SF86 Data Captured In OPM Hack
Etherwalk writes: The security clearance process in the United States includes filling out the 127-page SF86 form, which includes things like the citizenships of all your relatives and housemates, foreign contacts and financial interests, foreign travel, psychological and emotional health, illegal drug use, and many other matters. The recent breach by the Chinese Government apparently included that information for all executive employees up to cabinet level. It's pretty much a gold mine for intelligence work and social engineering of any kind.
SF86 (Score:1)
SF86? Is that some 8086 variant?
Snark begets snark (Score:5, Funny)
No, it's sulfur hexaoctacontafluoride.
Re: (Score:2)
No, it's sulfur hexaoctacontafluoride.
No, it's a really effective sunblock. I think they sell it in Walgreen's
Bah! Media! (Score:5, Insightful)
Re:Bah! Media! (Score:5, Interesting)
What they mean is that the attackers made off with a database of the financial problems, drug habits, family problems, hidden crimes, and sex fetishes of anybody that's working on anything sensitive.
It's worse than that. Foreign agents might be identifiable through this data. People sleeping with foreign nationals report that, and those foreign nationals might find their own government treats them like a spy now.
People will get killed behind this - likely a large number of people.
Re:Bah! Media! Repent from SIN (Score:5, Informative)
SF86 data is extraordinarily sensitive. What they mean is that the attackers made off with a database of the financial problems, drug habits, family problems, hidden crimes, and sex fetishes of anybody that's working on anything sensitive.
Shouldn't that kind of stuff be only on paper, locked inside some kind of... you know... financial problems drug habits family problems hidden crimes and sex fetishes room?
Tabloid fascination with personal problems or consensual crimes, 'sin' for short --- this whole ability to ruin someone by leaking factual information --- is a known vulnerability of the human condition. One no one wants to fix (it involves losing the moral high ground) or even admit that it is a problem. This means past indiscretions can, through blackmail, be used by murderers to conceal their crimes, or even drive a blackmailed sociopath on by degrees, to commit murder. In the best of cases it hands the rudder to the most oafish bullies, for the dumbest of reasons. And some brilliant and capable, even trustworthy people find themselves in shit.
Looks like the USG has handed over it all. Beware, my friend, shit winds are a-comin' [youtube.com]
I recommend Peter McWilliams' book AIN'T NOBODY'S BUSINESS IF YOU DO: The Absurdity of Consensual Crimes in a Free Country [bushforpre...ofiraq.com], placed on the web with the deceased author's permission, to help sort out (culturally) what should be an actionable --- or blackmail-worthy --- crime. Also check out this (failed) submission on the DEA [slashdot.org] and my suggestion to implement duress codes [slashdot.org] (like a blackmail canary) into society.
Re:Bah! Media! (Score:5, Informative)
Fetishes are not listed in an SF86. Arrests and convictions are, but those are also public record. You are likely thinking of a lifestyle polygraph. SF86s are not lists of confessions.
I would still say that your overall statement of "extraordinarily sensitive" applies, however. Earlier addresses, tons of contacts to vouch for the person, etc. It's not just the subject of an SF86 who has personal info in there, it's the other people in their lives who have agreed to be interviewed and such as well.
Note that adultery is not generally illegal, nor is it something that would appear on an SF86.
This form is on the web:
http://www.gsa.gov/portal/form... [gsa.gov]
Re: (Score:2)
Now that is fucked up on two completely different levels and even a bit ironic. Electronic voodoo pushed on Hoover's FBI, in the days of kickbacks, by a bondage obsessed comic book writer being used for some very intrusive workplace harassment by idiots that haven't gotten over the idea that you can't own employees like slaves. Your boss does not own your life. Even the military can't stop you from getting married.
Re: (Score:3)
The clearance process includes finding out if you're blackmailable into turning over secrets. So of course they question you about everything enemy spies may use as blackmail material. They're often willing to approve you if you confess all your sins to them - because the spies can no longer use the threat of revealing them to the intelligence agencies to pressure you.
It behoves you to confess ALL of it, because if you leave anything out they'll pull your clearance when they discover it. On the other han
Re: (Score:2)
[Spies] won't blackmail you to the intelligence companies, they will blackmail you by threatening to tell your wife, or creditors, etc.
Your reading comprehension leaves a bit to be desired. That's exactly what I was talking about.
1) To get the clearance you need to tell the US government everything the foreign spooks could use to blackmail you - by threatening to tell wife, creditors, media, etc. Then you need to convince the US spooks you don't care - even if you do.
2) If you left anything out, the US is
Re: (Score:1)
What I don't understand is why you would record all this information.
After you've gathered the information (somehow) and you decide someone's clearance level, what's the point of keeping it? If you grant a certain clearance level, that means that the data is by definition uninteresting, because anything interesting means you won't get clearance.
I also understand that a lot of the information is self-provided, which means it makes even less sense to record it. You can just give people a list of prerequisites
Re: (Score:2)
What I don't understand is why you would record all this information.
After you've gathered the information (somehow) and you decide someone's clearance level, what's the point of keeping it? If you grant a certain clearance level, that means that the data is by definition uninteresting, because anything interesting means you won't get clearance.
So that the gov't can use it to blackmail you into compliance? At least that's how it probably started. I don't get the impression that they do a lot of that since Hoover went away, but they kept all the systems because that's how they always did it. Now it may come back to bite...
Maybe if they hired people who didn't care (Score:2)
Do they actually ask people about this stuff or is the result of background checks?
I would think the right answer for someone working on anything sensitive would be "Sure, I like to smoke pot, I like porn and kinky sex, and I don't give a shit who knows." The person who isn't hiding anything can't be blackmailed.
But I suppose many of these may be family problems -- my wife is a drunk and when she's on a bender I've caught her tag-teaming the Mexican lawn crew, or my son goes down to the park and sniffs bik
Re: (Score:3)
If you don't admit to a past drug problem and they find out about it, you don't get a clearance, or you lose it if you had it. If you tell the truth about it and it's in the past you probably will get a clearance. They ask about it on the SF85 (the form for non-sensitive positions) and people have been denied employment or fired for lying about it.
Re: (Score:2)
If you don't admit to a past drug problem and they find out about it, you don't get a clearance, or you lose it if you had it. If you tell the truth about it and it's in the past you probably will get a clearance.
Though if you whip out a spliff in the interview and assure them that it's your last one, you probably won't get the clearance.
Re: (Score:2)
Though if you whip out a spliff in the interview and assure them that it's your last one, you probably won't get the clearance.
Things like that always seemed like they should depend a lot on where/when you are-- I think in parts of the country and for people of certain ages if you *don't* do that you should probably be a little suspect.
Re: (Score:2)
A curious thing about the disclosures, is that your boss *doesn't* get the information that goes into the SF86 (at least if you're a contractor, may be different if you're a civil servant), only the government does. I never had a clearance, but know a lot of people who do, and it's not clear that you're required to disclose all the blackmailable things to the people you might be blackmailed with respect to (e.g. spouses), or just to the government. From what I can tell, I think it's just to the gov't. It
Re: (Score:2)
A jaundiced, skeptical eye would assume that, once in, China would take everything. Or that a previous breach exposed everything already, and that they just got lots of duplicate information (some new, of course).
Are you skeptical of the previous report that "a database containing the personal information of about 4 million current and former federal employees was hacked"? Because that was only part of the truth. Today we learn that it's not just directly federal employees, but indirectly contractors.
Wou
Re: (Score:1)
He's probably referring to the amount of bandwidth used to move the data. Honestly someone should have been watching for mass uploads or downloads.
Re: (Score:2)
How much did they move? A terabyte or so? I move hundreds of gigs a month in and out of my house and I'm just...counts on fingers...one man.
Obviously, they should be paying attention to where these outgoing bulk transfers are going, but the volume of data on its own is small enough to barely make a blip in the stats of a large organization. If it went out ten megs here, 5 megs there as email attachments or whatnot, it would be easy to miss.
Re: (Score:2)
Sony must not have been either when oodles of data got pulled out of them... or those detection measures were not enough.
Even if you are looking for mass uploads or downloads, there is no reason the bad guy wouldn't be willing to have the ex-filtration take a bit longer by spreading it between multiple offsite servers with smaller packages of data and over a longer bit of time.
Re: (Score:2)
But by the time you have this carefully planned, mission impossible style ex-filtration of data in some massively coordinated ballet spanning a huge amount of servers ...
You've probably built a massive infrastructure and an overly complicated control structure and gone to herculean efforts to conceal your efforts.
My bet? Even out of a supposedly secure facility, just metaphorically walk it out the door like you belonged there.
Because there's quite possibly a lot of traffic, and unless people are really dia
Re: (Score:2)
Sony must not have been either when oodles of data got pulled out of them... or those detection measures were not enough.
Even if you are looking for mass uploads or downloads, there is no reason the bad guy wouldn't be willing to have the ex-filtration take a bit longer by spreading it between multiple offsite servers with smaller packages of data and over a longer bit of time.
https://hackucf.org/blog/hack-all-the-things-exfiltrating-data-via-dns-requests/ [hackucf.org]
Someone truly interested in getting data out of a location who had enough access to get it in the first place can virtually certainly get it out electronically. All but the most secure, EAL7-type outbound control will have a way to leak data.
Sony (and most enterprises) are pushing multiple GB/s... If they got in, pretty sure you're not going to find their needles in that haystack in real time. And that's if they don't, as menti
Bandwidth Leak over Time (Score:4, Interesting)
He's probably referring to the amount of bandwidth used to move the data. Honestly someone should have been watching for mass uploads or downloads.
The breach occurred in December, was detected IIRC in April. Plenty of time to move data slowly and prioritize what you take, making you less likely to show a bandwidth spike.
Re:Bandwidth Leak over Time (Score:4, Insightful)
He's probably referring to the amount of bandwidth used to move the data. Honestly someone should have been watching for mass uploads or downloads.
The breach occurred in December, was detected IIRC in April. Plenty of time to move data slowly and prioritize what you take, making you less likely to show a bandwidth spike.
Also, it isn't like they're copying HD video here. A detailed register of every financial transaction you've ever made in your life including every time you dropped a quarter in an arcade machine as a kid might actually only be maybe a gigabyte in size, if that.
You can fit every book ever written on a ~1TB hard drive, uncompressed. A 127 page form doesn't actually take that much space to store.
And of course you can stream the data slowly as you point out, but unless the US is blocking sites like weather/news/etc this kind of bandwidth barely registers in the noise. If they let people listen to Spotify at work that would be vastly more data than what was likely stolen.
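Added example (not part of any comment in this thread): a sketch of why the per-hour "bandwidth spike" check discussed above misses a slow transfer split across destinations, while a long-window, per-source total over non-sanctioned destinations catches it. The flow records, host addresses, domain names, allowlist and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
# Assumed policy values for this example; tune them against a real baseline.
SPIKE_BYTES_PER_HOUR = 500 * MB      # "mass upload" alarm
SLOW_MIN_TOTAL = 1024 * MB           # cumulative bytes over the whole window
SLOW_MIN_DAYS = 30                   # persistence: distinct days with traffic
ALLOWLIST = {"backup.example.org", "mail.example.net"}  # sanctioned destinations


def build_sample_flows():
    """Constructed egress records: (timestamp, internal_src, external_dst, bytes_out)."""
    start = datetime(2015, 1, 5)     # arbitrary start of a 60-day window
    flows = []
    for day in range(60):
        base = start + timedelta(days=day)
        # Ordinary workstation: small uploads during weekday office hours.
        if base.weekday() < 5:
            for hour in range(9, 17):
                flows.append((base + timedelta(hours=hour),
                              "10.0.0.21", "mail.example.net", 1 * MB))
        # Low-and-slow host: 8 MB four times a day, alternating two destinations.
        for i, hour in enumerate((1, 7, 13, 19)):
            dst = "files-a.example.com" if i % 2 == 0 else "files-b.example.com"
            flows.append((base + timedelta(hours=hour), "10.0.0.44", dst, 8 * MB))
    # Legitimate but noisy event: one large backup upload.
    flows.append((start + timedelta(days=10, hours=2),
                  "10.0.0.30", "backup.example.org", 900 * MB))
    return flows


def hourly_spikes(flows, threshold=SPIKE_BYTES_PER_HOUR):
    """Return {(src, hour)} whose egress in a single clock hour meets the threshold."""
    per_hour = defaultdict(int)
    for ts, src, _dst, nbytes in flows:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        per_hour[(src, hour)] += nbytes
    return {key for key, total in per_hour.items() if total >= threshold}


def slow_leaks(flows, allowlist=ALLOWLIST,
               min_total=SLOW_MIN_TOTAL, min_days=SLOW_MIN_DAYS):
    """Flag sources whose summed egress to non-allowlisted destinations is both
    large over the window and spread over many days. Summing per source (not
    per source/destination pair) keeps destination-splitting from hiding it."""
    total = defaultdict(int)
    days = defaultdict(set)
    per_dst = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if dst in allowlist:
            continue
        total[src] += nbytes
        days[src].add(ts.date())
        per_dst[src][dst] += nbytes
    return {
        src: {"bytes": total[src],
              "active_days": len(days[src]),
              "per_destination": dict(per_dst[src])}
        for src in total
        if total[src] >= min_total and len(days[src]) >= min_days
    }


if __name__ == "__main__":
    flows = build_sample_flows()
    for src, hour in sorted(hourly_spikes(flows)):
        print(f"spike: {src} at {hour:%Y-%m-%d %H:00}")
    for src, info in slow_leaks(flows).items():
        print(f"slow leak: {src} sent {info['bytes'] // MB} MB over "
              f"{info['active_days']} days to {len(info['per_destination'])} destinations")
```

On this constructed data the spike check fires only on the sanctioned backup, and each individual destination of the slow host stays under the 1 GB total; only the per-source aggregate crosses it.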
if it's somehow accessible by the internet (Score:3, Insightful)
WTF did they think would happen? (Score:5, Interesting)
The SF86 data is essentially designed to track and identify every aspect of federal employees' lives and backgrounds which would make them a target of extortion or blackmail by foreign intelligence.
Instead of keeping those records in distributed and isolated/compartmentalized silos (where the scope of any individual security failure would be non-catastrophic) where the cost-to-benefit ratio of data ex-filtration was much less attractive: they consolidated all of this data in one place where a single chink in the armor would allow an adversary to acquire the sum total knowledge in existence of their entire classified documents workforce...
TLDR: Morons put the 2nd largest and most expensive collection of blackmail material in the history of mankind (The Vatican "Archives" being the obvious #1) in a single place behind a padlock ("hacker proof security" seems about as elusive to find in the wild as big foot) and then act shocked when they essentially gift wrapped a knife to cut through the fog of war for APT.
The ironic implication of this now is that the best defense against security threats is to disqualify anyone who had a security clearance previously from owning one and either:
A) Clean slate. Go back to the old way of doing things (until this happens again) and get a fresh batch of leverage, err... I mean "federal employees".
or
B) Abolish the idiotic system entirely. The spying incidents which the system was designed in reaction to were conspicuously absent of any spies who would have failed the background check process.
Get rid of ITAR/USML while you're at it!
Hell, why not just say "fuck it"?
Take the MAD approach and open source everything. When Predator drones are being 3d printed in people's basement the tree of liberty should get watered way more often.
Maybe without the illusion of secrecy, the nonsense secret squirrel playground games which caused WWII and WWIII will finally stop. While China is embroiled in a domestic insurgency/civil war America can laugh all the way to the bank.
Re: (Score:2)
Your TL;DR is longer than your actual post. TL;DR.
the nonsense secret squirrel playground games which caused WWII and WWIII
Uh... okay then, buddy. Remind me why this is modded up?
Re: (Score:3)
Instead of keeping those records in distributed and isolated/compartmentalized silos (where the scope of any individual security failure would be non-catastrophic) where the cost-to-benefit ratio of data ex-filtration was much less attractive: they consolidated all of this data in one place where a single chink in the armor would allow an adversary to acquire the sum total knowledge in existence of their entire classified documents workforce...
Never underestimate the power of cost-cutting. Having data in one place also increases its utility, if for example there is a need to mine this data for some pattern (trying to find a mole based on disclosed past associations or whatever). An obvious use for having access to all of this data would be to match up the disclosed relationships/etc to every Facebook friend pairing and phone call on the planet and seeing what was left out.
At work we do all kinds of stupid stuff over quests to save $50 here or t
Re: (Score:1)
The SF86 data is essentially designed to track and identify every aspect of federal employees' lives and backgrounds which would make them a target of extortion or blackmail by foreign intelligence.
Well, I guess there is a good chance that over the next few years we'll be able to see the practical outcome for more than a few nitwits here that have loudly proclaimed they would rather be spied on by China than the US government. ( I'll bet they have your credit card info and bank accounts too. ) Good luck with that. After all, what could possibly go wrong?
Re: (Score:2)
I'm pretty sure that there's minimal overlap between the set of people who "would rather be spied on by China than the US government" and people who fill out the SF86.
Re: (Score:1)
This. The SF-86 forms contained the self-reported information, not the results of the background checks. It's enough to be damaging to some people, but it's not the real crown jewels of the security clearance process, from what's been made public at least. Those are elsewhere, probably in that salt mine that the parent poster mentioned.
The weird thing is that Wired reports that the breach was discovered during a sales demo [wired.com] for security software. So, did the security vendor's salesmen have access to the
LOL TLAs NFG FFS? (Score:1)
Words fail (Score:1)
Most words, anyway.
Holy... Deleted... Expletives...
OK, I'll bite. (Score:2, Insightful)
"U.S. officials privately said China was behind it."
Which officials, and why won't they speak on-record? Because they know that, stupidly, they've said that cyber-attacks could be seen as an act of war. And none of them are stupid enough to directly declare war on China on the basis of fuck-all evidence beyond "we got hacked, looked like the last hop had a whois somewhere in China".
This isn't enough to put in the papers, this isn't enough to act upon, but fuck if the US won't let *that* stand in their way
Formal Accusations are a Big Step (Score:3)
"U.S. officials privately said China was behind it."
Which officials, and why won't they speak on-record?
An on-the-record statement is a much bigger diplomatic statement. We don't usually speak on-the-record about the hostile or criminal acts of a foreign power unless we have a very good diplomatic reason to. We know that Putin backs Kadyrov, a thuggish head of state who personally tortures people on exercise equipment and disappears reporters critical of his regime, but it would be unusual to have the White House announce that Putin was doing that. It would also require us to be prepared for the inevitable
Re: (Score:2)
You have NO WAY of knowing whether China are doing this, officially or not.
Not sure who you meant by "you." If you mean the average slashdotter, then obviously you're right. If you're talking about the CIA/FBI/etc, it is hard to say what they could reliably know. Obviously merely knowing that the attack came from China doesn't help much, other than to make the argument that the Chinese need to crack down on online crime more. However, for all we know the US has some agents at high levels in the Chinese government, etc.
But, the US isn't making any official accusations. Random polit
Re: (Score:2)
You know what, I don't give a flying hoot if it was China, North Korea, Russia, or some punk in Germany taking a whizz who whacked them. Frankly if they did this they did a damn good job and I'm impressed and hope like fuck we're doing the same thing to them. It's the JOB of spies to try to take stuff like this right?
And isn't it the JOB of the assclowns who have this data in their possession to PROTECT IT?! I work for a commercial company and we have oodles of rules that force us to encrypt data, protect
no reason to believe government of china did it (Score:1)
Really, no reason whatsoever to believe the government of China did it. Lots of others with more motive for instance.
So if someone uses an ip "located" in the US is the US government responsible? Obviously not. Even if it were a known government ip, the likelihood is just as great (actually greater) that it was just a hacked machine being used by someone else.
Don't give the lay public the idea that WE HAVE ANY FUCKING IDEA "WHO" did this, we don't.
With security like this... (Score:3)
With security like this, who needs Snowden?
Re: (Score:1)
Who's to say that Snowden's revelations didn't make this possible? He worked pretty hard to bypass the security on that network and that experience is no doubt highly valuable to various organizations and nations, ... and he does have unaccounted for time in Hong Kong (minus the time he spent at the Russian Embassy). (Have you noticed that China and Russia are pretty chummy these days?) I'm pretty sure we have not seen the full contents of those 1,700,000 NSA documents and 800,000 DoD documents. Do you
Re: (Score:2)
You are a bit behind the times. The news from when it came out was that he had full access and didn't have to do that at all.
China and EVERYBODY are chummy - they don't care who you are and what you do so long as you have cash, a UN vote, fishing rights, or something to dig up.
Schadenfreude on so many levels (Score:5, Insightful)
The real kicker is the perennial lecture from clueless politicians about how we should put back doors into all our private sector encryption so law enforcement can take a peek whenever it likes. Because our information will be safe with the government. *snort*
Re: (Score:2)
And now some people are estimating how many billions of dollars the US economy is losing as the world shops elsewhere for cloud computin
Encryption? Air-gapping? Pah! That's for pansies! (Score:2)
The folk at OPM should have been well aware that someone, somewhere would really like to get their hands on that information. The lack of protection mentioned in the news around OPM records is simply hilarious.
You'd think that the sort of data that OPM stores would be kept on air-gapped machines in a prepper's-fantasy facility without cell phones, under a mountain, etc... but no, that would be too logical. Instead, they may as well have stored the stuff on a public library computer.
Whoever hacked OPM is not
Re: (Score:1)
Instead, they may as well have stored the stuff on a public library computer.
Thanks, asshole. That is where I keep my financial data. I will have to change that now. Now I will have to store it at Google's "free" data storage "in the cloud." At least it will be secure there.
Re: (Score:2)
Obviously air-gapping would help a lot here. However, I hear a lot of talk of encryption, and I don't really see how that would help.
Encryption really only protects data at rest. Encrypting your backup tapes before mailing them to a repository prevents their loss in transit, which is a significant risk.
On the other hand, if I encrypt my hard drive that isn't going to do me any good at all if somebody hacks into the system while that drive is mounted. Personnel records seem at least reasonably likely to b
This is the NSA's fault (Score:1)
If the NSA spent their time making the cyber defenses of this country stronger instead of making it weaker with compromised encryption, rampant back doors, etc., there's a good chance this data breach would not have happened.
Re: (Score:2)
That is an extremely important point. The NSA is charged with protection of U.S. government communications and information systems against penetration and network warfare. Thus, the SF86 breach is a clear failure of the NSA. Had the NSA kept its focus on what it is supposed to be doin
Transparency is best antidote (Score:2)
Some SF86 data has been copied? By definition this data is no longer secret. In the world of intelligence twisted legal logic does not work, such as announcing that the data is still secret and, thus, should remain classified. Beans have been spilled, make a first step and admit it.
The second and last step, in order to prevent blackmail, is to make the data available to the public. Once it is public, nobody can be blackmailed.
Re: (Score:2)
SF86 data is not secret.
re security clearance info (Score:1)
Wait (Score:1)
The recent breach by the Chinese Government
This has been proven conclusively?
Karma is a bitch (Score:1)
So... The US government isn't cool about having its info compromised. I say tough shit for them -- it's nice to see them stewing for a change.
Jeez don't you think Honey Pot? (Score:1)
Come on guys/gals, it's obvious that this was a honey pot. They didn't catch a bear but I'm sure there are dragon prints all over the place and major laughter from team USA.
Done nothing wrong, nothing to hide (Score:2)
Well then, if all these employees have done nothing wrong, then they have nothing to hide, do they?
If they have indeed done something wrong, then they should be prosecuted to the full extent of the law.
Problem solved, you're welcome.
Re: (Score:2)
What's this got to do with something having been done wrong? Paperwork shows you in debt? Maybe someone makes an offer. Paperwork shows family in China, Russia, or some other country? Maybe you get a phone call and find out that they're in a bit of trouble that you can help them with. You lack imagination to say the very least.
BTW if you go through one of those investigations and they find criminal wrongdoing they prosecute you, it's often the FBI or their minions who do them. When I was questioned about a
Think of Chinese Americans! (Score:2)
Re:If it is the Chinese (Score:4, Insightful)
China flexes their hacking skills while security researchers in the USofA worry they'll be jailed as terrorists by their own government?
Yup, I see no problem here.
Re:If it is the Chinese (Score:4, Insightful)
Doubtful. The OPM has been negligent in this area for decades. And they are not the only agency.
A bottom-to-top review and security renovation is critically needed, and should cost closer to $100Bn than not if it's done right. Everything, from .mil and DOD to mainline agencies and even .gov customer service sites, everything.
And not a review. A complete reimagining and reinstallation.
Not going to happen in this Administration, as they fear any analysis.
The fiasco of our former Secretary of State running a private server at their own residence for official email is an example of the utter and total lack of actual information security in our government, a situation that is (or should be) intolerable.
But, politics.
Bullshit ... (Score:3)
... you're placing this at the feet of Republicans and Democrats when you don't know bullshit from wild honey.
OPM is not a fucking Super PAC.
It's the government. It's federal employees, managers, administrators, people who, by and large, are not subjected to turnover.
You're not going to solve this with the goddam vote.
Go home.
Re: (Score:1)
I have re-opened this page because of your comment. It made me think... Perhaps this is just a new strategy? See, now all the people in the US Intelligence field are now compromised. The only logical solution is to fire them all as they can no longer be trusted. So they should be fired and replaced with new people who will follow the laws and stop doing needless spying on the citizens of this country. Perhaps...
I can dream, can't I? Marijuana may have been involved but I think the logic is still sound thoug
Re: (Score:3)
Your logic is no more flawed than the crazy thinking of people in charge of the nation's security and can't get it right.
I'll bet you a hundred dollars to a hole in a doughnut that one or both of the following are true:
1.) The nation's computer systems are unpatched
2.) Government employees got phished by email or web link.
What say you?
Re: (Score:1)
That is far more likely but, damn it, it would be nice to see.
Re: (Score:2)
"people in charge of the nation's security"? I give up, just who is that? The FBI? They aren't claiming it. NSA is interested in data collection and analyzing, not protection. DoD? They do not have the job because it is a domestic problem. CIA? They are foreign intelligence. TSA? They aren't in the business of protecting industry or the government's computer systems.
There is no one in charge of the nation's security. And just about everyone on Slashdot would be whining about government overreach if there we
Re: (Score:2)
Your observations are correct, but too narrow, I think.
When we discovered how to preserve fire millions of years ago (experts disagree about the date) we surely burned our encampments and the woods around us until we realized that, while very much desirable, fire was the devil's only friend.
The Internet is so damn useful that the planet grabbed it and ran with it.
The whole goddam Internet is broken, security-wise, and it's because of early adoption with no vision for the future.
Like fire, we have to revi
Re: (Score:2)
when you don't know bullshit from wild honey.
Whoa - back up a second. There's a saying I never heard before. Where did that one come from?
Re: (Score:2)
My momma used to say that up in Northeast Texas where we have a lot of both.
Re: If it is the Chinese (Score:2)
The word I used was 'reimagining'.
As in 're imagining'.
Please read my posts. Skimming them yields unpredictable results.
Re: (Score:2)
I absolutely read that as reimaging. You said "reimagining and reinstallation", but look at it contextually. You would re-image a drive and re-install. If you were re-imagining you would expect the next word to be at that same "level"- for instance, "reimagining and reimplementing" or something.
It's spelled correctly and works fine, but it's definitely not the best way to communicate it because it segues into that easy misunderstanding- something that wouldn't have occurred to me if I was writing it, e
Re: If it is the Chinese (Score:2)
And you missed my point.
The entire security process of our federal government needs to be changed, replaced, re-imagined, bottom to top, all agencies, entirely.
Are you still thinking this most recent example is just a problem? Or is it a symptom?
Big picture. Big problem. Solve it all or don't bother.
Re: (Score:2)
We had a chance in 2001/2002 when the CIA was shown to have dropped the ball, but it was led by a guy who was good friends with a cheerleader turned President who didn't have the guts to cut out the dead wood.
Re: (Score:1)
Yes, it does! What needs to happen is the clueless logic that Compliance (i.e. NIST 800-53, ICD-503, SOX, PCI-DSS, etc) IS Security needs to change.
Compliance != Security
Apparently the OPM was "accredited" under FISMA so that at one point they were "compliant" so that, in government/regulatory speak, means you are secure...
I fail to see any reason to change anything as long as we keep throwing more and more useless and idiotic regulations and compliance mechanisms at the problem, eventually it will be so im
Re: If it is the Chinese (Score:2)
Exactly. A transformational approach.
Re: (Score:1)
You're assuming that the USA has the best cyberwarfare and cyberdefense capabilities. And you're wrong. China, for one, has already widely proven to be better. I wouldn't be surprised if Russia was too, and maybe even some smaller nations, after all North Korea ridiculed a giant American corporation just 6 months ago.
Re:If... (Score:4, Interesting)
At the very least, we know the Chinese are prolific, but we have no idea if the Chinese are better, the Russians, the United States, the Israelis... heck, maybe the Brits upstaged everyone. It's impossible to know.
Re: (Score:1)
Actually we DO know that China was able to hack the US government networks multiple times and retrieve top secret information, including the F-35 blueprints ( www.rt.com/news/223947-snowden-pentagon-china-hack ). We have no proof that the opposite happened.
Re: (Score:3)
Actually we DO know that China was able to hack the US government networks multiple times and retrieve top secret information, including the F-35 blueprints ( www.rt.com/news/223947-snowden-pentagon-china-hack ). We have no proof that the opposite happened.
You'd have said the same thing about the US/UK cracking Enigma during WW2.
The Chinese might very well be better at this stuff than the US. However, we really have no way of knowing. These sorts of things tend to be covert in nature, and sometimes it is in your interests to brag, and at other times it is in your interests to play your cards close to your chest.
Re: (Score:2)
I don't know the details. I do think that Ultra was more of a UK thing, and Magic was more of a US thing. However, I'm sure there was a fair bit of knowledge sharing going on.
Re: (Score:2)
That might just be because the American hacker-spooks are good enough to not get caught. Or it might be because the Chinese retain tighter control of information, so any breaches on their side are not made known to the public - they choose to keep such things secret rather than endure public humiliation of their government.
Re: (Score:2)
Most background information is not self-volunteered, it is gathered by FBI agents, etc., at their own discretion.
Worse, this is all gathered to identify risks, especially those such as potential blackmail and extortion opportunities.
Some of these forms will be for employees (or prospective employees) that were denied clearances, because they were at risk. Now the risk is significantly increased, clearance or not.
ps - there are two good reasons to deny clearance to a transgendered individual:
0. Any ambiguit
Re: (Score:2)
The % of the background check that is the self-volunteered information isn't important, but the fact it exists and can be very compelling in the wrong hands.
Re: (Score:2)
Most background information is not self-volunteered, it is gathered by FBI agents, etc., at their own discretion.
Simply looking at trends around this would be very useful in sneaking moles into government jobs, since it tells you what the FBI typically investigates.
Re: (Score:2)
"Most background information is not self-volunteered, it is gathered by FBI agents, etc., at their own discretion."
First, I'm not sure if this is correct. I'd be surprised if the FBI actually gathers info as part of clearance investigations, for instance.
But more importantly, the leak was SF86 data, right? That would be the forms, not every little detail of every mundane investigation.
Re: (Score:2)
An SF-86 is what you fill out if you're getting a security clearance. If it is SECRET level, they pull a credit report, criminal check, and send postcards to your relatives and references asking questions about you.
If it is TOP SECRET they send investigators out to talk to former neighbors, friends and relatives instead of sending a post card. They do a real investigation.
The big question is whether or not the results of those investigations are kept in the system with the forms. You know, sort of one big f
Re: (Score:2)
The standard SF-86 is 127 pages long. You may add continuation pages as needed for additional information.
The form may also be completed online in the eQip system. Instructions here [slashdot.org] are a bit of fun, especially section 2.
Since the information collected becomes more voluminous and more personal the higher the clearance being requested, the risk and potential damage from disclosure also increases.
Re: (Score:2)
"Most background information is not self-volunteered, it is gathered by FBI agents, etc., at their own discretion."
First, I'm not sure if this is correct. I'd be surprised if the FBI actually gathers info as part of clearance investigations, for instance.
But more importantly, the leak was SF86 data, right? That would be the forms, not every little detail of every mundane investigation.
The FBI doesn't do most of the investigations-- there are various investigating agencies and contractors depending on who you're going to do the cleared work for, but they do indeed do detailed investigations. I've been interviewed a few times for people's investigations, and mostly they ask benign things that you'd be willing to tell anyone (do you know about spouses/partners/dating habits, ever seen the person drink, ever seen them drunk, are they quiet vs. outgoing, do they overshare), but there are prob
Re: (Score:2)
As for point one, merely moving cities or changing jobs gives a lot of people a 'before' and 'after'.
Re: (Score:1)
I had a minimal security clearance when I was in the military. As a civilian I had to do some work on a government facility and had to fill these papers out again. I am not sure why I had to fill them out as I did not encounter anything that should be secret. Anyhow, I filled out the paperwork (as did several other people) and I did so completely honestly. What I find odd is that I was approved though I did need to go to a couple of interviews. I was completely open about my drug history, my affairs, etc...
Re: GOOD (Score:2)
Re: (Score:1)
I have no shame. I can not be blackmailed. I am running for a state office and am ramping up to do this. My entire platform (varied) is based on a single piece of paper. One side is everything I have done wrong (major things only). The other side is what I have learned from these experiences.
Re: (Score:2)
It's not "snooping", you opt into it.
They probably already had it (Score:2)
Re: (Score:2)
Does the place you work have two or more completely separate networks with no access between the inside & outside ones, requiring you to have two PCs on your desk, one for searching Google for how an API works or posting to /., and another you do your sensitive work work on? Probably not.
After 9/11 there was talk about setting up federal systems this way... clearly that still hasn't happened as once you breach a single PC inside of the corporate network, even if that PC doesn't have access to your targ
Re: (Score:2)
Ding ding! Obviously this information wasn't valuable at all since these jackalopes did fuck all to secure it right? Say, I wonder if any of those people who have these clearances have family overseas in areas where they might be vulnerable? Think they reported it? Money issues that might be revealed by salary vs debt? The list is ENDLESS but since they placed it on an internet accessible machine it's obvious that the data was worthless to these idiots. I REALLY REALLY think we need to see a head on the cho