.

By now you’ve heard…

Phyrewall 2014 Nov 06

Unless you’ve been living under a rock you’ve heard that the Democratic Party has lost control of the Senate. They lost control of the House a while ago. Now it looks like the people have spoken again.

I for one am glad to see it. 

Personally I’d hoped that The President would take notice and realize that this was the voice of the American people. I’d hoped that he would take it as a sign that We the People aren’t behind his agendas and that he couldn’t bully us or Congress into compliance.

Then I listened to his press conference yesterday. 

WOW!

Sad to say, The President still doesn’t see that deeply unpopular policies lead to loss of votes. Heck, all The President had to do was look at the Bush years. But apparently, he’s not one to pay much attention to history.

President Obama

The President will in all likelihood spend the remaining two years of his term as a lame duck. I doubt that he will be able to reconcile the rift that he helped to create between himself and the Republican party.

I do expect a flurry of activity on the part of the outgoing Congress designed to make the next Congress’s job much more difficult. I suspect that the Democrats will attempt to enact laws, change rules, and put various regulations in place to thwart any speedy changes when Congress resumes session in January.

Once those obstructions are cleared, I expect that we’ll see many new laws and modifications of old laws which will make the Republicans look like they’re very productive. The problem is, a lot of that “work” will probably be stuff the House voted on and sent to Harry Reid which then sat on his desk for who knows how long.

While the transition is going on, I expect The President to sign everything he can get his hot little hands on into law under executive privilege. 

I know, The President supposedly hasn’t used his executive privilege as much as his predecessor, but it’s not the NUMBER of times it’s the character of the use. Bush could have issued executive order that the White House toilet paper must be linen not paper. (That would be extravagant and wasteful but not criminal) The President has used executive privilege in ways that come very close to violating the Constitution.

CNN

So absolute numbers of Executive orders doesn’t really capture the tenor of the orders themselves, and is therefore an invalid measure.

I know, that will come as a surprise and disappointment to the talking heads in the Main Stream Media.

I’ve been enjoying the show the MSM has put on over this rout of the Democratic Party.

Watching Al Sharpton’s inarticulate grunting on MSNBC is worth having to throw my TV out after sullying it with MSNBC’s broadcast.

CNN was hysterically funny and their talking heads were stunned almost into silence as state after state reported Republican victories in Congressional seats and Gubernatorial races.

FrancesSalerno1 2014 Nov 06

I can understand the stunned silence, after all if you really believe that America is such a dark and terrible place it’s pretty much inconceivable that the party representing the right hand of Satan and all the ills besetting the country would be voted into office.

In some ways I almost feel sorry for the democrats.

They really, took a …. Well you know.

Election Day!

Gadsden Flag

Just a few more hours and the mud slinging will stop.

I don’t think mud slinging is a strong enough term, outright character assassination is more what these people are doing.

I’ll be very glad when all this is over. 

I’m heading out to vote this afternoon and then I think I’ll come home and watch movies all evening. 

I do wish I had a Gadsden flag T-Shirt. I think it would be appropriate to wear to the Polling place.

Even though this is a stinky election, please everyone go vote! Make your voice heard. It’s important to make our politicians hear us, especially when they get as deaf to their constituents as this lot have.

In the “Bet your butt on a machine,” category…

I have a friend who used to say, “Bet your ass on a machine and you’re going to get screwed.

This is ironic considering that later in his life he, by necessity had to do exactly that, literally! He’s still alive and kicking thankfully.

The reason I thought about my friend, his phrase, and the ATM machine that had just screwed me, is due to reports coming out of Illinois where voting machines have been reported (and recorded) switching votes from Republican to Democratic candidates.

The machines are sentient I tell ya, Next election cycle they’re going to demand full citizenship! Alright I’m taking off my tinfoil hat!

No I’m not that crazy, neither am I a believer that it’s a nefarious plot on the part of the Democrats to steal votes.

It’s a touch screen and while the units should be factory calibrated, it’s possible that a scratch protection screen has been added or replaced which has caused the factory calibration to be invalid.

This isn’t a plot to take over the world by the Democrats, I’d bet if the Republican candidate was the top listing that a vote for the Democratic candidate would be switched in the same fashion.  Of course it would be much bigger news then.

After all it would finally prove to the media and progressives, beyond a shadow of a doubt that Republicans sit at the right hand of Satan and are using their fell powers to take over the world…

It’s Skull & Bones, or the Illuminati I tell ya

Conservatives aren’t the only group who line their baseball caps with tin foil…

Here’s a link to the Breitbart Article and the Video.

 

I hope you al have a marvelous day and don’t forget to review your candidates, propositions, measures, and please make an informed choice at the polls next week. Just because the TV says something is good or bad doesn’t mean it’s so.

Read all the information you can about candidates and in the end, don’t vote for party, or perceived personal gain, vote your heart. Vote for  what you believe will be the best course of action for your country, state, county, and ultimately… Your neighbors.

Our Republic works if we participate.