Gov't Employees Union class action suit against OPM for epic fail to protect data
No, really, this qualifies as an epic fail by the OPM.
Quote:
In the wake of the OPM breach, members of Congress grilled Archuleta and Seymour in a hearing on the conditions that led to the breach, saying that the agency had completely failed to protect the data of millions of government employees by not implementing database encryption, two-factor authentication, and other basic defenses. The lawmakers grew frustrated with Archuleta and Seymour not answering their questions directly.
Originally Posted by Former NSA Director Michael Hayden
The episode, he says, "is not shame on China. This is shame on us for not protecting that kind of information." The episode is "a tremendously big deal, and my deepest emotion is embarrassment."
Quote:
Originally Posted by jefro
Hard to sue the Government now isn't it? They can simply refuse to pay. Why not sue China?
Surely the Chinese government was doing exactly what it pays itself to do?
As for the US government -- not very surprising to find they think of their own employees as something they have to scrape off their shoes since it has been apparent for a long time that they view the people who pay them, the "voting" public, as a lower form of life than pond scum.
I find it interesting that "foreign governments" are always fingered, directly or indirectly, in these so-called "data breaches." The instigators are always comfortably "far, far away." And, when the attack vectors are discussed, they always, I think, make one fatal assumption: they trust.
They trust that every entity on a company's or a government's greater network is really trustworthy. That they are, to an employee, the trusted, blue-suited, red-tied paragons of upper-class confidence that they project.
That not one single system anywhere in the trusted network has not been surreptitiously modified(!) ... ... even though the universal availability of open source to all of these key components would make such Trojan Horses both effortless to make and virtually impossible to locate.
That it's perfectly fine to put a data center anywhere, staffed by anyone, in the name of a more competitive "bid."
That, despite the utter lack of professional licensure in the data-processing profession (which, unlike, say, air-conditioning work or homebuilding, is not considered to be a profession at all), and likewise a general absence even of background checks, no one could possibly be ... a mole. Or, a saboteur. Or, what may in the 21st Century one day be seen as "a new kind of enemy soldier."
Most of all, I think that we trust the technology that we've created. We trust it implicitly. To the point: we trust the technology to absolve us from the influences, and the dangers, of human nature and of (to us, "misplaced" ...) simple human ingenuity. There is no place for the rogue, for the thief, nor for the psychopath in any of our oh-so-binary equations. Like the soldiers of Troy, we gaze with (we think ...) justifiable pride at our impregnable walls. But: we do not think like Greeks do. In fact, we much prefer to imagine that Greeks don't exist.
Somebody would not be able to purloin State secrets right out from under everybody's nose ... without inside help. (Very highly placed "inside help.") Ditto everyother such so-called "breach." They wouldn't have even known where the data was. But it so happens that they not only did know, but that they knew how to spirit it away. To get the data from wherever it was hid, to the door, and out the door.
This isn't just a breach of firewalls, crypto algorithms, or security mechanisms: a human conspiracy did these things. Did all these things. And succeeded because we trusted the technology, when we couldn't trust an unknown number of the people who walked to and from the parking lot. (Or, and we may never know, who were thousands of miles away at all times, but, in our employ.) These were not breaches of technology: they were betrayals of trust, perpetrated (of course) by people who felt that they had plenty of "means, motive, and opportunity" both to do the crime and to cover it up.
It always, always, always comes down to: "People. Not bits."
"What fools these Mortals be!" -- Puck
Last edited by sundialsvcs; 07-04-2015 at 07:07 AM.
I don't think anyone at OPM has not had a background check, especially since they're the ones that deal with security clearances. In my little area of the government you cannot come to work without a background check at a minimum, and most jobs these days require a clearance. I'm one of those affected by the OPM breach, and OPM has more on me than any system out there simply because of my clearance. I finally have a benefit to the credit freeze I initiated all those years ago.
Yes, but the US Government, like so(!) many other "corporations," implicitly trusted promises made by corporate representatives, conveniently forgetting that the contracts issued by those corporations would actually be fulfilled(!) by "imported people" from many thousands of miles away: people who not only "had no 'skin in the game,'" but who might very well have motivations entirely different from those of the "suits."
We stare at these "data breaches," professing to be "confused" by thoughts of "how, possibly, anyone could have done such a thing," when the answer is blissfully obvious to anyone who's ever read a penny detective novel.
Okay, let's imagine the next Mission: Impossible movie installment. Tom Cruise's character contrives to send out an e-mail which contains a script that dumps the content of the reader's address-book to Tom's secret account. Armed only with this information, Tom's character proceeds to steal the Crown Jewels of America, unerringly going to precisely the right location and bypassing all of the alarm systems. And your personal bullshit-detector, Dear Movie-goer, is somehow not expected to go off . . .
Even though Tom Cruise is a great actor for this kind of role . . . "it ain't gonna happen!"
Behind every technological safeguard that we may develop ... there is a human who finds himself "in a position of trust" that he may either respect ... or ... exploit.
And, any "technological" safeguard which neglects to consider this human factor is: "null and void."
Last edited by sundialsvcs; 07-06-2015 at 03:23 PM.