How much info did hackers steal on US spies? Try all of it

If the latest reports are true and Chinese hackers have managed to pilfer as much data about US government employees in sensitive positions as is thought, the Obama administration may be headed for a serious intelligence crisis. According to an Associated Press report on Friday, hackers linked to China may have compromised …


  1. silent_count

    If you have nothing to hide, you have nothing to fear.

    1. Anonymous Coward
      Thumb Down

      That's not the point

      Feel free to fill one out and post it. For people whose major asset is their Facebook account, it might not matter, but it does to the rest of us.

      I, for one, have something to hide from hackers: my name, address, and SSN, to start. Not to mention those "verify your identity" questions like high school, street I grew up on, mother's maiden name, etc.

      And I'll point out, the forms and other information that was stolen were from people who had passed their security clearance.

      1. Eddy Ito

        Re: That's not the point

        "Not to mention those "verify your identity" questions like high school, street I grew up on, mother's maiden name, etc."

        Those questions are worse than useless since most of it is public information. You graduate high school - it's in the paper, your address was recorded by the registrar of deeds, your parents' marriage license is recorded somewhere and their proud parents (your grandparents) undoubtedly had an announcement in the paper. Sure, it's a bit of work but it's all there and when you consider a good number of people still live in the town they grew up in it's quite a bit easier. Kids of career military might be a little harder to pin down if they moved several times but not too much since there are very detailed records of that too.

        1. Doctor Syntax Silver badge

          Re: That's not the point

          "most of it is public information"

          So it is but for any one person it takes time, effort & expense to locate as anyone interested in genealogy will tell you. You may run into multiple people with the same names and have to devote more time to sorting them out. Having it all neatly laid out by the data subject saves an awful lot.

      2. Trevor_Pott Gold badge

        Re: That's not the point

        "For people whose major asset is their Facebook account, it might not matter, but it does to the rest of us."

        It matters to everyone, or it matters to no one. You do not get privacy for the privileged but not for the proles. That's how revolutions start.

        1. Anonymous Coward

          Re: That's not the point

          Throughout the long recorded history of mankind, I've noticed one universal. So long as those who consider themselves one of the "middle-class" are treated well, their lot improving, and their "rights" (social privileges) untrammeled, they go with the program, whatever program has been selected by those (perceived to be) in charge. When that contract is broken, revolution is not far over the horizon.

          You can drape this in philosophical, economic, political science, psychological, or other frameworks, it matters not. History is very unforgiving.

          1. Dan 55 Silver badge

            Re: That's not the point

            The trick is the government distributing enough wealth to the population to keep them happy. Very few countries actually manage it.

            On the subject of wealth, this is the proof that your data is worth something.

            1. Anonymous Coward

              Where's the data-breach posted? is it on pastebin yet??

              there are a few names that I'd like to cross-check

              Bliar

              various Milipedes

              etc

              wealth you say?

        2. Tom 7

          Re: That's not the point

          @ Trevor_Pott That's how revolutions used to start - ooh look topless girl on a mountain!

      3. Graham Marsden

        @HildyJ - Re: That's not the point

        I think your Irony Detector malfunctioned.

        (At least I *hope* the OP was being ironic...)

      4. Anonymous Coward

        @HildyJ "verify your identity" questions

        Only a moron answers truthfully to those security questions that are a plague on websites everywhere, asking what high school you went to, the name of the street you lived on when you were in third grade, etc. No matter how good of a password you choose, if you answer these questions truthfully you may as well have used "password1" for your password since it takes almost no effort to find many of these answers for the average person and email the "forgot password" link to reset their password.

        It is sad that those same questions are used to verify your identity when you try to access your credit report since that's probably already been pulled for all the high value targets on the list, but considering the scale of this breach the ability of the Chinese government to access your credit report is like adding a firecracker to a bonfire.

        Guess I'm lucky that even if they got my info the Chinese government wouldn't have any interest in me since my stint as a contractor was nearly a decade ago and I don't have any friends who are Chinese nationals.

        No doubt the US has broken into similar databases for most countries in the world, except for those too backward (or too smart?) to have digitized them.

