Posts by tom dial

Re: Bah!

OPM management requested money and billet authorization over the years based on needs they identified in the budget request process. They never got everything they wished for (with probability not measurably different from 1.0). Yet the reports have it that they added systems without making them secure (and perhaps without knowing where and how they were attached) and reportedly let maintenance slip rather badly, which many might think unwise. The right question of OPM is not whether they received the resources they requested, but how they managed IT with what they received.

In the (DoD) agency where I worked, we received annual reductions in both money and billets, but over the years security was gradually and regularly tightened, systems were inventoried, the network maps timely maintained and an increasingly detailed set of security requirements were applied retroactively as well as prospectively. The retro part sometimes was not fully up to date, but existing systems were patched and new ones were compliant with security configuration requirements before being attached to the LAN. The firewalls were quite exclusionary, to the point of irritating developers excluded from consulting external technical web sites classified as "chat". BYOD was not discussed, remote access was by VPN using government owned and maintained equipment only, and (courtesy of the DoD PKI program) two factor authentication was the only way of access other than at system consoles. Development sometimes suffered from this. All that was as directed by the CIO and his director of security, with full support of the agency directors. And that, I think, made a difference, as successful known penetrations were not known to have occurred as of about three years ago.

It appears that OPM's IT managers have been on indoor annual leave for years. Reports say the OPM doesn't know the systems they have, or how they are connected, and have not done regular patching on some, many, or all of them. If I were updating my resume it would be a tough choice whether to show recent employment there or pretend to have been unemployed since being fired for cause at my previous job.

They almost certainly have been squeezed for resources, but that is not a fully satisfactory excuse for getting priorities so out of whack. I think the risk of losing control of this data, even the SF86 information, has been overstated. However, I can guess that management in pretty much every agency that has employees in sensitive positions is pretty pissed, partly because most of them hunkered down and managed to map their networks and patch their systems on a fairly regular basis under much the same resource constraints.

The OPM operates web applications for federal civil service retiree support, for applicants for federal employment, for completion of security background investigation requests (these are no longer done in paper form), and for at least one other federal agency. In the main, this is a result of an "eGovernment" undertaking begun (I think) under President Bush and continued under President Obama.

Re: Peter principle

Like all of the major department and agency directors, Katherine Archuleta is a political appointee. That said, there is no reason that a political appointee, if supported by competent and experienced civil service executives, cannot be quite successful as director. The problem in this case appears to be that the civil service executives had, for years, been inadequate in IT management matters.

Re: Free services are not free

The technical term for what Foundem and others are doing is "rent seeking" - the expenditure of resources in order to bring about an uncompensated transfer of goods or services from another person or persons to one's self as the result of a “favorable” decision on some public policy.

(www.auburn.edu/~johnspm/gloss/rent-seeking_behavior)

Re: Has anyone seen...

The New York Times (June 15) and the Washington Post (June 12) also covered it.

Re: @I've forgotten what I wanted to say...

Indeed so. A decisive majority of many commentariats seems to be innumerate when the subject is related to crime, policing, or national security. They also appear to have forgotten why government is needed, and that the Declaration of Independence and Bill of Rights are not alone a complete description of its purpose and function.

Re: So what's new?

"What isn't allowed is plotting to use violence to do so." Precisely the point of my statement.

Despite all too frequent police and prosecutor misbehavior, there is no meaningful evidence that the US government or any part of it, or any subordinate government, is trying in an organized way to keep people from assembling to discuss, advocate for, or plan change to either the structure or the staffing of any government under the US Constitution - as long as their proposed methods are lawful. That said, it also must be said that advocates of change cannot assume their efforts will be unopposed, and they can and should anticipate pushback from other political parties and government officials they mean to replace. The opposition may sometimes exceed what the law allows. The more radical the proposed change, the more careful and circumspect they should be, and not only or even mostly out of concern for government interference. Airborne surveillance of the Baltimore riots was not "suppression" and that almost certainly is the case with other instances of FBI surveillance that recently have been in the news, just as it probably is for the RCMP's fleet of aircraft.

Re: So what's new?

People do, indeed, have a right to protest; they do not have the right to riot. Contrary to a later assertion, they also do not have a right under the US Constitution to assemble to change the regime or remove particular people from office; for that we have procedures to amend the Constitution, elections, and legal processes. Whether the people have a natural right to change the regime is another matter, rather more interesting and complicated.

Mass surveillance in the form of a circling plane bearing a camera or observer does not infringe the protesters' first amendment rights any more than the presence of police on the ground. It does not even remotely approach a fourth amendment search or seizure. It carries no presumption that anyone is breaking a law or suspected of it, and certainly does not touch on anything mentioned in the fifth amendment. Nothing about it represents unequal application of the law (that would be the fourteenth amendment). And it has nothing at all to do with the NSA (it seems to have been an FBI plane). It is a reasonable and unintrusive way for those responsible for protecting people and property to learn of trouble spots and perhaps manage the response.

I would have hoped any response would be more reasoned.

Re: So what's new?

