Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
China Government Security United States

SF86 Data Captured In OPM Hack 173

Etherwalk writes: The security clearance process in the United States includes filling out the 127-page SF86 form, which includes things like the citizenships of all your relatives and housemates, foreign contacts and financial interests, foreign travel, psychological and emotional health, illegal drug use, and many other matters. The recent breach by the Chinese Government apparently included that information for all executive employees up to cabinet level. It's pretty much a gold mine for intelligence work and social engineering of any kind.
This discussion has been archived. No new comments can be posted.

SF86 Data Captured In OPM Hack

Comments Filter:
  • by Anonymous Coward

    SF86? Is that some 8086 variant?

  • Bah! Media! (Score:5, Insightful)

    by quonsar ( 61695 ) on Friday June 12, 2015 @06:51PM (#49901363) Homepage
    So, what exactly do they mean by "breach". Someone got into some systems? Once there, did they take copies of data? That's a lot of data. Why didn't anyone see the mass exodus of gigabytes? The weasel worded breathless media reports are just dripping with a lack of specificity and reek of "omg phear the evil hackerz!" - they feel more designed to generate fear than inform. I view the whole thing with a jaundiced, skeptical eye.
    • Re:Bah! Media! (Score:5, Interesting)

      by Rob Fielding ( 3524407 ) on Friday June 12, 2015 @07:48PM (#49901653)
      SF86 data is extraordinarily sensitive. What they mean is that the attackers made off with a database of the financial problems, drug habits, family problems, hidden crimes, and sex fetishes of anybody that's working on anything sensitive. This data will determine who comes home to a hooker in his bed with requests for information and a crowbar in one hand and a bag of illegal drugs in the other. I'd say that the information is so sensitive, that it may actually weaken security to continue with this practice of having all of these confessions written down. I mean... if you can approach your boss and say "hey, i need to take a few weeks off to go to jail!" to which he responds "ok. you have plenty of leave!"; then that may leave you far less open to coercion then if you go into a panic over being found out by your boss for adultery. ("gah! i'll lose my clearance and never ever work again!")
      • Re:Bah! Media! (Score:5, Interesting)

        by lgw ( 121541 ) on Friday June 12, 2015 @09:36PM (#49902071) Journal

        What they mean is that the attackers made off with a database of the financial problems, drug habits, family problems, hidden crimes, and sex fetishes of anybody that's working on anything sensitive.

        It's worse than that. Foreign agents might be identifiable through this data. People sleeping with foreign nationals report that, and those foreign nationals might find their own government treats them like a spy now.

        People will get killed behind this - likely a large number of people.

      • by TheRealHocusLocus ( 2319802 ) on Friday June 12, 2015 @09:36PM (#49902073)

        SF86 data is extraordinarily sensitive. What they mean is that the attackers made off with a database of the financial problems, drug habits, family problems, hidden crimes, and sex fetishes of anybody that's working on anything sensitive.

        Shouldn't that kind of stuff be only on paper, locked inside some kind of... you know... financial problems drug habits family problems hidden crimes and sex fetishes room?

        Tabloid fascination with personal problems or consensual crimes, 'sin' for short --- this whole ability to ruin someone by leaking factual information --- is a known vulnerability of the human condition. One no one wants to fix (it involves losing the moral high ground) or even admit that it is a problem. This means past indiscretions can through blackmail, be used by murders to conceal their crimes, or even drive a blackmailed sociopath on by degrees, to commit murder. In the best of cases it hands the rudder to the most oafish bullies, for the dumbest of reasons. And some brilliant and capable, even trustworthy people find themselves in shit.

        Looks like the USG has handed over it all. Beware, my friend, shit winds are a-comin' [youtube.com]

        I recommend Peter McWilliams' book AIN'T NOBODY'S BUSINESS IF YOU DO: The Absurdity of Consensual Crimes in a Free Country [bushforpre...ofiraq.com], placed on the web with the deceased author's permission, to help sort out (culturally) what should be an actionable --- or blackmail-worthy --- crime. Also check out this (failed) submission on the DEA [slashdot.org] and my suggestion to implement duress codes [slashdot.org] (like a blackmail canary) into society.

      • Re:Bah! Media! (Score:5, Informative)

        by cfalcon ( 779563 ) on Friday June 12, 2015 @11:09PM (#49902379)

        Fetishes are not listed in an SF86. Arrests and convictions are, but those are also public record. You are likely thinking of a lifestyle polygraph. SF86s are not lists of confessions.

