Posts by tom dial

Re: Meh! Nothing really new here.

It would be helpful if those who vote against statements that purport to be factual provided statements of the reason why. If the claim is incorrect, evidence of that makes sense; a simple downvote leaves readers with no particular knowledge to wonder why. There is a difference between contesting a claim because it is false and contesting it because the downvoter, recognizing it as true, is unhappy about that.

Upvoted, based on the knowledge or belief that the Linux kernel is able to run on bare zSeries hardware and that DB2 for Linux will run on processors with IFL engines, i. e., that Gumby's statements are correct.

Re: So?

Why would you say "we" have a problem?

It might be that the company has a problem, probably best addressed by the directors, in that the hiring officers are using criteria not very likely to be related to capability to do the job. That is true equally whether an individual is, or is not. hired or promoted based on such criteria. Preferential hiring based on race, sex, or gender identification is as invidious and inappropriate either way.

Re: On the other hand...

It is not evident that the clintonemail.com administrator would know if the system had been penetrated. Was it configured for security? Was it patched regularly? Was it protected by a firewall more advanced than that on a Linksys consumer router? Were all the factory default passwords changed to be unique and non-obvious ? Was an IDS installed and operating? Were there regular backups? Were the backups replicated off site? Was there a contingency plan to deal with outage?

Whatever the deficiencies of the State Department IT management and staff might have been, there is a pretty good chance they could answer in the affirmative for all their systems. In the case of clintonemail.com, the contingency plan seems to have been "wait for the water to recede and the mains power to return", arguably an entirely inadequate plan for the sole email provider for a cabinet member and top level executive of a major federal department. I have not seen reports that discuss any of the others.

Re: President Password

The passwords described would not have worked in the US DoD in 2005 or 6, possibly earlier. The standards when I retired at the end of 2011 were length of 12, at least two each of upper case, lower case, digits, and special characters (subject to acceptance by the application or system). New passwords were to be different from any of the last 10, from any used less than a year in the past, and from the password used on any other system. Three consecutive occurrences of the same character were never allowed, and some systems disallowed all repeats, ascending or descending digit sequences, or both. Password change was required every 60 days or less and most systems and applications enforced that.

Some of the properties, of course, could not be validated automatically, and some systems and applications enforced standards better than others. Password managers were gaining popularity, but spreadsheets or notes in drawers were more or less the norm.

Re: Yup

Crimes in which inability of law enforcement personnel results in failure to identify, arrest, and prosecute the criminal will be a tiny fraction of all crimes, and the one used as an example probably is not one of them. The great majority of arrests and prosecutions are of the obvious suspects, supported by witnesses and obvious physical evidence, sometimes bolstered by forensic evidence analysis. The article appears to be aimed at inducing a moral panic to support action that a great majority, if they thought about it, would think a bad idea.

Re: Why does the government fear private computers?

Looking at Iraq, Syria, Bahrain, Yemen, Jordan, Egypt, Libya, and Tunisia to name a few, is it clear that we should want a local "arab spring"? Really?

"Mulitiple layers of robust 'safeguards': for example? And under what plausible conditions would they likely be used?

What subjugation would that be? For monitoring, aside from objections to wire sniffing that some might not describe as surveillance as long as it was limited to machine filtering, what outcomes exceed limits that a majority would think reasonable (limited to Europe/EEC, Five Eyes, South Korea, Japan for discussion purposes)?

Governments are established to govern, and police are hired to enforce the laws. News articles notwithstanding, in the countries identified above, they usually do so without interfering excessively with the majority of the population. When they do, courts often will curtail the excesses, and those who object can try to persuade legislators to change the laws, or try to replace the legislators so as to try to change the laws from within. The fact that they may fail to do so may not mean they are corrupt or under control by the 1% or other enemy of the people; it may simply mean that the majority who elect the legislature and executive are not dissatisfied enough to vote for change. And like it or not, no established government, however legitimate, is going to put up with attempts to overthrow it by means outside the law.

Re: If you were Assange

Suppose you were, and wait out the Swedish statute of limitations. What then? The British charges related to the bail jumping still will be pending, so leaving the Ecuador embassy would be risky. I haven't looked, but suspect there is no statute of limitations for any plausible US charges., so they would not be brought until you are out of the embassy and in UK custody. At that point, pending US charges could be used as a basis to request extradition, and given the relation between the US and UK it might well be granted.

Has Mr. Assange elected a life term, or perhaps permanent semiretirement, in Ecuador's London embassy?

On the other hand, five more years on, the US might no longer care enough to press charges (even if they really do now), and you could look more than a bit of a fool for not going back to Sweden and facing the charges there.

