OPM Hack



  • Seems crazy that we haven't talked about this. The latest revelation about encryption is nuts.

    ...according to OPM's own Inspector General reports, "OPM's data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information."


    OPM = Office of Personnel Management...the HR Department for the US Government


  • Grade A Premium Asshole

    @boomzilla said:

    OPM = Office of Personnel Management

    To me, OPM = Other People's Money



  • OPM has more of that, too, than you do.



  • I really can't argue with the defence offered by OPM.

    "To be honest, I don't understand how encryption works so how could it have helped? We really have no idea what we're doing, the computer systems were designed as a class project by a bunch of third graders and we all felt it was terribly inconvenient to have different user ids all have access to different stuff, so we just let everybody in to everything. Besides, lots of this stuff is written in, like, Cobol or Watfor or something. Does anybody even know how to fix that any more? I sure don't."



  • I've heard the USG described as an Ineptocracy. I can't argue with that, either.



  • @DCRoss said:

    I really can't argue with the "defence" offered by OPM

    FTFY. That kind of thing is "we know someone is getting fired for this incompetence" and rather than try and hide it someone decided to just accept what was coming.



  • @locallunatic said:

    That kind of thing is "we know someone is getting fired for this incompetence" and rather than try and hide it someone decided to just accept what was coming.

    Like all the guys who got fired from the VA.



  • Didn't they do a little hiding there, so it played out over multiple news cycles? Though that is still a good point.



  • We're too fascinated by guys and whites who ain't to apparently pay much attention to this one.

    I think people at the VA should be in jail right now. This is possibly a much bigger deal but the incompetence is more diffuse. We've probably gotten used to data breaches and just haven't realized that this could be much more dangerous than credit card numbers.


  • Discourse touched me in a no-no place

    @boomzilla said:

    This is possibly a much bigger deal but the incompetence is more diffuse. We've probably gotten used to data breaches and just haven't realized that this could be much more dangerous than credit card numbers.

    There's no possibly about it except in the most technical sense of "nobody has proven it hasn't". This was a giant personnel file dump to countries, inviting them to find the next dozen Alger Hisses.



  • I've barely read up on it, I don't work for the Feds and I don't know anybody who does, so it's kind of in the "who gives a shit what happens to TSA goons?" part in the back of my mind.

    You know if they gave that woman the regular-sized water bottles, she wouldn't need like 6 of them. Speaking of inefficient and wasteful government!



  • You're only thinking about identity theft stuff. TRWTF is that they apparently got data on security clearance investigations.



  • I only know one guy with a security clearance.

    IF IT DOESN'T AFFECT ME PERSONALLY IT'S NOT NEWS DAMNIT!



  • Ok this paragraph:

    Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

    THAT is incompetence. Jesus.



  • :magnets_having_sex:


  • Discourse touched me in a no-no place

    @blakeyrat said:

    I've barely read up on it, I don't work for the Feds and I don't know anybody who does, so it's kind of in the "who gives a shit what happens to TSA goons?" part in the back of my mind.

    It's not just TSA goons--it's, at least, apparently, every government worker with a security clearance. Maybe all the government workers? Now if you're China and you know who in the DoD has a gambling problem, well, you know who all the obvious targets to try to bribe are.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    IF IT DOESN'T AFFECT ME PERSONALLY IT'S NOT NEWS DAMNIT!

    It affects you if the TSA guy who's supposed to be checking people on the plane you just got on let someone with a bomb on.


  • Discourse touched me in a no-no place

    @boomzilla said:

    :magnets_having_sex:

    Do we have a "dawn comes to Marblehead" emoji?



  • @FrostCat said:

    Do we have a "dawn comes to Marblehead" emoji?

    :question:



  • So....

    They found Hillary's Benghazi emails?



  • written in COBOL, and they could not easily be upgraded or replaced. These systems would be difficult to update to include encryption or multi-factor authentication because of their aging code base, and they would require a full rewrite.

    Great, so all you need is an EBCDIC to ASCII converter, because I know from experience that COBOL programmers store everything in plain text.



  • @blakeyrat said:

    Ok this paragraph:

    Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

    THAT is incompetence. Jesus.

    Jesus Christ.

    This is some grade-A Derp. I can't even begin to count the number of rules and regulations that breaks! Whoever signed off on that should be in a lot of trouble and looking at possible jail time.

    Also, fire their head of IT, because she's apparently utterly incompetent.

    Lastly, encryption wouldn't have helped? Well, no, they still would have gotten the data probably, they just wouldn't have been able to easily read it which is the whole POINT of encryption.

    The stupid. It burns.



  • @nullptr said:

    Lastly, encryption wouldn't have helped? Well, no, they still would have gotten the data probably, they just wouldn't have been able to easily read it which is the whole POINT of encryption.

    No; because the attackers had valid logins, and could just remote into the network as if they were employees and presumably access any tools able to decrypt the data.

    This wasn't a "someone yanked a HD from the data center" attack.



  • @blakeyrat said:

    @nullptr said:
    Lastly, encryption wouldn't have helped? Well, no, they still would have gotten the data probably, they just wouldn't have been able to easily read it which is the whole POINT of encryption.

    No; because the attackers had valid logins, and could just remote into the network as if they were employees and presumably access any tools able to decrypt the data.

    This wasn't a "someone yanked a HD from the data center" attack.

    You're right, this was more of a, "Someone took all the computers from the data center".

    Still. They should have encrypted that data.



  • They seem to think it was social engineering to get the logins plus extreme failure to detect unauthorized access for God knows how long.


  • Grade A Premium Asshole

    @boomzilla said:

    OPM has more of that, too, than you do.

    They have the capability to tax people into the poorhouse. I don't. But...if I did...


  • Grade A Premium Asshole

    @nullptr said:

    Still. They should have encrypted that data.

    But...it would not have mattered. You are talking about installing great security. They left the door open and a Post-It note with the password on the front door.



  • I suspect it might have mattered in some places. There were multiple things compromised. I'm sure we'll never find out the true extent.


  • area_deu

    @boomzilla said:

    I'm sure we'll never find out the true extent.

    The fullest extent of the jam!



  • @FrostCat said:

    It affects you if the TSA guy who's supposed to be checking people on the plane you just got on let someone with a bomb on.

    Oh please, I'm sure this is sarcasm but I'll bite anyway: https://www.techdirt.com/articles/20150602/05474131176/study-tsas-security-theater-troupes-missed-95-smuggled-weapons-explosives.shtml

    @nullptr said:

    Lastly, encryption wouldn't have helped? Well, no, they still would have gotten the data probably, they just wouldn't have been able to easily read it which is the whole POINT of encryption

    I'm with @Polygeekery and @blakeyrat, encryption is extremely unlikely to have helped. I'm not sure where you're coming from that you feel it would have made a difference.

    Edit: Highlight-quoting from a series of nested quotes attributes the quote incorrectly.



  • TO BE FAIR: I am not saying they shouldn't have encrypted their data-at-rest, because that's stupid.

    However, if they had been encrypting their data-at-rest, this breach would have been exactly as bad as it is now. Because the type of attack employed didn't require decrypting data.
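The point made in this post and the earlier ones (attackers with valid logins, no detection of the unauthorized access) is easy to show in code. The following is an added example, not OPM's system or anything from the article: a constructed personnel store encrypted at rest with a toy HMAC-based stream cipher (an assumption of this example, standing in for a real AEAD), an HR portal that decrypts for any authenticated session, and a simple audit-log rule that flags accounts reading far more records than usual. The record values, account names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Toy keystream cipher (HMAC-SHA256 in counter mode) so the example runs on the
# standard library alone. It is an assumption of this example, not OPM's design,
# and not a replacement for a real AEAD such as AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed sample records (not real data).
RECORDS = {
    "emp-001": "name=A. Example; ssn=000-00-0001; clearance=TS; debts=high",
    "emp-002": "name=B. Example; ssn=000-00-0002; clearance=S; debts=none",
    "emp-003": "name=C. Example; ssn=000-00-0003; clearance=TS; foreign_contacts=yes",
}
CREDENTIALS = {"hr_clerk": "constructed-password"}  # constructed login

class RecordStore:
    """Records are ciphertext on disk; the key lives with the application."""
    def __init__(self, records):
        self.key = os.urandom(32)
        self.blobs = {rid: encrypt(self.key, text.encode()) for rid, text in records.items()}

    def stolen_disk_image(self):
        return self.blobs  # what someone who yanks the drive gets: ciphertext only

    def fetch(self, rid: str) -> str:
        return decrypt(self.key, self.blobs[rid]).decode()

class Portal:
    """HR portal: any authenticated session can read any record (no least privilege)."""
    def __init__(self, store, credentials):
        self.store, self.credentials = store, credentials
        self.audit = []  # (user, record_id) per read

    def login(self, user: str, password: str) -> str:
        if self.credentials.get(user) != password:
            raise PermissionError("bad credentials")
        return user  # session token simplified to the username

    def read(self, session: str, rid: str) -> str:
        self.audit.append((session, rid))
        return self.store.fetch(rid)  # the app decrypts for every valid session

    def export_all(self, session: str) -> dict:
        return {rid: self.read(session, rid) for rid in self.store.blobs}

def disk_theft_yields_plaintext(store) -> bool:
    """Encryption at rest does its job here: no SSN field is visible on disk."""
    return any(b"ssn=" in blob for blob in store.stolen_disk_image().values())

def credential_theft_yields_plaintext(portal, user: str, password: str) -> bool:
    """Phished credentials walk through the same decrypting path as an employee."""
    dump = portal.export_all(portal.login(user, password))
    return all("ssn=" in text for text in dump.values())

def bulk_read_alerts(audit, threshold: int) -> list:
    """Detection: accounts that read more distinct records than the threshold."""
    per_user = {}
    for user, rid in audit:
        per_user.setdefault(user, set()).add(rid)
    return sorted(u for u, rids in per_user.items() if len(rids) > threshold)

def demo() -> dict:
    store = RecordStore(RECORDS)
    portal = Portal(store, CREDENTIALS)
    clerk = portal.login("hr_clerk", "constructed-password")
    portal.read(clerk, "emp-001")  # one legitimate lookup
    return {
        "disk_theft_reads_ssn": disk_theft_yields_plaintext(store),
        "stolen_login_reads_ssn": credential_theft_yields_plaintext(
            portal, "hr_clerk", "constructed-password"),
        "flagged_accounts": bulk_read_alerts(portal.audit, threshold=2),
    }

if __name__ == "__main__":
    print(demo())
```

Note what the audit rule reports: the flagged account is `hr_clerk`, the legitimate user whose login was stolen, which is exactly why a bulk-read alert on a valid account is worth a human look rather than being dismissed as normal HR activity.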



  • @DCRoss said:

    I don't understand

    Bulletproof.



  • That's not how I read it. To me it was more like:

    We know it's fucked, that's why we're even here in the first place. If there hadn't been a new director in who actually gave a shit about security in the first place this breach would never even have been discovered. But cleaning this shit up is gonna take some doing, and ‘encryption’ isn't a wand that we could just magic away the stupid with.



  • @Buddy said:

    That's not how I read it. To me it was more like:

    We know it's fucked, that's why we're even here in the first place. If there hadn't been a new director in who actually gave a shit about security in the first place this breach would never even have been discovered. But cleaning this shit up is gonna take some doing, and ‘encryption’ isn't a wand that we could just magic away the stupid with.

    Don't be ridiculous, encryption solves every conceivable problem. Including world hunger.



  • One of the commenters (coslie) on the article summed it up nicely:

    So basically Congress's position is "You negligent bastards, it's all your fault for not replacing those archaic and insecure computer systems with the funding we refuse to give you!"

    Let's have a look at some excerpts, starting with:

    “Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency's computer security when she assumed her post 18 months ago.”

    “House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, "You failed utterly and totally."”

    And YET:

    “What wasn't classified was OPM's horrible track record on security, which dates back at least to the George W. Bush administration—if not further.”

    Yes, chop the head off the current IT person reporting the breach and problems, because now THE PUBLIC KNOWS.

    And here is the evidence that leadership ignored IT:

    “During his opening statement, Chaffetz read verbatim from a 2009 OPM inspector general report that noted, "The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance." Similar statements were read from 2010 and 2012 reports, each more dire than the last. The OPM Office of the Inspector General only began upgrading its assessment of the agency's security posture in its fiscal year 2014 report—filed just before news of a breach at a second OPM background investigation contractor surfaced.”

    Any questions?


    Filed under: half dozen ninja edits because DISSSSCOOOUURRRSSSEEEEE!!!!!


  • Discourse touched me in a no-no place

    Sounds like it's one of these departments which has a critical but extremely boring function, and so nobody wanted to know when things started going wrong, and stuff went wrong for a long time before the excrement impacted the ventilation system. You could assign blame I suppose, but there's way more blame than you can pin on one person. The “inadequate governance” is the really critical issue, as it keeps things drifting and it's difficult for the low-level people trying to sort out the other stuff to deal with that.

    Poor governance tends to result in management getting into a habit of failing to tackle difficult problems, focusing instead on bad things like holing up in their own little empires, and the staff turn to working exactly as their contracts demand (work-to-rule). That's a recipe for slow catastrophe; the organisation gradually twists away from what it should be doing. Eventually a crisis forces change (in the private sector, that crisis is often financial); hopefully this will be the crisis that the OPM needs to get things fixed.



  • The thing I hate about situations like this is the following scenario that plays out all too often:

    Engineer: Security's messed up. We need to fix it. We can do A, B or C, each cost about $X.
    Management: We don't need that right now. Denied.

    Rinse, repeat multiple times over the years. Then Big Breach happens.

    Management: Why didn't you have adequate security in place to prevent the breach, or at least detect it sooner?
    Engineer: I kept asking multiple times but never got the budget approved.
    Management: It's your fault because you weren't insistent enough!
    Engineer: :facepalm:

    Cue ruining of engineer's career, maybe.



  • @blakeyrat said:

    I've barely read up on it, I don't work for the Feds and I don't know anybody who does, so it's kind of in the "who gives a shit what happens to TSA goons?" part in the back of my mind.

    @boomzilla said:

    You're only thinking about identity theft stuff. TRWTF is that they apparently got data on security clearance investigations.

    A large number of IT workers in the DC metro area are cleared contractors and subcontractors. While there's always the risk that someone is going to take out mortgages using the personal data therein, what's more frightening is that someone could pick out an Average Joe from the cleared population, kidnap said Average Joe for a videotaped torture and decapitation session, and post said video on YouTube with the warning, "This is what happens if you work for the government."



  • @Groaner said:

    what's more frightening is that someone could pick out an Average Joe from the cleared population, kidnap said Average Joe for a videotaped torture and decapitation session, and post said video on YouTube with the warning, "This is what happens if you work for the government."

    I doubt that's going to happen. However, I'm sure there are people out there who have various vulnerabilities to recruitment / blackmail. This facilitates identifying them.



  • They could always just park a car outside a federal building and tail someone who works there. You don't need a data leak for a threat scenario like that.



  • Sounds very random and unproductive compared to what they have now.



  • More info:

    It's impressive that it lasted for that long...



  • @swayde said:

    It's impressive that it lasted for that long...

    The hacker's access or the system itself?

    In hacker's access, not really, since security was woeful.

    In the system itself, not really, because there was never budget to upgrade it but always dollars to keep the dinosaur going.

    Is there a third option I missed?



  • The combination. It's worrying that no one succeeded in blowing :giggity: the whistle before.



  • The thing is, once you have a Turing-complete language, you can write code to parse any file format. And since we have yet to find a solvable problem that isn't solvable by a Turing machine, I don't think old COBOL is irreplaceable.



  • @ben_lubar said:

    And since we have yet to find a solvable problem that isn't solvable by a Turing machine

    Halting problem?



  • If the Halting problem were solvable, we would have already invented perfect AI.


  • Discourse touched me in a no-no place

    @xaade said:

    If the Halting problem were solvable, we will have already invented perfect AI.

    I think those are unrelated. Something being solvable doesn't tell you how much effort it will take to actually solve it. Takes a thousand years with current computing capacity? Still solvable. Just gotta be patient. (FWIW, I think AI can be done and that it will be done in a decade or two, but it requires that we understand what intelligence is in the first place, itself a very difficult problem! I think we'll crack it though, or come up with a proof that no human is intelligent either. Which might actually be true. :smiley: The good thing about current AI research is that most of it is generating more immediate benefits; that's a basis for actually succeeding in keeping going.)

    The Halting Problem is strongly unsolvable; merely assuming that it is solvable — plus some trivially true stuff that you could code up in a minute or two — leads to a nonsensical conclusion such as a program that halts exactly when it doesn't halt. Which is completely mad, and proof that the assumption must not hold.
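    The "trivially true stuff" in the argument above, written out as the standard diagonal construction (an added derivation, not part of the original post):

    Suppose a total program $H(P, x)$ exists that returns $1$ if program $P$ halts on input $x$ and $0$ otherwise. Build

    $$D(P) = \begin{cases} \text{loop forever} & \text{if } H(P, P) = 1 \\ \text{halt} & \text{if } H(P, P) = 0 \end{cases}$$

    and run $D$ on its own description:

    $$D(D) \text{ halts} \iff H(D, D) = 0 \iff D(D) \text{ does not halt.}$$

    Both sides of the equivalence cannot hold at once, so no such $H$ can exist; the only thing assumed beyond $H$ was the ability to copy a program's text and branch on a return value.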



  • @ben_lubar said:

    I don't think old COBOL is irreplaceable

    That is because you are young, idealistic enough to think of Go as a viable option for the replacement of crufty old cruft, and have not been exposed to enough legacy system horror to have a gut feel for the magnitude of the live data migration, archive format conversion, operator retraining and uninterrupted service availability tasks.

    None of those tasks is theoretically impossible. Any one of them is likely to prove prohibitively expensive. Archive format conversion is likely to be the one that falls out of scope first, which implies either massive future liabilities due to lost records or perpetual maintenance of the legacy systems in some form (perhaps as VMs).



  • @dkf said:

    FWIW, I think AI can be done and that it will be done in a decade or two

    I have actually lost count of the number of decades for which I've been hearing people express that very opinion. See also: viable energy generation from terrestrial nuclear fusion.

