This is what happens when you focus mostly on offensive capabilities and surveillance and do almost nothing about the actual security of the systems.
Sounds like the main culprit of this data breach was not patching their systems and not using 2-FA. Also, when you want to make it easy for the NSA to get data on Americans, you're also making it easy for China to do the same - I wonder if this is finally when the administration will get it (but I'm not holding my breath):
> And a number of administration officials in interviews on Friday painted a picture of Chinese adversaries who appear to be building huge databases of information on American citizens, useful for intelligence gathering and other purposes.
Also, it didn't help the security that Obama hired technological morons as CISOs and "cyber czars" with their "big picture" ideas.
> Mr. Earnest said Mr. Obama’s efforts to push legislation would bolster the nation’s data.
“We need the United States Congress to come out of the Dark Ages and actually join us here in the 21st century to make sure that we have the kinds of defenses that are necessary to protect a modern computer system,” he said.
Yup. So still not taking this seriously. The current "cybersecurity" bills are all about surveillance, not about actual security defense. Well okay then.
However, something is clearly going wrong in terms of:
1) How security infrastructure is constructed in the first place
2) How security experts have communicated to and educated the public
The way computers are put together and software is distributed makes them insecure by design. This puts the public (non-experts) in a position where they feel helpless to do the right thing.
On top of this, a pervasive attitude amongst security experts is that laypeople are hopeless idiots. The science, medical, and public health fields have to deal with misconceptions and misinformation all of the time. When I compare outreach from those fields and computer security, I wonder if more shouldn't be done.
The problem largely comes down to write secure software, a large part of which is stop doing manual memory management, to which the community responds "over my dead body."
The problem isn't how security infrastructure is constructed, it's that people would rather buy "security infrastructure" and bolt it on to bad code.
Laypeople have demonstrated themselves to be hopeless idiots with regard to 1) passwords and 2) infecting Windows installations for quite a while. Taking away the ability to accidentally screw these things up (2FA, sandboxing, walled garden app stores, etc) is a huge step forward.
Laypeople have demonstrated themselves to be hopeless idiots with regard to 1) passwords and 2) infecting Windows installations for quite a while.
The same thing can be said of certain plumbing and car repair tasks. In cases like this, industry and society should take the problematic aspects out of the hands of laypeople and put those things in the hands of tools/experts. Even highly trained groups like pilots have significant automation to aid them, where the population seems to suffer from "idiocy." (Stick shakers.)
Such thinking and UX design is part and parcel of writing secure software.
While I totally agree that memory management is a huge source of problems (learn Rust is next on my project queue), I suspect that the problem of "writing secure software" is not actually technical in nature. The best tools and methods in the world are only useful if they are actually used in practice.
A better question is why people accept insecure software and then let the software industry blame the victims (like calling them "hopeless idiots"), when it was - as you say - the insecure software that was the actual problem.
Dan Geer was right - you fix this with product liability. The tools (such as new languages like rust, etc) will happen automatically if you make the person who sold you software liable for the damage it causes. (standard "when used normally" restrictions apply, of course).
> The problem largely comes down to write secure software, a large part of which is stop doing manual memory management,
This is, unfortunately, not true. Writing in .net or in java or in php does not involve manual memory management, yet such web apps still contain game-over vulnerabilities. (I am looking at you, wordpress).
Other reasons are costly infrastructure, huge size of systems, how long it takes to replace them (if it's longer than an election cycle they'll probably get cancelled/modified half way through and go late and over budget), preferred vendors (only really large companies are given these jobs), political pork and lack of oversight.
It's not just the US, the UK blew 12bn on an NHS system that basically never worked the way it was supposed to and that was just one of their disasters.
Worse is the fact that above grade 13 promotions greatly favor those who do not take risks and who do not rile others. This makes avoiding risk one of the top success strategies for a career in govt.
The risk averse culture of govt is probably more a factor here. To actually shut down a system that is "working" because it is not secure is likely to prevent someone from being promoted, as it at least implicitly points the finger at others, which is a major no-no.
It really sucks that those affected have no recourse in the courts or any other venue to seek redress, and it is unlikely that the cost of the inevitable identity thefts and other dirty tricks that will result from this will be borne by individuals, when the govt is clearly culpable.
I never have understood why we hand power over something to the govt without a means of holding govt officials responsible when they wield that power inappropriately or incompetently.
As one senior former government official who once handled cyberissues for the administration, who would not speak on the record because it could endanger the person’s role on key advisory committees
In the commercial world, speaking out about security issues makes you a celebrity. In government, it makes you a liability.
No way. For one there is no such thing as a true air gap in an organization past a certain size that probably has multiple office locations. The worse thing about this word though is idiots use an 'air gap' as a crutch to justify their lazy and inept IT practices.
Well no shit. I've warned parts of the U.S. government that they're "open to cyberattacks". It's obvious even from the outside and has been obvious for years.
The surprise isn't that China (or somebody) hacked OPM. The surprise is that we noticed this one.
And it turns out that China was probably doing this for a year. And that the only reason OPM caught it was because a cybersecurity company happened to be demo-ing their product at OPM that day, which finally explains the surprise.
The NSA has two jobs - defensive and offensive/surveillance. Not only have they neglected their defensive work they and the FBI have been actively and successfully weakening US information defenses.