Re: Doomed

The link is interesting indeed. I had no idea that retirees contribute such large amounts, although it did not come as a surprise that their money favored Romney over Obama by around 6 to 5, or that lawyers (mainly plaintiff attorneys by some reports) and the educational establishment supported Obama over Romney by a large margin. It is interesting, too, that notwithstanding the wailing, mostly by "progressives", the Obama campaign and its supporters underspent Romney's by a fairly significant amount and yet won rather handily. Money to run a campaign surely is important, but not decisive. Enthusiastic volunteers, with appropriate organization and guidance, can make substitute for a good deal of money, yet nobody ever would think to suggest either reporting or regulating their number.

Re: Rules when she was in office....

On the other hand there was a law, the Federal Information Security Management Act - FISMA - of 2002, with plenty of rules and regulations in place by around 2005 or 2006.

In general, the law and instructions that followed from it required computer systems used to process and store government data to be particularly configured to ensure data security, be backed up regularly, and have a disaster recovery plan in effect that provided for continuity of operations if the primary system became inoperative. All that has to be documented in excruciating detail, and conformity verified before the system is approved by the agency's approving official (usually the CIO) and attached to a network. Conformity is required to be reverified periodically, including testing of the business continuity plan.

If the servers behind clintonemail.com met the standard, Ms. Clinton and her supporters could have brought it out immediately and effectively ended the discussion by requesting the State Department to release the systems' certification and accreditation documents. Instead, she diverted attention by delivering printed email copies to the department and requesting they be released, and erased them from the server or servers. It is quite safe, therefore, to conclude that the servers used were operated in violation of the law and contrary to established Department of State instructions.

Ms. Clinton, however, was not just a State Department employee presumably violating the law and agency instructions; she was the department director, responsible to see that the department and its employees, including herself and others who had clintonemail.com accounts, operated within the law and in accord with the departments established instructions.

It appears she did not do so. That is far more than poor judgment; it is, arguably, a disqualifier for election to the office of President, the duties of which include, among other things, to "take Care that the Laaws be faithfully executed".

Re: There are two cases here

One of the requests specified a period about six months long, and it appeared to me from the opinion (1) that it was the only one for which records were produced, presumably on the basis that it logically included the others, and (2) was of particular concern to the Fourth Circuit panel, as it should have been. A request for all the records over that length of time, even for specific cell phones should raise immediately the question of whether the request would have been too broad for a warrant, even given the fact that the existing legal standard did not seem to require one.

Re: remember a strong 30-char pw?

The plea agreement was linked in the article. The government got something and reduced the sentence recommendation in exchange for that and the guilty plea - perhaps some names of individuals to whom the data were to be delivered. Side payments probably would not be documented in the plea agreement.

Re: Professional expectation

Division of responsibilities would be good practice, as the NSA discovered and I think corrected or is correcting. Those worthy of trust still will not perform unauthorized actions, as Mr. Glenn did, that go beyond what is necessary to perform their duties.

Re: He should be ashamed

Trampling human rights is not limited to either the Republican party (among US political parties), the US government (among governments), or government wannabes like ISIL, Al-Shabaab, Boko Haram, or Shining Path.

if lawyers weren't paid when they lose...

If I recall correctly, SCO's lawyers were more or less compelled by circumstances to agree to take part of their payment from their lawsuit's winnings. That probably worked out rather badly, since most of SCO's assets after the loss were dribbled away by the bankruptcy referee and whatever was left went to the SCO principals.

Sometimes there may be a bit of justice.

Re: NSA is the problem

Is there evidence that NSA has greater access to data resident in the US than that resident elsewhere? The procedures used would differ somewhat, but access to foreign data stored in the US may require legal process that may not be needed to access it in some other locations where NSA has the authority under US law to obtain it directly without troubling to make a request.

Re: So, up to 125 then

"None", as Automattic reports for 2014 and the first half of 2015, would appear to be 0, as does the sentence following their table: "We are pleased to report that we received no National Security Requests during 2014 or so far in 2015."

Rounding does not apply, and a positive number of requests less than half of 249 could not truthfully be shown as 0. Showing "0 - 249" for the first half of 2013 suggests there was at least one, and if they are being truthful, there were no more than 249.

Re: Why are they not more often in the news ?

The arrests probably were in the news, along with arrests for a variety of offences where the police did not use intercepted electronic communication as part of the basis. It would be rare that communication interception brought an arrest, and a bit rarer still that it would be attributed to GCHQ surveillance given their known inclination to remain in the background.

The NSA were said plausibly to have passed information from intercepts to the US DEA and were criticised severely despite the likelihood that both the intercepts and their transmittal to DEA were of a kind authorized explicitly in the US Code.

Re: secure?

