Another HUGE Security Breach

Maybe the person running Clinton's email server should run the OPM's systems.
 
If it is proven that China is behind this, what would be an appropriate response?
Perhaps a sternly worded letter?:mad2:

PS, So there really is a government agency with the initials OPM?:rofl:
 
Just like how North Korea "hacked" that crappy movie...

Or the WMDs in Iraq

Or.....
 
I guess it is time the OPM replaces its Linksys router.
 
so....what does China care about a list of some 4 million names and SS numbers? :eek:
 
I guess it is time the OPM replaces its Linksys router.

Dang! Everybody knows the password to that one. Now they'll all have to learn a new one...
 
If it is proven that China is behind this, what would be an appropriate response?
Perhaps a sternly worded letter?:mad2:

Considering recent revelations regarding the U.S. government's spying, snooping, and surveillance activities, I'm not sure how seriously our righteous indignation will be taken overseas.

PS, So there really is a government agency with the initials OPM?:rofl:

It is one of the more amusing government acronyms. :yes:

Rich
 
Considering recent revelations regarding the U.S. government's spying, snooping, and surveillance activities, I'm not sure how seriously our righteous indignation will be taken overseas.

otoh - does anyone think that only the US did spying, snooping, and other surveillance activities?
 
Considering recent revelations regarding the U.S. government's spying, snooping, and surveillance activities, I'm not sure how seriously our righteous indignation will be taken overseas.

Rich
Yeah, well there is that. But if we are going to do it, I want us to be the best at it.
 
PS, So there really is a government agency with the initials OPM?:rofl:

Office of Personnel Management, i.e., HR.

The acronym has been around much longer than other meanings.

They have a lot of personal information, so a breach is very worrisome. Particularly if security clearance applications are affected -- it may not be just applicants who are affected, but their neighbors and friends as well.

The Feds have a number of security restrictions. An uncontrolled Linksys router is not likely the vector. If anything, the security is TOO tight, which leads to an entirely different class of problems, like people using silly passwords (ABCD_abcd_12 is legal, so is F***#You#0PM and Cr@pPassw0rd) or storing them some other place that can be compromised.
 
Just like how North Korea "hacked" that crappy movie...

That was a VERY clever ad campaign. No-one, anywhere, ever, would have gone to see that lame excuse of a movie without that hype around it.
Sony played it extremely well.
 
If it is proven that China is behind this, what would be an appropriate response?
Perhaps a sternly worded letter?:mad2:

PS, So there really is a government agency with the initials OPM?:rofl:

What would your response be?
 
What would your response be?

Do you mean as a spin zone opinion, or presuming I was actually in charge and had to live with the results?

But regardless, the answer is the same.
I don't know what I would do.

That is why I didn't post a suggestion but rather asked for other opinions. Even yours.
 
What would your response be?

You know, I don't think we can really do much about it. The politicians can wax bellicose in their condemnation, but that's just for public consumption. Spying is part of international relations, it always has been, and everyone knows it. Even the Vatican has spies. So the politicians can rant long and loud against China (or whomever); but in truth, everyone knows that we do the same things that they do.

The real question is how does FedGov tighten up its defenses against future cyber-espionage, to which I think the clear answer (and I'm not even kidding) is to contract it out to PayPal.

Despite the sheer number of (mostly-unsophisticated) PayPal users; its ubiquity in both e-commerce and person-to-person money transfers; enough hack value to make every hacker, cracker, and miscreant from prepubescent script kiddies to the dons of the Bratva salivate like Pavlov's dog; the never-ending hack attempts against the company; and the frequency of phishing attempts using the PayPal name, the company has maintained a near-perfect security record. So I say let's farm it out to them. PayPal obviously has a better handle on cyber security than FedGov does.

The other thing I wish would happen as a result of this hack would be repeals of most laws and regulations that allow or require entities to gather and store personal information, in particular the SSN. If FedGov can't even secure its own data, then why does it allow or require so many other people and entities to collect and store our data?

For things like utility company or cell phone credit checks, the possession of the SSN should be ephemeral. As soon as the check is completed, it should vaporize. The same thing should apply to auto insurance companies, etc. Once the credit check is done, the SSN should disappear. If they never store the information in their databases, it can't be stolen.

Also, the insane practice of using the last four digits of the SSN as a de facto PIN number for telephone conversations with bank CSRs has got to stop. That has to be one of the most irresponsible things that the banking industry does -- and that's saying something because they do a lot of irresponsible things.

Rich
 
Mutual spying on foreign countries and their leaders has existed in many forms for eons. The supposedly disturbing issue with U.S. Government spying is the sheer amount of it that has occurred against its own citizens.

Somewhat ironically, Americans generally appear to have no problem whatsoever voluntarily surrendering whatever personal data is required to the government (or Google), as long as they get "free" stuff in return. The general population is quite a principled bunch.

The 9/11 excuse for domestic surveillance is about as weak as any argument could be. You don't have to be a conspiracy theorist to know that the government's ineptitude allowed that event to occur, not a lack of intelligence nor ineffective airport security screening.

With all of that being said, even private companies are now requiring detailed personal information in order to permit the privilege of doing business with them as suppliers or contractors. The U.S. Government has perhaps more formal policies and controls than any other domestic organization, but they are also the least likely to be held accountable.


JKG
 
Mutual spying on foreign countries and their leaders has existed in many forms for eons. The supposedly disturbing issue with U.S. Government spying is the sheer amount of it that has occurred against its own citizens.

Somewhat ironically, Americans generally appear to have no problem whatsoever voluntarily surrendering whatever personal data is required to the government (or Google), as long as they get "free" stuff in return. The general population is quite a principled bunch.

The 9/11 excuse for domestic surveillance is about as weak as any argument could be. You don't have to be a conspiracy theorist to know that the government's ineptitude allowed that event to occur, not a lack of intelligence nor ineffective airport security screening.

With all of that being said, even private companies are now requiring detailed personal information in order to permit the privilege of doing business with them as suppliers or contractors. The U.S. Government has perhaps more formal policies and controls than any other domestic organization, but they are also the least likely to be held accountable.


JKG

The least likely to be held accountable are big banks, Wall Street. So far no banker of any prominence has done time after the 2007 fiasco. They cost the taxpayer trillions. James Clarke (remember him?) yelled about computer security with his hair on fire after 9-11. He was in the Clinton admin. No one listened. We recently got caught listening in on Merkel's cell phone. She has done nothing.
 
The least likely to be held accountable are big banks, Wall Street. So far no banker of any prominence has done time after the 2007 fiasco. They cost the taxpayer trillions. James Clarke (remember him?) yelled about computer security with his hair on fire after 9-11. He was in the Clinton admin. No one listened. We recently got caught listening in on Merkel's cell phone. She has done nothing.

What do you think she can do? Stop the import of German cars, Hack the US Gov't, threaten to leave the UN?

Really, what can she do? Other than cutting the US off her Christmas Card list?
 
The real question is how does FedGov tighten up its defenses against future cyber-espionage, to which I think the clear answer (and I'm not even kidding) is to contract it out to PayPal.

Despite the sheer number of (mostly-unsophisticated) PayPal users; its ubiquity in both e-commerce and person-to-person money transfers; enough hack value to make every hacker, cracker, and miscreant from prepubescent script kiddies to the dons of the Bratva salivate like Pavlov's dog; the never-ending hack attempts against the company; and the frequency of phishing attempts using the PayPal name, the company has maintained a near-perfect security record. So I say let's farm it out to them. PayPal obviously has a better handle on cyber security than FedGov does.

The other thing I wish would happen as a result of this hack would be repeals of most laws and regulations that allow or require entities to gather and store personal information, in particular the SSN. If FedGov can't even secure its own data, then why does it allow or require so many other people and entities to collect and store our data?


Rich

One major reason why PayPal and such companies are way ahead the FedGov with pretty much any IT project is that the brightest, most talented people want to work at PP, not for FedGov.
PayPal offers them a cool place to work, loads of money, fellow hipster coworkers and a lot of street cred at the bar with the girls.

FedGov offers none of the above. Instead it offers crazy amounts of red tape, so many glass ceilings you don't know what to do with them, and generally a very non-forward-thinking environment.

So if someone is talented, which sounds better: "At PayPal we can offer you pinball machines, 150k/year plus benefits, free Red Bull and infinite potential for promotions" or "At FedGov, since you only have 2 years of experience and no formal education, this puts you in the salary category 416744X subcategory B, which is 38k/year plus benefits. Since you do not have a BSc, the best you will ever be is category 416302Y subcategory Z which is 60k/year after 35 years of service".

Completely made up examples, but that's the general rule on private enterprise vs. FedGov.
 
One major reason why PayPal and such companies are way ahead the FedGov with pretty much any IT project is that the brightest, most talented people want to work at PP, not for FedGov.
PayPal offers them a cool place to work, loads of money, fellow hipster coworkers and a lot of street cred at the bar with the girls.

FedGov offers none of the above. Instead it offers crazy amounts of red tape, so many glass ceilings you don't know what to do with them, and generally a very non-forward-thinking environment.
Last night I saw an interview with someone working for FedGov and he said almost the same thing. The pay they are able to offer doesn't touch what private industry can offer.
 
Last night I saw an interview with someone working for FedGov and he said almost the same thing. The pay they are able to offer doesn't touch what private industry can offer.

That is a good argument why big FedGov is not a good thing. They will hire substandard people, using tax dollars, doing things they don't need nor know how to do them.

There will always be security issues, if the people who infiltrate systems are more talented and paid more than the people who protect them.
 
Office of Personnel Management, i.e., HR.

The acronym has been around much longer than other meanings.

They have a lot of personal information, so a breach is very worrisome. Particularly if security clearance applications are affected -- it may not be just applicants who are affected, but their neighbors and friends as well.

The Feds have a number of security restrictions. An uncontrolled Linksys router is not likely the vector. If anything, the security is TOO tight, which leads to an entirely different class of problems, like people using silly passwords (ABCD_abcd_12 is legal, so is F***#You#0PM and Cr@pPassw0rd) or storing them some other place that can be compromised.

 
The worst part in my opinion is that passwords are so hard for humans to remember that they (1) write them down and leave them where they can be found and often tape them to the computer and/or (2) use the same password everywhere.
 
The worst part in my opinion is that passwords are so hard for humans to remember that they (1) write them down and leave them where they can be found and often tape them to the computer and/or (2) use the same password everywhere.

In the DoD, password requirements have gotten so ridiculous (both in the content requirements and frequency of change) that people have resorted to 'keyboard walks' for their passwords, which are about as easy to hack as 12345 for a password. But, the system sees them as 'strong'. Absolute absurdity.

The next step will be to just take the computers away.

Cyber Awareness: "We haven't done our job until you can't do yours."
 
Modern password hash brute force methods start with the common pw lists and keyboard walks, so b4n4n4 or aW3eDcFt6 will be cracked in a matter of seconds.

correcthorsebatterystaple is a VERY strong password, only if the validation would accept it...
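The two complaints in this thread (silly passwords like Cr@pPassw0rd that pass the rules, keyboard walks like aW3eDcFt6 that the system rates as "strong", and a long passphrase that the validator refuses) can be checked by a length-first policy instead of character-class rules. The following is an added example, not code from anyone in this thread; the QWERTY layout, the common-word list and the 75% walk threshold are constructed for illustration.

```python
"""Added example: length-first password validator that rejects common words
(even in leet-speak) and QWERTY keyboard walks, and accepts long passphrases."""
import re

# Constructed US-QWERTY layout; rows aligned by index, close enough to catch
# diagonal walks such as aW3eDcFt6.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}
LEET = str.maketrans("0134@$", "oleaas")  # undo common substitutions

def normalize(pw):
    """Lower-case and strip leet-speak so Cr@pPassw0rd compares as crappassword."""
    return pw.lower().translate(LEET)

# Tiny constructed stand-in for a real common-password list, stored normalized.
COMMON_WORDS = {normalize(w) for w in ["password", "banana", "qwerty", "12345", "letmein"]}

def naive_complexity_ok(pw):
    """The rule the thread complains about: 8+ chars, upper, lower, digit/symbol."""
    return (len(pw) >= 8 and bool(re.search(r"[A-Z]", pw))
            and bool(re.search(r"[a-z]", pw)) and bool(re.search(r"[0-9\W_]", pw)))

def keyboard_walk_fraction(pw):
    """Share of consecutive key pairs that are physically adjacent on the keyboard."""
    keys = [ch for ch in pw.lower() if ch in POS]
    if len(keys) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(keys, keys[1:])
                   if abs(POS[a][0] - POS[b][0]) <= 1 and abs(POS[a][1] - POS[b][1]) <= 1)
    return adjacent / (len(keys) - 1)

def evaluate(pw, min_len=16, walk_threshold=0.75):
    """Return (accepted, reason); length replaces character-class requirements."""
    norm = normalize(pw)
    if any(word in norm for word in COMMON_WORDS):
        return False, "contains a common password fragment"
    if keyboard_walk_fraction(pw) >= walk_threshold:
        return False, "looks like a keyboard walk"
    if len(pw) < min_len:
        return False, "shorter than %d characters" % min_len
    return True, "ok"

if __name__ == "__main__":
    for pw in ["aW3eDcFt6", "Cr@pPassw0rd", "ABCD_abcd_12", "correcthorsebatterystaple"]:
        print(pw, "naive:", naive_complexity_ok(pw), "policy:", evaluate(pw))
```

The naive rule accepts aW3eDcFt6 and rejects correcthorsebatterystaple; the length-first policy does the opposite, and catches the leet-speak "password" hidden in Cr@pPassw0rd.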
 
Modern password hash brute force methods start with the common pw lists and keyboard walks, so b4n4n4 or aW3eDcFt6 will be cracked in a matter of seconds.

correcthorsebatterystaple is a VERY strong password, only if the validation would accept it...
na....just go with a retina scan....or provide a DNA sample for log in. :lol:
 
Modern password hash brute force methods start with the common pw lists and keyboard walks, so b4n4n4 or aW3eDcFt6 will be cracked in a matter of seconds.

correcthorsebatterystaple is a VERY strong password, only if the validation would accept it...
My point exactly. Yet, that's what the stoppid Cyber Security folks have created.
 
I turned down a gig working for the DoD. It paid 10K per year more than the job I took. But, it was a go nowhere job. That was 3 years ago. I'm making about 30K per year more now than I would have been there. Plus having to deposit all my personal possessions and being searched everyday before entering the building wasn't my idea of a good time.

We have a few million tries per day from China attempting to get into our network. They would LOVE LOVE LOVE to have our engineering data.
 