It's time to be transparent about this. Hell, our "adversaries" apparently have detailed knowledge of the circumstances. It's time we did, so that we can push for things to be fixed.
At the same time, pushing back against this "lock down the Internet" mentality. It's not about choking the medium to some autocratic death. It's about smartening up one's presence on and use of it.
I'm not talking about some Congressional dog and pony show. Nor about reports that sit in some pol or bureaucrat's locked desk drawer forever. I'm talking about full on sunlight. Leave the wankers no shadows to hide in.
If NYT knows the Third Department and whatever private contractors they have are trying to breach USG computer systems then I guess NSA knows that as well. Not even touching on defensive needs, why isn't NSA blanket surveilling Third Department, et al. and making that intelligence known to potentially affected agencies?
24 comments
[ 2.9 ms ] story [ 62.6 ms ] threadSounds like the main culprit of this data breach was not patching their systems and not using 2-FA. Also, when you want to make it easy for the NSA to get data on Americans, you're also making it easy for China to do the same - I wonder if this is finally when the administration will get it (but I'm not holding my breath):
> And a number of administration officials in interviews on Friday painted a picture of Chinese adversaries who appear to be building huge databases of information on American citizens, useful for intelligence gathering and other purposes.
Also, it didn't help the security that Obama hired technological morons as CISOs and "cyber czars" with their "big picture" ideas.
> Mr. Earnest said Mr. Obama’s efforts to push legislation would bolster the nation’s data.
“We need the United States Congress to come out of the Dark Ages and actually join us here in the 21st century to make sure that we have the kinds of defenses that are necessary to protect a modern computer system,” he said.
Yup. So still not taking this seriously. The current "cybersecurity" bills are all about surveillance, not about actual security defense. Well okay then.
Although TFA is not always the solution, there is no reason that every org should not institute this.
1) How security infrastructure is constructed in the first place
2) How security experts have communicated to and educated the public
The way computers are put together and software is distributed makes them insecure by design. This puts the public (non-experts) in a position where they feel helpless to do the right thing.
On top of this, a pervasive attitude amongst security experts is that laypeople are hopeless idiots. The science, medical, and public health fields have to deal with misconceptions and misinformation all of the time. When I compare outreach from those fields and computer security, I wonder if more shouldn't be done.
The problem isn't how security infrastructure is constructed, it's that people would rather buy "security infrastructure" and bolt it on to bad code.
Laypeople have demonstrated themselves to be hopeless idiots with regard to 1) passwords and 2) infecting Windows installations for quite a while. Taking away the ability to accidentally screw these things up (2FA, sandboxing, walled garden app stores, etc) is a huge step forward.
The same thing can be said of certain plumbing and car repair tasks. In cases like this, industry and society should take the problematic aspects out of the hands of laypeople and put those things in the hands of tools/experts. Even highly trained groups like pilots have significant automation to aid them, where the population seems to suffer from "idiocy." (Stick shakers.)
Such thinking and UX design is part and parcel of writing secure software.
A better question is why people accept insecure software and then let the software industry blame the victims (like calling them "hopeless idiots"), when it was - as you say - the insecure software that was the actual problem.
Dan Geer was right - you fix this with product liability. The tools (such as new languages like rust, etc) will happen automatically if you make the person who sold you software liable for the damage it causes. (standard "when used normally" restrictions apply, of course).
This is, unfortunately, not true. Writing in .net or in java or in php does not involve manual memory management, yet such web apps still contain game-over vulnerabilities. (I am looking at you, wordpress).
Other reasons are costly infrastructure, huge size of systems, how long it takes to replace them (if it's longer than an election cycle they'll probably get cancelled/modified half way through and go late and over budget), preferred vendors (only really large companies are given these jobs), political pork and lack of oversight.
It's not just the US, the UK blew 12bn on an NHS system that basically never worked the way it was supposed to and that was just one of their disasters.
The risk averse culture of govt is probably more a factor here. To actually shut down a system that is "working" because it is not secure is likely to prevent someone from being promoted, as it at least implicitly points the finger at others, which is a major no-no.
It really sucks that those affected have no recourse in the courts or any other venue to seek redress, and it is unlikely that the cost of the inevitable identity thefts and other dirty tricks that will result from this will be borne by individuals, when the govt is clearly culpable.
I never have understood why we hand power over something to the govt without a means of holding govt officials responsible when they wield that power inappropriately or incompetently.
In the commercial world, speaking out about security issues makes you a celebrity. In government, it makes you a liability.
Plenty of white hats have gone down for reporting publicly.
Outside of that, it does make them celebrities. It gives them professional credibility, publicity, and the opportunities that go with all of it.
Three words: not rocket science.
http://www.theregister.co.uk/2015/06/05/kaspersky_says_airga...
You need our wisdom badly.
The surprise isn't that China (or somebody) hacked OPM. The surprise is that we noticed this one.
At the same time, pushing back against this "lock down the Internet" mentality. It's not about choking the medium to some autocratic death. It's about smartening up one's presence on and use of it.
I'm not talking about some Congressional dog and pony show. Nor about reports that sit in some pol or bureaucrat's locked desk drawer forever. I'm talking about full on sunlight. Leave the wankers no shadows to hide in.