[Espionage] US Government Hacked: 4 million federal employees' data breached

  • NSDFRandNSDFRand FloridaRegistered User regular
    milski wrote: »
    Defense is way harder than attacking, too, right? There was a story like six months ago about evidence for a U.S. Government hacking team doing some pretty amazing stuff. I'd be surprised if we didn't have ten or twenty world-class guys, but they weren't protecting the personnel agency systems at the department of the interior

    This is actually true for pretty much everything, not just hacking.

    Like, Secret Service redteams pretty much always "win" in terms of exploiting a security flaw to "kill" the president unless the blue team is given an advantage.

    In more directly related news, CCDC (a college level cyber-defense contest) is basically scored by who gets fucked up by the redteam the least. It isn't possible to secure systems well enough to prevent hacking by dedicated people even before social engineering comes into play, and social engineering makes everything even harder.

    Speaking of this, I found out the university I'm transferring to this fall has a cyber defense club that participates in this. I've already planned to go check them out just to learn from them.

  • milskimilski Poyo! Registered User regular
    CCDC is apparently a lot of fun, but I never participated in it. It's pretty ubiquitous at engineering schools as far as I know.

    I ate an engineer
  • NSDFRandNSDFRand FloridaRegistered User regular
    milski wrote: »
    CCDC is apparently a lot of fun, but I never participated in it. It's pretty ubiquitous at engineering schools as far as I know.

    It seemed like a pretty good deal to be involved with. The club apparently also participated in a similar competition at Microsoft HQ.

    I'm not a programmer or cyber defense/warfare person, but I'm interested enough (and think it is important enough) to go to the people that are and know better and learn what I can from them.

  • joshofalltradesjoshofalltrades Class Traitor Smoke-filled roomRegistered User regular
    The world is increasingly a connected one. They don't call this the Information Age for nothing. Right now I think a lot of people are secure in knowing that their systems are basically safe through statistics. Obviously any business worth its salt should invest heavily in defense against intrusion, and governments triply so. Over time, I think the statistical shield (or the illusion of one) will probably dissolve and everybody will need to know at least some basic security measures to keep their information safe.

    I wish we were teaching our high school kids this stuff as a matter of course. Get ahead of it. But we don't even do a good job of teaching our kids about how to manage money.

  • WarcryWarcry I'm getting my shit pushed in here! AustraliaRegistered User regular
    It seems to me that the most prudent way to avoid damaging leaks is to have all your information stored on a physically isolated server.

  • programjunkieprogramjunkie Registered User regular
    edited June 2015
    Kaputa wrote: »
    I'll likely write a longer post, but honestly, without offense, we can't have cyber defense. China isn't even especially good at cyber warfare. They just walk up to an alarmed window in the middle of broad daylight, smash it, take whatever they can get, and when the cops show up, they scream, "Do you know who my dad is?!?" and just leave without consequence.

    The US has been a willing victim for years for cyber espionage.
    Are you advocating that the US escalate offensive cyber warfare on China?

    I favor escalation, though we've done so little that an executive level public condemnation that names names would already be like going to DEFCON 1 in comparison.

    The alternative is to just give logins and passwords to the Chinese military so as to minimize any inadvertent disruption, because a lack of escalation is exactly the same as unconditional surrender. We've already fucked up to such an incredible extent that it will take decades to recover.

    programjunkie on
  • RchanenRchanen Registered User regular
    edited June 2015
    Kaputa wrote: »
    I'll likely write a longer post, but honestly, without offense, we can't have cyber defense. China isn't even especially good at cyber warfare. They just walk up to an alarmed window in the middle of broad daylight, smash it, take whatever they can get, and when the cops show up, they scream, "Do you know who my dad is?!?" and just leave without consequence.

    The US has been a willing victim for years for cyber espionage.
    Are you advocating that the US escalate offensive cyber warfare on China?

    I favor escalation, though we've done so little that an executive level public condemnation that names names would already be like going to DEFCON 1 in comparison.

    The alternative is to just give logins and passwords to the Chinese military so as to minimize any inadvertent disruption, because a lack of escalation is exactly the same as unconditional surrender. We've already fucked up to such an incredible extent that it will take decades to recover.