        1. Dr Gerard Bulger

          Re: @HildyJ "verify your identity" questions

          What annoys me about these security questions is that banks and others, such as SKY TV/Broadband INSIST that they will only correspond by telephone. I am on an analogue telephone, which can be hacked into by anyone with a pair of crocodile clips. Sky will not give any email address and their web chat then says RING in if you want anything done. Banks respond even to letters, hand written, by a phone call to confirm what I wrote, because reading is beyond them. Oh no, you have to ring and to blurt out bits of passwords and those security questions over an open line. Then they transfer you to another department who make you do the whole thing over again. I think I must have given my details to six different people with SKY once. Telstra in Australia no better.

          1. x 7

            Re: @HildyJ "verify your identity" questions

            "banks and others, such as SKY TV/Broadband INSIST that they will only correspond by telephone"

            simple reasons for that:

            1) dealing with an enquiry by phone means there is no paper record to scan / read / analyse / action and file. Everything happens and is logged during the call with the operative keying the record there and then

            2) companies invest a lot of capital in setting up call centres and they want to sweat the assets - put as much work through them as possible

            3) every call to a call centre is a potential sales opportunity. You'd be surprised at how many complaint calls can be reversed into a new sale or upgrade

            Sorry this is a diversion from the thread but I felt the point required answering

          2. Tom 13

            Re: they will only correspond by telephone.

            Be thankful they do.

            The "free security" OPM is offering as a result of the breach? Yeah that's right government is distributing the notification in unsigned email asking those who have been affected to go to a website to register. If you have the temerity to call them, they refer you to their website while keeping you on indefinite hold. Absolutely no chance for fraud there sir, none whatsoever.

      5. JeffyPoooh
        Pint

        Re: That's not the point

        "verify your identity"

        Yeah. Questions with 'secret' answers that only you know, but you keep telling the answers to anyone that asks.

        The stupidest security concept in history.

    2. Anonymous Coward

      if you have nothing to hack, you have nothing to fear

      TFTY

    3. Neil Stansbury

      Wrong

      You have everything to fear...

      Because you have no idea how that information will be used today or what inferences will be drawn from it tomorrow, or indeed who your conveniently collated life history will be passed on to - intentionally or unintentionally.

      People who suggest you have nothing to hide live in cloud cuckoo land, whereby talentless, unqualified politicians & civil servants don their super-hero capes and upon their white steed come riding out of the sunset to your rescue.

      Dream on.

      The simple reality is this, if you genuinely have nothing to hide, then you have nothing worthwhile sharing, so keep your mouth shut and hide as much as possible.

      1. Mark 85
        Big Brother

        @ Neil S -- Re: Wrong

        It is funny in many ways (funny = scary) how information is passed around. I recently had need to log on to UPS (United Parcel Service) which meant "open an account". Instead of my filling in the blanks as I remembered things or wanted to put in... they were asking questions from 20 years ago AND telling me if I got the answer wrong. Needless to say, I didn't open the account, I called instead and quickly rectified the issue. If they are getting wrong data, let 'em have it. The scary part is, what if they were getting it right? Where did it come from? Who else has access to this?

        Do I have anything to hide? Just my identity as far as financials go. Do I have anything to fear? You bet. There's already too much out there. I realize it's not "am I going to be a victim?" but rather "when am I going to be a victim?".

    4. Anonymous Coward

      Post-Snowden, I'd naturally assume these were in some sort of unmaintained and unpatched SharePain server.

      If you have nothing to hide, you use M$ warez. In other words, if you use any of their products, but don't have the time or budget to constantly sit around to patch and reboot every other day, assume your data will be compromised sooner or later.

    5. Anonymous Coward

      You must understand the background.

      "If you have nothing to hide, you have nothing to fear."

      That's actually not the point of deeper security vetting. Deep security vetting is not a pass/fail process (although the data contributes to a final decision), it is a risk assessment that is actually in your interest.

      Such an assessment seeks to discover where an adversary might seek to coerce or pressure you into cooperating, and plan accordingly. It means that some work may be a personal risk to you, or that you may be very suited to some work because you do not have a weak spot there.

