Sen. Ron Wyden Says CISA Data Collection Could Put Americans At Risk
blottsie writes: In a new interview, Sen. Ron Wyden (D-Ore.) says the Cyber Information Sharing Act of 2015 (CISA) may put more Americans at risk because the U.S. government has failed to learn the right security lessons from the attack on the Office of Personnel Management. He says, in part: "I've been watching as this goes forward—there's this phrase going around the cybersecurity community, 'If you can't protect it, don't collect it.' Now, there is never going to be a system that's 100 percent safe. But what I'm going to start [saying] on the floor as we get to this [CISA debate], is, you give the government a huge new trove of personal information about Americans before you've addressed the problems that were documented all the way back to 2007—those security holes—before you address those, [before] you plug them, that's like responding to a bear attack by stockpiling honey. That's going to be how I open the debate."
And what about after the security is up to snuff? (Score:2)
Who's willing to bet that, *after* the security measures are in place up to Congress's "standards" (they have no clue, they're just going on what other people tell them), Senator Wyden would be completely in-line with the mass surveillance camp?
Re:And what about after the security is up to snuff (Score:5, Informative)
Some examples:
http://www.theatlantic.com/pol... [theatlantic.com]
http://www.huffingtonpost.com/... [huffingtonpost.com]
http://www.newsmax.com/Newsfro... [newsmax.com]
Re: (Score:1, Offtopic)
Disclaimer - I live in Oregon.
Wyden is not a member of a party that I tend to vote for, and his recent vote on the Iran deal (among others) leaves me rather disgusted at him for being not much more than a party toadie when it comes to most issues. That said, I will freely admit that he's a lot more clued-in on technical issues than damned near everyone else in the Senate, and has done more for tech than nearly anyone else there.
The US gov't is fundamentally incompetent (Score:4, Insightful)
No security measure can fix that.
Hell, OPM handed out root access to "workers" remoting in from China, for fuck's sake. And the clowns who did it are still not in jail.
It starts at the top, too. Just listen to Hillary! apologists making excuses for her and her classified emails in her fucking basement, all because they - for some strange reason - think Hillary! is on "their team", whatever team that may be.
Re:The US gov't is fundamentally incompetent (Score:4, Interesting)
think Hillary! is on "their team", whatever team that may be.
Their team means someone in Hillary's administration, directly or indirectly, is going to help them advance their career and make more money if they support her.
Good old fashioned graft.
Re: (Score:1)
think Hillary! is on "their team", whatever team that may be.
Their team means someone in Hillary's administration, directly or indirectly, is going to help them advance their career and make more money if they support her.
Good old fashioned graft.
There is no team in central banksters, only the pedophiles for which the White House has become a mouth piece for since they did JFK. When it comes to being a US citizen, you're screwed either way.
Re:The US gov't is fundamentally incompetent (Score:5, Insightful)
The question is not whether an email server at home is less (or more) secure than one hosted by the NSA. It doesn't matter.
Email is a fscking postcard! Nothing of a classified nature should be sent unencrypted, no matter who is hosting it.
Re:The US gov't is fundamentally incompetent (Score:5, Insightful)
And even that misses the damn point: government communications need to be stored on official servers so that they can be properly supplied in response to FOIA requests. At best, hosting them privately was an attempt to circumvent public oversight, and therefore (IMO) grounds for immediate disqualification for any further public office. That's before even thinking about security issues!
Re: (Score:2)
That's an argument I could get behind, but it's not the one I've been hearing.
All I've been hearing about was whether America's secrets were put at risk. If they were sent by email, then they were. If the State Department (or any other government agency) is using email to handle classified material, then they have been risking those secrets.
Re: (Score:1)
Generally the law is vague, such that it doesn't dictate HOW it gets stored.
If one sends to or CC's a gov't server, which would normally or often be the case for work stuff, then generally it will get backed up in a way that satisfies the requirement (at least if backups are done properly, which they often weren't in practice, but that's another issue.)
If H forgot to follow this "copy" guideline, then there may be a legitimate complaint. But so far nobody has claimed a definitive specific case of such slippage.
Re: (Score:3)
MOST organizations are lacking in this area. I've seen no evidence that the US government is more lax than private industry. If you have reliable stats on that, please show them.
If you want a somebody or something to bash, then bash human nature, not government in particular. Organizations of all types and cultures have consistently sucked on info security.
Come on, I hacked that bastard last week, unfortunately I didn't get anything as my computer started acting wonky right afterwards.
Govt is required to be worse. FOIA, MD5 (Score:3)
Based on 20 years of experience in both, I'd rank private industry 3/10 and government 1/10. The nature of the type of government we seek to have means we often have to balance priorities like openness and fairness against things like efficiency and security.
For one clear example, consider the "need to know" versus the Freedom of Information Act. A private organization publishes about themselves what they want to publish*. They don't publish anything about their network infrastructure
Re: (Score:2)
We WANT changes to the government which controls so much of our lives to be done carefully, thoughtfully, slowly.
Yeah, you mean like the USAPATRIOTACT, the 2,000+ pages of wholly unconstitutional tripe that was SUPPOSEDLY written in, "Reviewed" and PASSED in TWO WEEKS?!?
All anyone has to do in Gummint is utter the magic phrases "Terrorism", "War on Drugs", or "For the Children", and Congress falls all over itself to pass whatever horseshit is placed before them. Most don't even read the stuff. I GUARANTEE no one read the USAPATRIOTACT (heck, that ACRONYM should have taken Two Weeks to come up with!).
So please, cry
proves me point, doesn't it (Score:2)
>> We WANT changes to the government which controls so much of our lives to be done carefully, thoughtfully, slowly.
> Yeah, you mean like the USAPATRIOTACT, the 2,000+ pages of wholly unconstitutional tripe that was SUPPOSEDLY written in, "Reviewed" and PASSED in TWO WEEKS?!?
I said the changes to the government should be done carefully, thoughtfully, slowly. When Congress works quickly, we end up with the patriot act. Kinda proves that we don't want Congress acting rashly, quickly, and reckles
H's Server (Re:The US gov't is fundamentally incompetent) (Score:5, Interesting)
I don't see H's server choice as a security argument. The "regular" office server, the one she should have been using, was not designed for classified info either and there's no evidence it had better general security than her "home" server.
There are plenty of other reasons to criticize her actions, but "security" is not one of them.
I suppose one could argue she was more likely to mix up personal and work email, but that can happen regardless. One can mistype the destination on any device or email service. Such an argument is splitting hairs on what kind of typo is most likely, which is probably personality specific such as to make it highly speculative. The kinds of mistakes I make often have a different pattern than those of others. It's one of the reasons I welcome wide feedback on any of my draft UI designs.
Re: (Score:2)
Are you sure about that argument?
http://politics.slashdot.org/s... [slashdot.org]
Re: (Score:2)
We don't have an equivalent analysis of the "regular" gov't office server to compare here. And the comments suggest the home box used typical industry settings for SMTP servers.
I have no reason to believe the "office" (gov't) server would not have typical settings also. Again, it was not designed nor intended for classified info.
They allegedly had another system for classified stuff, but they cannot talk a lot about it for obvious reasons. I'm assuming we are talking about "regular" non-classified emails. If
Re: (Score:2)
The specific settings listed wouldn't have passed the DISA STIGs which are required to be adhered to on a government system that is placed on the public internet. So no, the government system would not be using an outdated version of SSL or have an insecure set of encryption standards enabled on the TLS protocol of the SMTP server.
I don't feel like looking it up, but I am sure there is somewhere you can get information about the security posture of State's mail servers; though this could be considered priv
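The STIG point raised in the comment above (protocol floor and cipher set on an Internet-facing SMTP server) as an added example; this is not code from the thread, from DISA, or from any agency, and the thresholds it enforces (TLS 1.2 minimum, 128-bit strength, no RC4/3DES/NULL/MD5) are assumptions standing in for the actual STIG checks, which are not reproduced here. `audit_context` reviews a Python `ssl.SSLContext` offline; `probe_starttls` is the network check a practitioner would run against a real mail host and is only called by hand.

```python
"""Audit an SMTP TLS configuration the way a STIG-style review would:
minimum protocol version and enabled cipher suites.

Added example, not code from the thread or from DISA. The baseline
constants are assumptions that stand in for the real STIG requirements.
"""
import smtplib
import ssl
from typing import Dict, List

# Assumed baseline (not the actual STIG text).
MIN_VERSION = ssl.TLSVersion.TLSv1_2
MIN_STRENGTH_BITS = 128
LEGACY_SYMMETRIC = ("RC4", "3DES", "DES", "NULL")  # cipher families to reject
LEGACY_DIGESTS = ("MD5",)


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context passes."""
    findings: List[str] = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(
            f"minimum protocol is {ctx.minimum_version.name}, below {MIN_VERSION.name}"
        )
    # get_ciphers() lists every suite the context can negotiate, with
    # OpenSSL's view of the symmetric cipher, MAC digest and strength.
    for suite in ctx.get_ciphers():
        name = suite.get("name", "?")
        sym = (suite.get("symmetric") or "").upper()
        digest = (suite.get("digest") or "").upper()
        bits = suite.get("strength_bits", 0)
        if any(tag in sym for tag in LEGACY_SYMMETRIC):
            findings.append(f"{name}: legacy symmetric cipher {sym}")
        elif digest in LEGACY_DIGESTS:
            findings.append(f"{name}: legacy MAC digest {digest}")
        elif bits < MIN_STRENGTH_BITS:
            findings.append(f"{name}: only {bits}-bit strength")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """STARTTLS client context: TLS 1.2 floor, AEAD suites with forward secrecy."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Deliberately permissive context standing in for an unmaintained
    server configuration: TLS 1.0 still allowed. Built only to be audited."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, object]:
    """Connect to a mail host, upgrade with STARTTLS using the hardened
    context, and report what was negotiated. A server that cannot meet the
    baseline fails the handshake, which is itself the finding. Needs
    network access, so it is not invoked below."""
    ctx = hardened_client_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            sock = smtp.sock  # now an SSLSocket
            return {"version": sock.version(), "cipher": sock.cipher()}
    except ssl.SSLError as exc:
        return {"error": f"handshake failed under baseline policy: {exc}"}


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

The audit inspects the client-side context because that is what can be checked offline; the same `audit_context` applies unchanged to a server context built with `ssl.PROTOCOL_TLS_SERVER`, and `probe_starttls` is how you would confirm what a remote SMTP server actually offers rather than what its configuration claims.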
Re: (Score:2)
"D" stands for "Defense". It wasn't a defense agency. I'll give you some kudo points if you can show that her agency was subject to DISA STIGs at the time, and more kudo points if you can show that the office server in question passed a review.
Re: (Score:1)
The article does not have specifics on the scope. Yes, it does say some non-defense organizations use it, but is rather fuzzy beyond that. Did I miss something?
Re: (Score:1)
I don't see H's server choice as a security argument. The "regular" office server, the one she should have been using, was not designed for classified info either and there's no evidence it had better general security than her "home" server.
There are plenty of other reasons to criticize her actions, but "security" is not one of them.
I suppose one could argue she was more likely to mix up personal and work email, but that can happen regardless. One can mistype the destination on any device or email service.
You don't use outside servers precisely because you know people aren't perfect. In an environment where you deal with a mix of classified and unclassified, you always build your systems and procedures around the possibility of classified information being placed on an unclassified system. There are procedures in place for mitigating when something is inadvertently put on an internal server, which is a big reason why you use the organization's internal servers for all official communications and document s
Re: (Score:1)
Your "should have" statements seem to apply equally to a home and office server. Great advice in general, but I don't see it applicable per "blame math" in this case. H is not a server admin.
Further, how are you defining an "outside server"? If the "office" server is available to the outside Internet, it's just as "outside" as a home server (barring any additional specific details).
As far as sending classified info thru unclassified servers, the devil is in the details, which we don't have. As I mentioned n
Re: (Score:2)
I don't see H's server choice as a security argument. The "regular" office server, the one she should have been using, was not designed for classified info either and there's no evidence it had better general security than her "home" server.
There are plenty of other reasons to criticize her actions, but "security" is not one of them.
I suppose one could argue she was more likely to mix up personal and work email, but that can happen regardless. One can mistype the destination on any device or email service. Such an argument is splitting hairs on what kind of typo is most likely, which is probably personality specific such as to make it highly speculative. The kinds of mistakes I make often have a different pattern than those of others. It's one of the reasons I welcome wide feedback on any of my draft UI designs.
It's her own security she was concerned about.
I have wondered how many of those 'personal' emails she had scraped off the system before handing it in would have showed conflict of interest with regard to Clinton financial dealings that mixed just a bit with being in very high positions of US government.
Priorities (Score:4, Interesting)
It doesn't matter if a terrorist gets your data. Terrorists can't vote. It's the citizens you've got to watch out for; you need enough data on them to make sure you'll know how they'll vote before the candidates are even announced. This way you also know how to redistrict and which empty promises to make.
Re: (Score:1)
It's how the Winnie Industrial Complex started.
Re: (Score:2)
Hey, its better than the Pooh Complex...it smells better too!
Re: (Score:1)
I avoided a joke about that word on purpose. It looks like you stepped in it instead. (Pun intended but not officially admitted to.)
Can we get a car analogy instead? (Score:2)
>> that's like responding to a bear attack by stockpiling honey
Can we get a car analogy instead? Maybe something with swimming pools for the yokels?
Re: (Score:2)
It's like responding to car theft by filling your gas tank.
Re: (Score:2)
More like filling your car with all your valuables and not even locking the doors.
Re: (Score:3)
oooh...responding to your GPS being stolen from your car by taking all of the valuables in your bank safe deposit box and keeping them on the passenger seat instead.
Keep the data secure by NOT COLLECTING (Score:3, Insightful)
If you aren't collecting it, it's going to be far more secure in the long run.
These idiots who think putting us all under surveillance, or monetizing our personal information, need to be forced to stop this BS legally.