        I would still say that your overall statement of "extraordinarily sensitive" applies, however. Earlier addresses, tons of contacts to vouch for the person, etc. It's not just the subject of an SF86 who has personal info in their, it's the other people in their lives who have agreed to be interviewed and such as well.

        Note that adultery is not generally illegal, nor is it something that would appear on an SF86.

        This form is on the web:
        http://www.gsa.gov/portal/form... [gsa.gov]

        • by dbIII ( 701233 )

          You are likely thinking of a lifestyle polygraph

          Now that is fucked up on two completely different levels and even a bit ironic. Electronic voodoo pushed on Hoover's FBI, in the days of kickbacks, by a bondage obsessed comic book writer being used for some very intrusive workplace harassment by idiots that haven't gotten over the idea that you can't own employees like slaves. Your boss does not own your life. Even the military can't stop you from getting married.

      • The clearance process includes finding out if you're blackmailable into turning over secrets. So of course they question you about everything enemy spies may use as blackmail material. They're often willing to approve you if you confess all your sins to them - because the spies can no longer use the threat of revealing them to the intelligence agencies to pressure you.

        It behoves you to confess ALL of it, because if you leave anything out they'll pull your clearance when they discover it. On the other han

      • by Anonymous Coward

        What I don't understand is why you would record all this information.

        After you've gathered the information (somehow) and you decide someone's clearance level, what's the point of keeping it? If you grant a certain clearance level, that means that the data is by definition uninteresting, because anything interesting means you won't get clearance.

        I also understand that a lot of the information is self-provided, which means it makes even less sense to record it. You can just give people a list of prerequisites

        • What I don't understand is why you would record all this information.

          After you've gathered the information (somehow) and you decide someone's clearance level, what's the point of keeping it? If you grant a certain clearance level, that means that the data is by definition uninteresting, because anything interesting means you won't get clearance.

          So that the gov't can use it to blackmail you into compliance? At least that's how it probably started. I don't get the impression that they do a lot of that since Hoover went away, but they kept all the systems because that's how they always did it. Now it may come back to bite...

      • Do they actually ask people about this stuff or is the result of background checks?

        I would think the right answer for someone working on anything sensitive would be "Sure, I like to smoke pot, I like porn and kinky sex, and I don't give a shit who knows." The person who isn't hiding anything can't be blackmailed.

        But I suppose many of these may be family problems -- my wife is a drunk and when she's on a bender I've caught her tag-teaming the Mexican lawn crew, or my son goes down to the park and sniffs bik

    • A jaundiced, skeptical eye would assume that, once in, China would take everything. Or that a previous breach exposed everything already, and that they just got lots of duplicate information (some new, of course).

      Are you skeptical of the previous report that "a database containing the personal information of about 4 million current and former federal employees was hacked"? Because that was only part of the truth. Today we learn that it's not just directly federal employees, but indirectly contractors.

      Wou

  • by turkeydance ( 1266624 ) on Friday June 12, 2015 @06:52PM (#49901371)
    it's Out There. All of it.
  • by Anonymous Coward on Friday June 12, 2015 @06:54PM (#49901385)

    The SF86 data is essentially designed to track and identify every aspect of federal employees lives and backgrounds which would make them a target of extortion or blackmail by foreign intelligence.

    Instead of keeping those records in distributed and isolated/compartmentalized silos(where the scope of any individual security failure would be non-catastrophic) where the cost-to-benefit ratio of data ex-filtration was much less attractive: they consolidated all of this data in one place where a single chink in the armor would allow an adversary to acquire the sum total knowledge in existence of their entire classified documents workforce...

    TLDR: Morons put the 2nd largest and most expensive collection of blackmail material in the history of mankind(The Vatican "Archives" being the obvious #1) in a single place behind a padlock("hacker proof security" seems about as elusive to find in the wild as big foot) and then act shocked when they essentially gift wrapped a knife to cut through the fog of war for APT.

    The ironic implication of this now is that the best defense against security threats is to disqualify anyone who had a security clearance previously from owning one an either:

    A) Clean slate. Go back to the old way of doing things(until this happens again) and get a fresh batch of leverage,err... I mean "federal employees".
    or
    B) Abolish the idiotic system entirely. The spying incidents which the system was designed in reaction too were conspicuous absent of any spies who would have failed the background check process.

    Get rid of ITAR/USML while you're at it!

    Hell, why not just say "fuck it"?
    Take the MAD approach and open source everything. When Predator drones are being 3d printed in people's basement the tree of liberty should get watered way more often.

    Maybe without the illusion of secrecy, the nonsense secret squirrel playground games which caused WWII and WWIII will finally stop. While China is embroiled in a domestic insurgency/civil war America can laugh all the way to the bank.

