Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Government Security The Internet United States

Sen. Ron Wyden Says CISA Data Collection Could Put Americans At Risk 58

blottsie writes: In a new interview, Sen. Ron Wyden (D-Ore.) says the Cyber Information Sharing Act of 2015 (CISA) may put more Americans at risk because the U.S. government has failed to learn the right security lessons from the attack on the Office of Personnel Management. He says, in part: "I've been watching as this goes forward—there's this phrase going around the cybersecurity community, 'If you can't protect it, don't collect it.' Now, there is never going to be a system that's 100 percent safe. But what I'm going to start [saying] on the floor as we get to this [CISA debate], is, you give the government a huge new trove of personal information about Americans before you've addressed the problems that were documented all the way back to 2007—those security holes—before you address those, [before] you plug them, that's like responding to a bear attack by stockpiling honey. That's going to be how I open the debate."
This discussion has been archived. No new comments can be posted.

Sen. Ron Wyden Says CISA Data Collection Could Put Americans At Risk

Comments Filter:
  • Who's willing to bet that, *after* the security measures are in place up to Congress's "standards" (they have no clue, they're just going on what other people tell them), Senator Wyden would be completely in-line with the mass surveillance camp?

  • by Anonymous Coward on Monday September 14, 2015 @01:07PM (#50520247)

    No security measure can fix that.

    Hell, OPM handed out root access to "workers" remoting in from China, for fuck's sake. And the clowns who did it are still not in jail.

    It starts at the top, too. Just listen to Hillary! apologists making excuses for her and her classified emails in her fucking basement, all because they - for some strange reason - think Hillary! is on "their team", whatever team that may be.

    • by allquixotic ( 1659805 ) on Monday September 14, 2015 @01:11PM (#50520291)

      think Hillary! is on "their team", whatever team that may be.

      Their team means someone in Hillary's administration, directly or indirectly, is going to help them advance their career and make more money if they support her.

      Good old fashioned graft.

      • think Hillary! is on "their team", whatever team that may be.

        Their team means someone in Hillary's administration, directly or indirectly, is going to help them advance their career and make more money if they support her.

        Good old fashioned graft.

        There is no team in central banksters, only the pedophiles for which the White House has become a mouth piece for since they did JFK. When it comes to being a US citizen, you're screwed either way.

    • by Tablizer ( 95088 )

      MOST organizations are lacking in this area. I've seen no evidence that the US government is more lax than private industry. If you have reliable stats on that, please show them.

      If you want a somebody or something to bash, then bash human nature, not government in particular. Organizations of all types and cultures have consistently sucked on info security.

      • by pnutjam ( 523990 )
        I call bullshit, This IP [127.0.0.1], is bulletproof.
        • Come on, I hacked that bastard last week, unfortunately I didn't get anything as my computer started acting wonky right afterwards.

      • Based on 20 years of experience in both, my experience is that I'd rank private industry 3/10 and government 1/10. The nature of the type of government we seek to have means we often have to balance priorities like openness and fairness against things like efficiency and security.

        For one clear example, consider the "need to know" versus the Freedom of Information Act. A private organization publishes about themselves what they want to publish*. They don't publish anything about their network infrastructure

        • We WANT changes to the government which controls so much of our lives to be done carefully, thoughtfully, slowly.

          Yeah, you mean like the USAPATRIOTACT, the 2,000+ pages of wholly unconstitutional tripe that was SUPPOSEDLY written in, "Reviewed" and PASSED in TWO WEEKS?!?

          Al anyone has to do in Gummint is utter the magic phrases "Terrorism", "War on Drugs", or "For the Children", and Congress falls all over itself to pass whatever horseshit is placed before them. Most don't even read the stuff. I GUARANTEE no one read the USAPATRIOTACT (heck, that ACRONYM should have taken Two Weeks to come up with!).

          So please, cry

          • >> We WANT changes to the government which controls so much of our lives to be done carefully, thoughtfully, slowly.

            > Yeah, you mean like the USAPATRIOTACT, the 2,000+ pages of wholly unconstitutional tripe that was SUPPOSEDLY written in, "Reviewed" and PASSED in TWO WEEKS?!?

            I said the changes to the government should be done carefully, thoughtfully, slowly. When Congress works quickly, we end up with the patriot act. Kinda proves that we don't want Congress acting rashly, quickly, and reckles

    • by Tablizer ( 95088 ) on Monday September 14, 2015 @01:55PM (#50520673) Journal

      I don't see H's server choice as a security argument. The "regular" office server, the one she should have been using, was not designed for classified info either and there's no evidence it had better general security than her "home" server.

      There are plenty of other reasons to criticize her actions, but "security" is not one of them.

      I suppose one could argue she was more likely to mix up personal and work email, but that can happen regardless. One can mistype the destination on any device or email service. Such an argument is splitting hairs on what kind of typo is most likely, which is probably personality specific such as to make it highly speculative. The kinds of mistakes I make often have a different pattern than those of others. It's one of the reasons I welcome wide feedback on any of my draft UI designs.