    I should point out it is likely that we are hacking China to a prolific extent. It is just a difference in government reporting. China's current government is trying to paint itself as strong, powerful and on an inevitable rise to not just regional power status (which it already is) but to Hyperpower status. Admitting that the US govt is rocking your boxers via espionage does not paint that picture.

    The US govt on the other hand lets people know every time it fucks up and has no particular motivation to say "Oh yeah we've hacked Chinese databases. Shit I know the middle names of every last one of Xi Jinping's mistresses as well as his pet names for them."

    Basically I have said it before and I will say it again, if the US hacks you, you don't find out about it right away. Kasparov breaks the news about a decade later.

    Rchanen on
  • QuidQuid Definitely not a banana Registered User regular
    I'm sorry Rchanen but you're wrong.

    The Chinese don't have middle names.
    :mrgreen:

  • PhillisherePhillishere Registered User regular
    This is also the reason typewriters are making a big comeback. Hard to hack a locked file cabinet from China.

  • Kipling217Kipling217 Registered User regular
    Rchanen wrote: »
    Kaputa wrote: »
    I'll likely write a longer post, but honestly, without offense, we can't have cyber defense. China isn't even especially good at cyber warfare. They just walk up to an alarmed window in the middle of broad daylight, smash it, take whatever they can get, and when the cops show up, they scream, "Do you know who my dad is?!?" and just leave without consequence.

    The US has been a willing victim for years for cyber espionage.
    Are you advocating that the US escalate offensive cyber warfare on China?

    I favor escalation, though we've done so little that an executive level public condemnation that names names would already be like going to DEFCON 1 in comparison.

    The alternative is to just give logins and passwords to the Chinese military so as to minimize any inadvertent disruption, because a lack of escalation is exactly the same as unconditional surrender. We've already fucked up to such an incredible extent that it will take decades to recover.

    I should point out it is likely that we are hacking China to a prolific extent. It is just a difference in government reporting. China's current government is trying to paint itself as strong, powerful and on an inevitable rise to not just regional power status (which it already is) but to Hyperpower status. Admitting that the US govt is rocking your boxers via espionage does not paint that picture.

    The US govt on the other hand lets people know every time it fucks up and has no particular motivation to say "Oh yeah we've hacked Chinese databases. Shit I know the middle names of every last one of Xi Jinping's mistresses as well as his pet names for them."

    Basically I have said it before and I will say it again, if the US hacks you, you don't find out about it right away. Kasparov breaks the news about a decade later.

    Remember the Stuxnet virus that crippled the Iranian Nuclear program? Everybody said it was the Israelis, but it was probably the US. The CIA did something similar with the Soviets in the 80s, letting them steal bugged software for their oil pumping stations. Then when it had been installed in their Siberian oil pipeline it went amuck and broke it in several key places. Leaving the Soviets with huge financial and oil losses.

    The US is, if the rumors are correct, in the same position that the Allies were in WW2 when they cracked the Axis codes. They can't use all the things they know because that will tip off their enemies that their communications are hacked.

    So the idea that America is playing defense in cyber warfare is... exactly what the US wants you to believe... and nowhere near the truth.

    To illustrate: Putin, manly man that he is, never uses a cell phone to discuss important business; he has special hardened landline phones to his cronies he uses instead.

    The sky was full of stars, every star an exploding ship. One of ours.
  • redxredx I(x)=2(x)+1 whole numbersRegistered User regular
    edited June 2015
    Warcry wrote: »
    It seems to me that the most prudent way to avoid damaging leaks is to have all your information stored on a physically isolated server.

    Uh...

    Yeah

    That also makes it hard to do payroll.

    Security is always a trade off with utility and cost and annoying the hell out of users firmly on the other side of the equation.




    Edit: who said stuxnet was Israel?

    redx on
    They moistly come out at night, moistly.
  • QuidQuid Definitely not a banana Registered User regular
    redx wrote: »
    Warcry wrote: »
    It seems to me that the most prudent way to avoid damaging leaks is to have all your information stored on a physically isolated server.

    Uh...

    Yeah

    That also makes it hard to do payroll.