    6. hymie

      You are a dumbass.

  2. Anonymous Coward
    FAIL

    Lots of people have to fill this out

    As a retired fed, I wanted to clarify something. When people hear "security clearance" they think military and intelligence people but the use of security clearances in the US Government is much more widespread. Many people in positions considered "sensitive" for reasons other than military secrets are required to fill out this form. In addition to text/PDF records, the government also collects digitized pictures and fingerprints (although I don't know if OPM gets those).

    1. Charles 9

      Re: Lots of people have to fill this out

      But it's still a veritable one-stop shop for identity theft, which itself has serious security consequences.

      1. Anonymous Coward

        Re: Lots of people have to fill this out

        One stop shop? In a shop you usually have to pay. Here the Feds have given the data away.

        Having said that, I wouldn't put it past the bureaucrats to have allowed this to happen because it can now be used to "justify" a vast increase in offensive operations against China et al, and it gifts them the ultimate budget defence of "if our budget gets cut we won't be able to secure your personal data".

        Never forget that the purpose of a bureaucracy is quite singular, and that is to grow and sustain itself even at the expense of the host organism.

        1. edge_e
          Facepalm

          Re: Lots of people have to fill this out

          It's ok, it doesn't ask for the name of your first pet

          1. Hollerith 1

            Re: Lots of people have to fill this out

            Not name of first pet? Whew! My password is safe.

            1. breakfast Silver badge
              Coat

              Re: Lots of people have to fill this out

              And so is my Porn Name!

          2. Philip Lewis

            Re: Lots of people have to fill this out

            Actually, first pet is the one I always choose. There are only 5 living people who know the answer to this one.

            1. Anonymous Coward

              Re: Lots of people have to fill this out

              As long as you don't put your first pet's name on the security clearance form, you should be fine.

        2. Ole Juul

          Re: Lots of people have to fill this out

          "One stop shop? In a shop you usually have to pay."

          It's a loss leader.

    2. Robert Helpmann??
      Childcatcher

      Re: Lots of people have to fill this out

      "Many people in positions considered "sensitive" for reasons other than military secrets are required to fill out this form."

      Exactly. Also, the constant refrain from the press on this is that it is all about government employees, but it affects everyone who has filled out one of these forms, including contractors, retirees and those who merely applied for a position but never were hired.

      1. Anonymous Coward

        Re: Lots of people have to fill this out

        It also covers ex-employees of UK organisations who had even relatively short secondments :-( although it was made up of fewer pages 10 years ago

    3. John Smith 19 Gold badge
      Happy

      Re: Lots of people have to fill this out

      "As a retired fed, I wanted to clarify something. When people hear "security clearance" they think military and intelligence people but the use of security clearances in the US Government is much more widespread. Many people in positions considered "sensitive" for reasons other than military secrets are required to fill out this form. In addition to text/PDF records, the government also collects digitized pictures and fingerprints (although I don't know if OPM gets those)."

      I'd read various memoirs of US Govt types mentioning the Draconian application form.

      So "Spy" really is a documentary?

    4. Anonymous Coward

      Re: Lots of people have to fill this out

      "...digitized pictures..."

      This line of reasoning leads to full burkas for everyone.

  3. Anonymous Coward

    Fail

    I believe el Reg here has to add a special fail icon, double-sized with extra swiss cheese (because holes).

  4. Anonymous Coward

    Perhaps they plan to flog it on Tor in order to recoup some of TREEEEEEEELIONS in "loans"

  5. Mark 85

    This is rapidly becoming a world laughing stock

    And deservedly so... I'm just waiting to hear what else has been lifted like maybe social security information, immigration information, etc. Yes a super massive FAIL to the government for not providing the security the data deserves. Congress is just as much to blame as I'm sure they've slashed IT budgets left and right. They want the data slurps but won't protect the people's information.

    I fear the worst is yet to come.....

    1. Charles 9

      Re: This is rapidly becoming a world laughing stock

      Probably some financial bombshell that instantly kills global trust in the Dollar.

      1. Anonymous Coward

        Re: This is rapidly becoming a world laughing stock

        "...global trust in the Dollar"

        WTF?

