71 comments

[ 3.3 ms ] story [ 126 ms ] thread
"All current and former Army National Guard members since 2004 could be affected by this breach because files containing personal information was inadvertently transferred to a non-DoD-accredited data center by a contract employee [...]"
(comment deleted)
I may be overly cynical of US government policies and procedures, but I read this as someone tried to use AWS or similar without permission.
That's not cynical at all, and the reason why Amazon is currently working on building DoD approved data centers (Not sure if it was in mainstream news... I saw it when I was browsing job listings)
I'm reminded of the breach reported by Britain's National Health Service in 2014 (http://www.theguardian.com/society/2014/mar/03/nhs-england-p...), where data was uploaded to make use of Google's big-data sifting technologies in violation of NHS policy about secured storage of British citizenry PII.

The irony that the data had been uploaded to a physically secured, encrypted datacenter network from 27 DVDs in the possession of someone who could do whatever they wanted to with the contents of those DVDs without audit was not lost on me.

I don't reference this to imply it was good and proper use of the data; merely to note the difference between policy security and actual security.

Wow, excellent response. It's encouraging to see that they don't just sweep this under the rug.
Its good that they own up to it but I'm getting a bit tired of hearing "we take security very seriously."

I feel like this phrase has become the mating call of organizations who aren't serious about security until they get hacked.

Does it follow that if an organization discloses a security issue, it wasn't serious about security?
I'd call this an exception. An organization that is willing to take one on the chin, so to speak, by declaring a breach of their policies even in the absence of evidence of abuse of the policy violation is actively demonstrating their commitment to security before they've been hacked.
It is better to simply assume that all data has been breached unless incontrovertible proof is found to the contrary.
Seems kind of like the "law of security testing" -- the lack of evidence of data breaches doesn't preclude the possibility of leaked data.
the absence of evidence is not evidence of absence.

http://youtu.be/MFBjCM0mZHg

That advice is good for logicians, not consultants. Clearly it is better from a consultancy point of view to assume all data has been breached and everything that could break is broken and needs fixing.
As spacehome points out, that advice is a logical contradiction (and therefore not particularly suitable for logicians). Absence of evidence is not proof of absence.
Off topic, but absence of evidence is in fact evidence of absence, though depending on the circumstances it might be weak.

Say we'd like to know if A exists. There's some evidence for A's existence, which we'll E. The absence of this evidence is ~E.

By Bayes' theorem:

P(A) = P(A intersect E) + P(A intersect ~E) = P(A|E)* P(E) + P(A|~E)*P(~E)

So the probability that A exists is a weighted average of the probability that A exists when there is and is not evidence.(Since P(E)+P(~E)=1) There is a kind of 'conservation of probability'.

If the idea that 'E is evidence of A' is to mean anything at all, then it means that P(A|E) > P(A). Hence P(A|~E) must be less than P(A). Another way to say it is that P(~A|~E) > P(~A). And absence of evidence is absence of evidence.

You're speaking of negative evidence; as in, evidence that negates a particular truth claim.

Negative evidence is not the same thing as the utter and complete non-existence of any evidence whatsoever—the absence of evidence. That's because negative evidence absolutely is evidence.

The saying goes, 'the absence of evidence is not evidence of absence' not 'the evidence of absence is not evidence of absence'. See the difference?

Watch the linked video when you have a moment.

(comment deleted)
> You're speaking of negative evidence

I wasn't. ~E is a shorthand way to write that E is not found, not that the opposite of E is found. In the language of probability/set theory, ~E is E's complement - every event in the space of probabilities except for what's in E. It's the unique set such that ~E intersect E = empty set, and ~E union E is the whole space.

The point of the proof I gave is that there is no distinction between 'negative evidence' and 'absence of evidence'.

As I mentioned earlier, there is a kind of conservation of probability. The only way for a piece of evidence to give evidence for A is that the lack of that evidence reduces the probability of A. The probability mass has to come from somewhere.

"I wasn't. ~E is a shorthand way to write that E is not found"

You where. What you are describing is, 'we constructed a hypothetical experiment and arrived at a null result'; that is, in fact, evidence.

No one is saying, 'a null result is not evidence of absence'.

Please stop conflating the presence of something with the absence of something.

Yes, the statement is a tautological statement. We are repeating the same assertion twice using different phrasing. And as such, the proposition as stated is logically irrefutable.

'No evidence is no evidence', is a correct—but diminished—restatement.

Have you watched the video?

I watched the video you linked. It's a straw man and misrepresents the way the maxim is commonly used.

Let's go back to my original example and say we want to know if A is true. We have the choice to run an experiment whose positive result E would give support to A. The linked video would say that before we run any experiment, we have no additional evidence for A. Essentially that P(A) = P(A). This is true.