    Security is always a trade off with utility and cost and annoying the hell out of users firmly on the other side of the equation.




    Edit: who said stuxnet was Israel?

    Yeah it's all fine and good to say you'll keep everyone's info on an isolated server right up until you need to send that info to various banks.

  • zagdrobzagdrob Registered User regular
    Yeah, if you think the US is just sitting back and taking it in cyber warfare I have a bridge to sell you. You don't advertise your successes, but the little shreds we see (Equation Group) should give you an idea just how ridiculously advanced our cyber intelligence gathering capabilities are. Or how 'nobody' knows who was behind Stuxnet or the internet just not working in North Korea after the Sony hacks.

    We (with a nod to the Brits) invented modern computing and information theory. We invented cyber warfare. Everyone uses hardware that was developed in the US. Everyone uses an OS that was developed in the US. Everyone uses browsers that were developed in the US. If we have that much talent and knowledge along with that much direct access, I would be quite shocked if the US was that far behind in what's been identified as one of the five primary domains of warfare and explicitly stated our goal is total superiority in that domain.

    Defense is hard and expensive. Just like in the physical world, it's nearly impossible to make something truly secure against someone who really wants into it. Much less truly secure and user friendly. Locking your doors won't stop a burglar, neither will installing a burglar alarm, but it might get them to go to the next house. You can do everything you want, down to air-gapping your entire infrastructure, but even that's not 100% - just ask Iran. What China did here was a smash-and-grab, but it's not some existential threat to national security.

  • joshofalltradesjoshofalltrades Class Traitor Smoke-filled roomRegistered User regular
    If this latest attack really was China, the danger is no longer a digital one. Having information on federal employees, some of whom may have some degree of power over or access to information on some other target that wasn't in the database, means they have a potentially wider gap in the human element than before with which to infiltrate government workings.

    Of course, we don't know all the details. We don't know the types of people who had their information leaked, or what their security clearance is, if any. We don't know who committed the hack. Example worst case: this was China, and they have enough data on somebody with a high level of security clearance to make it look as if that person is a traitor, and use that leverage to force that person to actually betray the US.

    This hack is a problem not just because it doesn't inspire confidence in the USA's ability to secure their data. I doubt anyone who was willing and able to infiltrate a government database is going to be using the information gained to prank call a DOT employee at 2 AM.

  • programjunkieprogramjunkie Registered User regular
    Rchanen wrote: »
    Kaputa wrote: »
    I'll likely write a longer post, but honestly, without offense, we can't have cyber defense. China isn't even especially good at cyber warfare. They just walk up to an alarmed window in the middle of broad daylight, smash it, take whatever they can get, and when the cops show up, they scream, "Do you know who my dad is?!?" and just leave without consequence.

    The US has been a willing victim for years for cyber espionage.
    Are you advocating that the US escalate offensive cyber warfare on China?

    I favor escalation, though we've done so little that an executive level public condemnation that names names would already be like going to DEFCON 1 in comparison.

    The alternative is to just give logins and passwords to the Chinese military so as to minimize any inadvertent disruption, because a lack of escalation is exactly the same as unconditional surrender. We've already fucked up to such an incredible extent that it will take decades to recover.

    I should point out it is likely that we are hacking China to a prolific extent. It is just a difference in government reporting. China's current government is trying to paint itself as strong, powerful and on an inevitable rise to not just regional power status (which it already is) but to Hyperpower status. Admitting that the US govt is rocking your boxers via espionage does not paint that picture.

    The US govt on the other hand lets people know every time it fucks up and has no particular motivation to say "Oh yeah we've hacked Chinese databases. Shit I know the middle names of every last one of Xi Jinping's mistresses as well as his pet names for them."

    Basically I have said it before and I will say it again, if the US hacks you, you don't find out about it right away. Kasparov breaks the news about a decade later.

    The problem is this mutual hacking is bad for a couple reasons:

    1. The US has more to lose. The United States maintains an economic and military edge via technological development, and we stand to lose a lot from it being stolen. The reverse, while it will cover standard espionage stuff, won't give us nearly as much value. This goes doubly for a period of peace or cold war, where stealing tech is valuable regardless, but where more military oriented information is only useful if you engage in a military conflict.