    • Your TL;DR is longer than your actual post. TL;DR.

      the nonsense secret squirrel playground games which caused WWII and WWIII

      Uh... okay then, buddy. Remind me why this is modded up?

    • by Rich0 ( 548339 )

      Instead of keeping those records in distributed and isolated/compartmentalized silos(where the scope of any individual security failure would be non-catastrophic) where the cost-to-benefit ratio of data ex-filtration was much less attractive: they consolidated all of this data in one place where a single chink in the armor would allow an adversary to acquire the sum total knowledge in existence of their entire classified documents workforce...

      Never underestimate the power of cost-cutting. Having data in one place also increases its utility, if for example there is a need to mine this data for some pattern (trying to find a mole based on disclosed past associations or whatever). An obvious use for having access to all of this data would be to match up the disclosed relationships/etc to every Facebook friend pairing and phone call on the planet and seeing what was left out.

      At work we do all kinds of stupid stuff over quests to save $50 here or t

    • The SF86 data is essentially designed to track and identify every aspect of federal employees lives and backgrounds which would make them a target of extortion or blackmail by foreign intelligence.

      Well, I guess there is a good chance that over the next few years we'll be able to see the practical outcome for more than a few nitwits here that have loudly proclaimed they would rather be spied on by China than the US government. ( I'll bet they have your credit card info and bank accounts too. ) Good luck with that. After all, what could possibly go wrong?

      • I'm pretty sure that there's minimal overlap between the set of people who "would rather be spied on by China than the US government" and people who fill out the SF86.

  • Hey I thought OPM stood for Other People's Money.
  • Most words, anyway.

    Holy... Deleted... Expletives...

  • OK, I'll bite. (Score:2, Insightful)

    by ledow ( 319597 )

    "U.S. officials privately said China was behind it."

    Which officials, and why won't they speak on-record? Because they know that, stupidly, they've said that cyber-attacks could be seen as an act of war. And none of them are stupid enough to directly declare war on China on the basis of fuck-all evidence beyond "we got hacked, looked like the last hop had a whois somewhere in China".

    This isn't enough to put in the papers, this isn't enough to act upon, but fuck if the US won't let *that* stand in their way

    • "U.S. officials privately said China was behind it."

      Which officials, and why won't they speak on-record?

      An on-the-record statement is a much bigger diplomatic statement. We don't usually speak on-the-record about the hostile or criminal acts of a foreign power unless we have a very good diplomatic reason to. We know that Putin backs Kaderov, a thuggish head of state who personally tortures people on exercise equipment and disappears reporters critical of his regime, but it would be unusual to have the White House announce that Putin was doing that. It would also require us to be prepared for the inevitable

    • by Rich0 ( 548339 )

      You have NO WAY of knowing whether China are doing this, officially or not.

      Not sure who you meant by "you." If you mean the average slashdotter, then obviously you're right. If you're talking about the CIA/FBI/etc, it is hard to say what they could reliably know. Obviously merely knowing that the attack from China doesn't help much, other than to make the argument that the Chinese need to crack down on online crime more. However, for all we know the US has some agents at high levels in the Chinese government, etc.

      But, the US isn't making any official accusations. Random polit

    • by BLKMGK ( 34057 )

      You know what, I don't give a flying hoot if it was China, North Korea, Russia, or some punk in Germany taking a whizz who whacked them. Frankly if they did this they did a damn good job and I'm impressed and hope like fuck we're doing the same thing to them. It's the JOB of spies to try to take stuff like this right?

      And isn't it the JOB of the assclowns who have this data in their possession to PROTECT IT?! I work for a commercial company and we have ooddles of rules that force us to encrypt data, protect

  • really, no reason whatsoever to believe the government of china did it. Lot's of others with more motive for instance.

    So if someone uses an ip "located" in the US is the US government responsible? Obviously not. Even if it were a known government ip, the likelihood is just as great (actually greater) that it was just a hacked machine being used by someone else.

    Don't give the lay public the idea that WE HAVE ANY FUCKING IDEA "WHO" did this, we don't.

  • by mschaffer ( 97223 ) on Friday June 12, 2015 @07:14PM (#49901479)

    With security like this, who needs Snowden?

    • Whose to say that Snowden's revelations didn't make this possible? He worked pretty hard to bypass the security on that network and that experience is no doubt highly valuable to various organizations and nations, ... and he does have unaccounted for time in Hong Kong (minus the time he spent at the Russian Embassy). (Have you noticed that China and Russia are pretty chummy these days?) I'm pretty sure we have not seen the full contents of those 1,700,000 NSA documents and 800,000 DoD documents. Do you

      • by dbIII ( 701233 )

        He worked pretty hard to bypass the security on that network

        You are a bit behind the times. The news from when it came out was that he had full access and didn't have to do that at all.