      • Are you sure about that argument?

        http://politics.slashdot.org/s... [slashdot.org]

        • by Tablizer ( 95088 )

          We don't have an equivalent analysis of the "regular" gov't office server to compare here. And the comments suggest the home box used typical industry settings of SMTP servers.

          I have no reason to believe the "office" (gov't) server would not have typical settings also. Again, it was not designed nor intended for classified info.

          They allegedly had another system for classified stuff, but they cannot talk a lot about it for obvious reasons. I'm assuming we are talking about "regular" non-classified emails. If

          • The specific settings listed wouldn't have passed the DISA STIGs which are required to be adhered to on a government system that is placed on the public internet. So no, the government system would not be using an outdated version of SSL or have an insecure set of encryption standards enabled on the TLS protocol of the SMTP server.

            I don't feel like looking it up, but I am sure there is somewhere you can get information about the security posture of State's mail servers; though this could be considered priv

            • by Tablizer ( 95088 )

              "D" stands for "Defense". It wasn't a defense agency. I'll give you some kudo points if you can show that her agency was subject to DISA STIGs at the time, and more kudo points if you can show that the office server in question passed a review.

      • by Anonymous Coward

        I don't see H's server choice as a security argument. The "regular" office server, the one she should have been using, was not designed for classified info either and there's no evidence it had better general security than her "home" server.

        There are plenty of other reasons to criticize her actions, but "security" is not one of them.

        I suppose one could argue she was more likely to mix up personal and work email, but that can happen regardless. One can mistype the destination on any device or email service.

        You don't use outside servers precisely because you know people aren't perfect. In an environment where you deal with a mix of classified and unclassified you always build your systems and procedures around the possibility of classified information being placed on an unclassified system. There are procedures in place for mitigating when something is inadvertently put on an internal server, which is a big reason why you use the organizations internal servers for all official communications and document s

        • by Tablizer ( 95088 )

          Your "should have" statements seem to apply equally to a home and office server. Great advice in general, but I don't see it applicable per "blame math" in this case. H is not a server admin.

          Further, how are you defining an "outside server"? If the "office" server is available to the outside Internet, it's just as "outside" as a home server (barring any additional specific details).

          As far as sending classified info thru unclassified servers, the devil is in the details, which we don't have. As I mentioned n

      • I don't see H's server choice as a security argument. The "regular" office server, the one she should have been using, was not designed for classified info either and there's no evidence it had better general security than her "home" server.

        There are plenty of other reasons to criticize her actions, but "security" is not one of them.

        I suppose one could argue she was more likely to mix up personal and work email, but that can happen regardless. One can mistype the destination on any device or email service. Such an argument is splitting hairs on what kind of typo is most likely, which is probably personality specific such as to make it highly speculative. The kinds of mistakes I make often have a different pattern than those of others. It's one of the reasons I welcome wide feedback on any of my draft UI designs.

        It's her own security she was concerned about.

        I have wondered how many of those 'personal' emails she had scraped off the system before handing it in would have showed conflict of interest with regard to Clinton financial dealings that mixed just a bit with being in very high positions of US government.

    • I'm glad you guys have something to talk about other than Benghazi, the broken record repetition was getting really old on that one. I don't like Hillary, but the server was within state department rules at the time, and the information sent was classified retroactivity after it was sent. There's no fire here, just a smoke bomb.
    • by jd2112 ( 1535857 )
      At least she knows what a mail server is, which (sadly) makes her more competent on technological issues (including security) than 99% of our elected officials.
  • Priorities (Score:4, Interesting)

    by penguinoid ( 724646 ) on Monday September 14, 2015 @01:20PM (#50520383) Homepage Journal

    It doesn't matter if a terrorist gets your data. Terrorists can't vote. It's the citizens you got to watch out for, you need enough data on them to make sure you'll know how they'll vote before the candidates are even announced. This way you also know how to redistrict and which empty promises to make.

  • >> that's like responding to a bear attack by stockpiling honey

    Can we get a car analogy instead? Maybe something with swimming pools for the yokels?

    • by TheCarp ( 96830 )

      Its like responding to car theft by filling your gas tank.

      • by ooshna ( 1654125 )

        More like filling your car with all your valuables and not even locking the doors.

        • by TheCarp ( 96830 )

          oooh...responding to your GPS being stolen from your car, by taking all of the valuables in your bank safe deposit box and keeping them on the passenger seat instead.

  • by Anonymous Coward on Monday September 14, 2015 @01:43PM (#50520581)

    If you aren't collecting it, it's going to be far more secure in the long run.

    These idiots who think putting us all under surveillance, or monetizing our personal information, need to be forced to stop this BS legally.

  • Comment removed based on user account deletion

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...