        What trust?

        Have you mistaken circumspect pragmatism for trust?

        1. Charles 9

          Re: This is rapidly becoming a world laughing stock

          It's still trust in a sense; otherwise the world would've abandoned the Dollar for something else. The fact they haven't implies some level of trust, even if it's of a paranoid level.

    2. Anonymous Coward

      Re: This is rapidly becoming a world laughing stock

      It was not so long ago that one guy looking for UFO information made headlines because he was able to look through a 'secure' US Mil computer. The US said then that their networks were so secure he had to be the world's master hacker. Now it turns out that almost anyone can walk in and look round any US Gov/Mil computer and take what they want.

      This much vaunted 'security' is indeed becoming truly laughable.

      1. Anonymous Coward

        Re: This is rapidly becoming a world laughing stock

        Indeed, and it's about time that the US apologised to Mr McKinnon for harassing him over their own failings. It was blindingly obvious at the time that US government security was laughable, yet they still hounded the poor chap simply because they were embarrassed at having their failings exposed and tried to make Mr McKinnon suffer because of their embarrassment. That's simply despicable.

      2. Tom 13

        Re: almost anyone can walk in and look round any US Gov/Mil computer

        No, not the Mil computers, OPM. Trust me on this. My roommate has enough trouble logging into his work computer every day and he's authorized to do so. The secure one? Yeah, that's an even bigger PITA.

        The problem is OPM forgot ignored the fact that since those records constitute the underpinnings for the whole security infrastructure, so when collected into a single database it requires one grade above Eyes Only clearance.

    3. keithpeter Silver badge
      Windows

      Re: This is rapidly becoming a world laughing stock

      I hope that this discovery will lead to questions being asked about the resources being spent on mass surveillance of home and allied populations - i.e. huge data trawls producing low priority information that is mostly just deleted after some period of time.

      Just possibly someone might begin to think that a little spending on actual secure systems for the basics like this might be a better idea?

      Jaron Lanier writes about 'siren servers' by which he means the way various agencies 'sell' large IT based projects to gullible politicians/corporate managers. Shiny, sound good, but apparently generate little advantage.

      PS: if this happened in the UK we would never hear about it of course. Rest assured.

      1. Primus Secundus Tertius

        Re: This is rapidly becoming a world laughing stock

        @keithpeter

        In the UK they just send CDs of social security data in the post. As you say, they have not admitted that anyone has actually used that information. Also they leave memory sticks in pubs and taxis, but don't admit that.

        The UK Treasury clearly did not believe in spending money to protect data about UK citizens. It looks as though the USA has a similar problem.

      2. Tom 13

        Re: discovery will lead to questions being asked about the resources being spent

        Why? They're two completely independent questions. What you want cut off is about collecting data on potential threats. The OPM breach is about protecting known targets.

  6. Magani
    WTF?

    El Reg illuminates again

    Thank you, El Reg, for showing me another instance in the seemingly never-ending list of words that Merkins use differently to other English speakers:

    "Had your wages garnished?"

    My first thought was of my pay packet lightly sprinkled with pepper and a few parsley flakes. It would seem however, that they were referring to what I'd always known as 'garnishee'.

    Am I alone here, or do fellow Strine speakers (to say nothing of K1W1s or those from the Mother Country) also know it as 'garnisheed wages'?

    1. This post has been deleted by its author

    2. Anonymous Coward

      Re: El Reg illuminates again

      It's AMEЯICAN ЯEVEЯSAL...

      Try to imagine newspeak delivered in some hideous slack-jawed parochial accent.

      Garnishing : Taking something away

      Officer involved homicide: The filth just shot you

      Land of the free: Prison (if you're lucky)

      ...and so on...

      Poor sods have even been made to drive on the wrong side of the road!

      Whoops! Forgot the mask. <sarc>Wouldn't want to end up on any lists!</sarc>

  7. Adam 1

    On an aside, the (allegedly) sentient beings setting fire to the joint here have passed laws to require ISPs to store all metadata for two years. Every website you visit, every email you send.

    But don't worry, I'm sure that data will be perfectly safe from hackers.