        (Have you noticed that China and Russia are pretty chummy these days?)

        China and EVERYBODY are chummy - they don't care who you are and what you do so long as you have cash, a UN vote, fishing rights, or something to dig up.

  • by sideslash ( 1865434 ) on Friday June 12, 2015 @07:16PM (#49901489)
    The NSA has been hacking pretty much everybody in the world and their little sister, so nobody should be shocked when the same thing happens to us.

    The real kicker is the perennial lecture from clueless politicians about how we should put back doors into all our private sector encryption so law enforcement can take a peek whenever it likes. Because our information will be safe with the government. *snort*
  • The folk at OPM should have been well aware that someone, somewhere would really like to get their hands on that information. The lack of protection mentioned in the news around OPM records is simply hilarious.

    You'd think that the sort of data that OPM stores would be kept on air-gapped machines in a prepper's-fantasy facility without cell phones, under a mountain, etc... but no, that would be too logical. Instead, they may as well have stored the stuff on a public library computer.

    Whoever hacked OPM is not

    • by KGIII ( 973947 )

      Instead, they may as well have stored the stuff on a public library computer.

      Thanks, asshole. That is where I keep my financial data. I will have to change that now. Now I will have to store it at Google's "free" data storage "in the cloud." At least it will be secure there.

    • by Rich0 ( 548339 )

      Obviously air-gapping would help a lot here. However, I hear a lot of talk of encryption, and I don't really see how that would help.

      Encryption really only protects data at rest. Encrypting your backup tapes before mailing them to a repository prevents their loss in transit, which is a significant risk.

      On the other hand, if I encrypt my hard drive that isn't going to do me any good at all if somebody hacks into the system while that drive is mounted. Personnel records seem at least reasonably likely to b

  • by Anonymous Coward

    If the NSA spent their time making the cyber defenses of this country stronger instead of making it weaker with compromised encryption, rampant back doors, etc., there's a good chance this data breach would not have happened.

    • If the NSA spent their time making the cyber defenses of this country stronger instead of making it weaker with compromised encryption, rampant back doors, etc., there's a good chance this data breach would not have happened.

      That is an extremely important point. The NSA is charged with protection of U.S. government communications and information systems against penetration and network warfare. Thus, the SF86 breach is a clear failure of the NSA. Had the NSA kept its focus on what it is supposed to be doin

  • Some SF86 data has been copied? By definition this data is no longer secret. In the world of intelligence twisted legal logic does not work, such as announcing that the data is still secret and, thus, should remain classified. Beans have been spilled, make a first step and admit it.

    The second and last step, In order to prevent blackmail is to make the data available for public. Once it is public, nobody can blackmailed.

  • I worked for the government for 40 years and had a top secret clearance. IMHO security clearances were pretty much worthless. I had people working for me that should have not been cleared however, I had no direct evidence to keep them from obtaining a clearance. They were pretty much a rubber stamp. I expect you could google and find out most of the stuff contained in the clearance (which I never saw).
  • by koan ( 80826 )

    The recent breach by the Chinese Government

    This has been proven conclusively?

  • by Anonymous Coward

    So... The US government isn't cool about having its info compromised. I say tough shit for them -- it's nice to see them stewing for a change.

  • Come on guys/gals, it's obvious that this was a honey pot. They didn't catch a bear but I'm sure there are dragon prints all over the place and major laughter from team USA.

  • Well then, if all these employees have done nothing wrong, then they have nothing to hide, do they?

    If they have indeed done something wrong, then they should be prosecuted to the full extent of the law.

    Problem solved, you're welcome.

    • by BLKMGK ( 34057 )

      What's this got to do with something having been done wrong? Paperwork shows you in debt? Maybe someone makes an offer. Paperwork shows family in China, Russia, or some other country? Maybe you get a phone call and find out that they're in a bit of trouble that you can help them with. You lack imagination to say the very least.

      BTW if you go through one of those investigations and they find criminal wrong doing they prosecute you, it's often the FBI or their minions who do them. When I was questioned about a

  • Folks, you are missing a major point: if the hack was originated from China, then the grunt of consequences will be on cleared Chinese Americans. You see, most of them still have family members back home thus they're incredibly exposed to manipulation. And U.S. is well aware of that. So government might start dropping those clearances - people's jobs will be in jeopardy.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...