The way this should be used in the real world is: I look even the slightest bit for A and don't find it. As long as my search for A had the smallest positive chance of finding it were it to exist, then my lack of ability to find A gave me information about the world, and we get that P(~A | ~E) > P(~A).

Edit: To be precise the maxim should be something like: "Absence of evidence after looking for evidence is evidence of absence".

The very act of "looking for evidence" moves it out of the category of the absence of evidence.

Again, what is being said is, 'no evidence is no evidence'. If you have the absence of evidence then you have no evidence of absence.

We are--kind of--using the word absence in two senses. First as a synonym for none, a number less than one, zero; the second as a synonym for non-presence, non-existence, the lack of an extant sample.

Having zero [absent] evidence is not evidence that there is no extant sample [absence]. I hope that helps.

But it is. It's just not necessarily as strong of an evidence.
how could the absence of something simultaneously be both absent and also be that something too? (weak or not.)
I think in a world where physical things influence a system so pervasively so as to be irrevocable, leaving their causal footprint everywhere, absence of evidence predicts absence of evidence. It's not proof, but evidence, which is something else. A better word might be information. I argue that absence of evidence is information that should influence your bet on the course of future information.

Say I'm looking for alien civilization. I write a magical program to search one planet at a time, and stop when it finds an alien civilization. I argue that with every planet that fails the test, we should consider that as information toward the case that this program will never stop. I think these claims are testable if crafted into narrower versions.

A reframed version of the maxim would be: Absence of evidence is not information for evidence of absence. Another reiteration could be "absence of evidence does not provide predictive utility toward any claims on the evidence of absence". I claim the opposite.

I think the author of your link would say that in my rephrasing of things, the whole class of my examples are negative evidence, because he counts any information as negative or positive evidence, and in consistency he demands perfect ignorance. No peeking in the cat box. Unfortunately, me scanning for planets counts as peeking, or getting information, into portions of a very large cat box.

You are correct; any evidence that negates a particular truth claim would be the presence of evidence not the absence of evidence.

And so the tautological saying, 'the absence of evidence is not evidence of absence' still stands unassailed.

Off-topic... That's also a good advice for those "skeptics" that are too obsessed about science (or whatever they think science is).
Startup idea: apologeticpressrelease.com

Just input corporation, firm or department name.

Select multiselect dropdown "what you take very seriously".

Select number of "employees|customers|people" (pick one) that will get free credit monitoring.

Select for how long.

Press [Submit]

Input payment information.

Press release automatically issued.

(we( at )?|CORP_NAME) take your (data|privacy|security|information) very seriously

If I owned a credit monitoring company, this is a service that I might be cynical enough to offer.
You're going to put a lot of PR people out of jobs with that.
The preferred SV term is "disrupt".
That's okay, they can all go work for Donald Trump.
Don't forget to mention that the malware used was "extremely sophisticated".
"not yet sure if there is a nation behind it, as it seems to be too advanced for everyday hackers"
"I dunno, try 'Passw0rd1!' or something"

"OMG we're in!"

This isn't what most people think of when they hear data breach. There was a breach of DoD security standards when data was transferred to an inappropriate environment but no evidence that the data has been leaked beyond that transfer.

I think it's laudable that the Army National Guard would do a breach notification when there's only the possibility of malicious data loss.

Maybe there is some untold, yet upcoming story behind this.
Perhaps there isn't.
I believe that's why the word "maybe" was used.
Off topic: You wouldn't happen to be Diamons from Diamon✝Sword? I used to play with a guy with the same name maybe 10 years ago in a game called Gunz.
Yeah I was
Awesome! You wouldn't remember me (I don't even remember what name I used), but I was in the clan for a while. You taught me how to juggle people after flipping them. Hope you're doing well.
Hah, small world. I'm doing great, thanks. Hope you are as well.
I immediately assume China and/or Russia are working on a World War III plan. Dossiers are being built to help carry out the targeted and synchronized assassination of tens of thousands of key U.S. military personnel by sleeper cell agents during a coordinated world-wide attack.
Why would either of them do that, though?
You don't need any why like that to write a successful novel!
I second this! staunch, get cracking.
I would assume the U.S. has a similar operational plan. In times of peace, it is a functioning military's job to plan for war.

One key difference is that the U.S. is already testing the technology and process necessary to carry out such an operation---reference the drone strike.

Why go all to all that trouble when all they require is a few backhoes?
(comment deleted)
Maybe give it another week. Lately these kind of news are strategically published in smooth crescendos of severity.
> files containing personal information was inadvertently transferred to a non-DoD-accredited data center

Which could be anything. For example, an AWS server somewhere. Or, how about a VPS hosted by GoDaddy? A lame attempt at humor. Yet, what do we really know?