So you are against use of any method that has the capability to put in view anyone other than a specific target whom they have good reason to suspect is a significant threat, and any surveillance not associated with identified suspects (of criminal activity)? That seems quite unreasonable. The example of Baltimore a few weeks back suggests that general - i. e. "mass" - surveillance may be quite reasonable. In that case there was good reason to suspect that there might be trouble somewhere in a fairly large area, quite possibly caused by random accidental events like an altercation unrelated to the gathering - i. e., no known or identified suspects. In addition, the activity was of a type that is protected by the First Amendment. Law officers are responsible for maintaining order and protecting people and property generally. Should they be prohibited use methods like aerial surveillance, whether by drones or piloted aircraft, to identify places where disorder may be putting either at risk? Why?

State government highway patrols have used planes (mostly Cessnas, I think) to enforce traffic laws and manage traffic problems on major highways for at least thirty or forty years. The probably have used it on occasion for other purposes as well. This mass surveillance seems not to have produced much griping except by those ticketed for violations, this despite the fact that at least the traffic enforcement aspect involved people under no suspicion.

Re: Security from whom?

It is a public key, so concern about the government getting it is pretty much misplaced. In fact, if they weren't in cahoots with the likes of Turbo Tax and H&R Block, the IRS would arrange to allow filing of tax returns (and possibly payments as well) by GPG encrypted and authenticated email.

Whether it is better than HTTPS or not is not clear. PGP in general, and OpenPGP in particular, have not had the number of major protocol and implementation flaws reported recently for HTTPS. On the other hand, theire use probably is several orders of magnitude less than HTTPS. But on the third hand, those PGP users, as a group, probably care at least as much and have at least as much technical expertise as do those who deploy HTTPS. Of course both actually implement encryption between endpoints of the message content, the endpoints in the case of Facebook notifications being Facebook and the Facebook account holder.

Have to agree, though, that it is most unclear that this improves journalists' security in the least. Facebook seems a rather poor choice for conducting conversations you would want kept private.

The telephone metadata included cell phones; Revelation One, as I recall it, was the FISC order to Verizon for business cell phone records.

Re: Problem is already solved.

That assumes something quite unlikely, that GCHQ has physical access to US telephone metadata, or the ability to compel its delivery to them. The Section 215 metadata program that looks like being terminated is implemented by court orders that compel carriers to deliver call records to the government. It is not a "slurp" in anything like the sense of, say, the XKEYSCORE program, which will continue to be entirely lawful (under US law).

Re: Nobody says they're violating the law

Correct as to fact, I think, and certainly defensible as to the conclusion. The only thing I would add is that a government executive or legislator desiring reelection normally will be quite concerned about the possibility of being seen as partly responsible for bad events like terrorist attacks. In particular, they would worry about being blamed if it should appear after the fact (but before the next election) that it could have been prevented but for intelligence information missed, due to failure to obtain or insufficient funding or staffing to analyze. As happened in the US after the September 11, 2001 attacks.

The more recent uproar over signals surveillance should give them pause to consider other aspects of policy and law, and may lead to a better balance overall, but it will not entirely suppress the concern that they should be seen to be in favor of public safety.

Re: Who is really stupid enough to believe this?

While the activities described (in very general terms) may have violated US law, it might also be that it was not. Government agencies may sometimes do lawfully, in international affairs, things forbidden to private sector companies. CIA collection from South African agents of information is unlikely to have violated any US laws, and supplying arms design information and arms for purposes approved by the President might be illegal or not, depending on the details of the arrangements under which it occurred.

Re: Unfortunately

The documents Edward Snowden caused to be released, additional documents the government later declassified and released, and Executive Order 12333 all generally support a claim that the NSA as an agency and its employees care about and attempt, largely successfully, to follow the law as it exists. That is not to say there are not lapses sucha typographical error that resulted in collection of Washington DC calls in place of Egyptian calls, or cases of individual military or civilian employees targeting spouses or dates. It also is not to say that the agency did not seek, and sometimes obtain, expansive interpretations of the law to support what its management saw as its proper mission, or that they did not seek changes to the law to expand their legal authority. Most of the activities reported, however, are consistent with US law as it is, however much it may differ from what some of us think it ought to be, and were known of in some detail and approved by two executive departments and a properly constituted court. I suspect much the same is true, with differences due to law and customs, of the activities of GCHQ, CSEC, DSD, and GCSB.

It is quite reasonable to believe the laws should be changed, and to advocate for that, but it is not reasonable to believe, based on what we know, that the NSA, and probably the other Five Eyes agencies systematically violate existing laws.

Re: Softening us up, surely

Not clearly a "sneaky trick" although many of those now outraged by the current data collections will be in a great hurry to restore them after a future terrorist attack on US soil.

Re: Faraday cages?

http://disklabs.com/products/faraday-bags

Re: Just another patent troll

Too lazy to search out and read the complaint, and don't want to wast the time to watch the Youtube flic. Is there a patent here (the article didn't say so) or is Halpern simply an idiot who found a lawyer to take on a contingent fee lawsuit figuring that 40% of a $1B with a probability of approximately zero might be worth a few hours and a filing fee to get a mention or two in the press?

Re: Class action?

Why should the guilt or innocence of a manufacturer ride on the choice of target by criminals who subvert routers made by the manufacturer? Is it not more that the manufacturer may be guilty if there are unpatched vulnerabilities in their equipment, or not, if the vulnerability arose from ISP or user failure to set a proper password?