The Arpanet was designed to be resilient in the face of physical disruption, but not particularly to protect the content of communication it was used to transfer. The goal was to ensure deliverability. For data protection there were, and are, other measures like encryption that go back centuries in time, as do the problems with ensuring message integrity and privacy. Both goals have associated difficulties.

Re: Not under THIS...

This is not China; we have no great firewall. It is doubtful that the Constitution grants it the authority to enact laws that compel businesses or individuals to administer their systems in a secure way; and if they do, there is no way they have the resources to enforce such laws. As noted, they do not have the effective power to make their Secretary of State or OPM director to do that.

It would be interesting to see a presentation of the theory under which the federal government is responsible to "even begin to protect the digital assets of the US" other than those of federal agencies. The administration has argued that it should, but his was met with considerable pushback from many who were concerned about giving the government too much power - many of them now, doubtless, seriously agitated about the NSA and its activities.

They can, and do, sponsor various activities and organizations such as MITRE and CERT, but in many respects the internet and its connected systems are not fundamentally more secure than they were in November, 1988 - much depends on the diligence of the system and network administrators; some are competent and motivated to secure their systems, but all too many are lazy, incompetent, and do not care much beyond doing the minimum to ensure continuation of their regular paychecks.

Re: Thou shalt not...

The claimed harassment had nothing at all to do with Edward Snowden, as all of it occurred well before any of us, including Ms. Poitras, had heard of him. The runaround on the FOIA requests might relate to that, however, or it might relate to a combination of incompetence and intransigence on the part of some of the agencies in handling such requests. ODNI appears likely to have given Ms. Poitras a standard response to any FOIA request for material that is either sensitive or potentially embarrassing: they denied it on the basis that the fact of its existence or nonexistence was classified as related to intelligence sources and methods. The DoJ, on the other hand, denied release of the 6 pages they or the FBI admitted having found as a matter involving grand jury secrecy. Other agencies seem at most to have gone through the motions minimally and hoped the FOIA requests would go away.

Re: A very Google solution

In the US government, which employs far more people than Google, offers are entirely algorithm based and in not negotiable at the entry level: generally General Schedule grade and step. Relocation may or may not be paid, depending on the announcement. Mid-level and senior hires may have some wiggle room to negotiate, as probably also is the case with Google.*

I expect a great many companies with staffing large enough to justify a separate HR organization have algorithms to constrain compensation for legal compliance reasons. Without a substantial survey it is not clear to what degree Google is exceptional in its rigidity.

* The US DoD switched for several years from the General Schedule to a "National Security Personnel System" that set up a small number of overlapping pay bands and gave supervisors and managers considerable flexibility in determining employee salary. After three or four years they went back to the old General Schedule.

Re: The majority of UK Tax burden is not being paid by companies...(Hollywood Accounting Method)

The studios make a profit on the services they sell to the independent entities that produce the film. The (natural person) partners of the producing entity collect salaries or purchase the bonds of the producint entity. Simple bookkeeping takes care of ensuring there is no "profit". While this is partly made up on the spot, and the actual structures in use surely are more subtle and complex, it is clear that rivers of cash do not imply a profit.

Re: Nice pension

As noted, the paper SF-86 has been replaced by an application served from OPM. That is not a reason to for the database containing the data to be on a network attached to the internet. At my former agency (not OPM) we were exceedingly careful about Personally Identifiable Information leaks; this is the mother all PII compromises.

"Could those who devised the Fourth Amendment really conceive of a device that could store every piece of information about you and every communication and that could not only store that information but catalogue it, index it, search it, cross-reference it, copy it and display it, and could do so taking up no more space than satchel?"

Probably not, but they would not have hesitated to say that a government search of such a device would require a warrant issued "upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched and the ... things to be seized." And they almost surely would have said the same about communications passed between two such devices.

As the staff in a brick and mortar jewelry store surely would do.

Those who search on Amazon should expect to see results for products that Amazon or its vendors can supply. Sellers who decline to sell through Amazon are a bit cheeky to go to court and demand that Amazon, whose business is selling products, show nothing at all that doesn't match their brand. Those who do sell through Amazon can reasonably expect Amazon to requested results for their product ahead of results for similar and possibly substitutable products, but have no reason to expect Amazon to exclude others unless Amazon, possibly for a price, agreed to do so.

Re: Even if..

And one is left to wonder whether, once caught, the French government would be silly enough to grant bail at any price.

Re: @tom dial

I never have been a fan of punishing those not shown to be guilty. It may please congressmen to demand resignations, and it may resonate with those they hope will reelect them, but there is no evidence that doing so will improve OPM IT operations, which seem to have been inexcusably sloppy for quite a few years before the present managers took up their positions. The damage is largely done and unrecoverable and firing those now trying to fix the underlying problems is more likely to do harm than good.