> by a contract employee,

Which could be anybody, right?

> we do not believe the data will be used unlawfully

We don't guarantee...we do not "believe".

More detail would have been useful. If my data was with the Guard I would not know what any of the above meant other than my data was made available to a contractor who uploaded it to a random server somewhere and, at the moment, it could be floating in space for anyone to grab.

Brilliant.

Two things to be aware of:

1) This was an external press release. It's possible communication to the actual Guard had more detail. Or not; it's the military, and they'll tell you what you "need to know."

2) While they don't guarantee the data wasn't leaked, I read that as more in the sense that "The non-DoD-accredited datacenter is outside of our auditing trail" than in the sense that it's actually likely the data was leaked. If you take my state's drivers' license database and uploaded it to AWS, the state can't "guarantee" the data wasn't used unlawfully either, but you can be certain that Amazon has a lot to lose if some failure of their infrastructure gives China access to a list of passport-authorizing documents.

So basically someone (who was probably getting paid by the DoD) scp'ed some info to a server he/she wasn't suppose to.

This more like a breach of standards. At least they know where the data went. The OPM breach is far worse.

When I read that "an employee transferred data to a non DoD-accreditated data centre", I imagine the employee transferring a dataset to Amazon Web Services or something similar (usually because the tooling in their current environment is horrible).

Edit: I just had a look and found AWS is actually DoD-certified http://aws.amazon.com/compliance/dod/. I wonder what the data centre in question could be.

Only some parts of AWS are DoD certified, and even then only some services in the GovCloud region (which isn't widely available) are fully certified. It's entirely possible some contractor made use of a service which isn't certified still.
(comment deleted)
who could possibly benefit by having this data? I don't think it's of any use to scammers and criminals.
I'm sorry but there is likely to be more to come. "All current and former since 2004" .. No one transfers all the files by accident unless the systems and controls and sheer "WTF am I doing this for" attitude is simply missing.

This Inwill guess is the least awful of a series of breaches to be released, as everyone falls over themselves to check their seals.

It's likely similar to the British NHS policy failure in 2014.

The shear between the tools publicly available on private data networks for analyzing and slicing bulk data and the tools available on cloud networks is wide and growing. As it continues to widen, you can anticipate that more and more tech-savvy mid-level staff in government positions will look at the status quo and say "I could follow policy to the letter, or I could use the cheap-and-easy tools I'm familiar with to get some Goddamn work done and trust that data living in AWS is at least as secure as where it currently lives, in that tool-shed-looking building on the back of the base with the door that doensn't quite latch correctly."

This seems non-adversarial, more like a violation of DoD's own internal policies. I wonder why they don't say whether they were able to perform any remediation?
As a former ARNG member and a current Army Reserve member, this doesn't surprise me at all. The U.S. military's regard for personal information has been dreadful. Service in the military entails endless filling out of paper and electronic forms and almost every one of them has the servicemember's SSN on them. These forms get filed in filing cabinets, e-mailed around and--quite often--left on desks. The situation is made worse because our pay grades are typically part of the form, too, so a potential identity thief knows the approximate salary of the victim because our salaries are standardized and readily available.

Things are getting better and the DoD has switched to a non-SSN identification number but the SSN is still frequently used.

Yep. My dog tags had my SSN on them, which I found to be completely ridiculous, as did my military ID for a while.

They started issuing cards with an EDIPI on them relatively recently, which is a step in the right direction, but there's still a lot of work to do.

When that policy was enacted we were still living in the world where the SSN was not the primary means of personal identification. Social security cards used to explicitly say they were not to be used for personal identification, recently enough that mine does.

The DOD originally switched to the SSN from the previous service numbers, as in "name rank and serial number". It was a convenience measure, since the service number system was arcane.

Service numbers were also public record, and I've read documents indicating that social security numbers were not considered sensitive information (notwithstanding the fact that the DOD didn't have the concept of PII formalized back then).

Should the DOD have moved back to another serial number system sooner? Possibly. I'm amazed that they're moving at all.

The point I take away from this is, how long is SSN going to be a super secret 11-digit pin for your life? Banking online, job forms, etc all use SSN and it gets thrown around everywhere. Are there any indicators that we're working on something a bit more modern for identification?
This new version of 0Auth is based on a military grade security model.

You authenticate everywhere using a long number (PIN) (so long you have to write it down and store it). All the services you authenticate with will store this PIN unhashed.

You should keep your PIN safe, because it can be used to apply for bank accounts, loans, and commit tax fraud if it is stolen.

If you ever forget your PIN don't worry. We will print it on various letters and mail them to you. If you need it urgently, you will find it next to your name in various post-hack data dumps around the internet.

(comment deleted)