    2. As an American, I am fully and unashamedly biased that given a mutually exclusive choice between a scenario good for the US or good for China, I'd rather the former. And for that matter, I'd go so far as to suggest most of the world ought feel similarly.
    This is also the reason typewriters are making a big comeback. Hard to hack a locked file cabinet from China.

    Typewriters are a histrionic reaction to hacking. Simply having a closed network is more than sufficient, with the caveat you need good physical security either way. And honestly, if you can do your job without a computer or modern communications equipment, there's a decent chance it isn't all that important.

  • AngelHedgieAngelHedgie Registered User regular
    Of course, we don't know all the details. We don't know the types of people who had their information leaked, or what their security clearance is, if any. We don't know who committed the hack. Example worst case: this was China, and they have enough data on somebody with a high level of security clearance to make it look as if that person is a traitor, and use that leverage to force that person to actually betray the US.

    Considering the story of the most highly placed double agent for the Soviets, that method is both overkill and not really necessary.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • joshofalltradesjoshofalltrades Class Traitor Smoke-filled roomRegistered User regular
    Of course, we don't know all the details. We don't know the types of people who had their information leaked, or what their security clearance is, if any. We don't know who committed the hack. Example worst case: this was China, and they have enough data on somebody with a high level of security clearance to make it look as if that person is a traitor, and use that leverage to force that person to actually betray the US.

    Considering the story of the most highly placed double agent for the Soviets, that method is both overkill and not really necessary.

    Yeah, true. I was just trying to illustrate that the info leak actually is potentially a threat to national security.

    Since I'm not actually a spy (which is exactly the sort of thing a real spy would say) I wasn't really trying to go into some optimized method of infiltration.

  • ReznikReznik Registered User regular
    This is also the reason typewriters are making a big comeback. Hard to hack a locked file cabinet from China.

    Typewriters are a histrionic reaction to hacking. Simply having a closed network is more than sufficient, with the caveat you need good physical security either way. And honestly, if you can do your job without a computer or modern communications equipment, there's a decent chance it isn't all that important.

    Typewriters can be "hacked" too
    The Gunman Project

    During 1976, the KGB managed to install miniaturised eavesdropping equipment and transmitters inside 16 IBM Selectric Typewriters used by staff at the US embassy in Moscow and consulate in Leningrad.

    These copied everything that was typed into the machines and then transmitted the data in bursts to KGB engineers in vans nearby.

    The bursts were too short to be detected by the US counter surveillance equipment and were set in the same frequency band as the Soviet television stations.

    For eight years the Soviet spy agency was able to steal American secrets from inside the heart of the US embassy.

    The bugs were only discovered in 1984 by an operation conducted by the National Security Agency when it sent a team of experts to scour the embassy for bugs.

    Over 100 days every piece of electronic equipment, communications device, printers and computers were replaced while the old equipment was taken back to the US to be X-rayed.

    Some of the bugs operated on batteries and others used mains electricity.

    The bugs were also remote controlled so they could be turned off when inspection teams were in the area.

    An NSA report that was later released concluded that the Soviets had been able to read every single document written on these typewriters.

    They never discovered how the bugs were installed, but suspected they were installed by the KGB when the typewriters were passing through Soviet customs.

    The linked NSA report is a pretty neat read.

    Do... Re.... Mi... Ti... La...
    Do... Re... Mi... So... Fa.... Do... Re.... Do...
    Forget it...
  • joshofalltradesjoshofalltrades Class Traitor Smoke-filled roomRegistered User regular
    edited June 2015
    They never discovered how the bugs were installed, but suspected they were installed by the KGB when the typewriters were passing through Soviet customs.

    youdontsay.jpg

    joshofalltrades on
  • AngelHedgieAngelHedgie Registered User regular
    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • KrieghundKrieghund Registered User regular
    On my phone, so I can't go to the link, but if that is the Ars story, it makes me think it's more Israel than NSA.

  • PolaritiePolaritie Sleepy Registered User regular

    That article says it's not (or doesn't look like) Equation Group.

    Either way, it strikes me as a bad target choice to go after one of the biggest names in computer security.

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
  • mcdermottmcdermott Registered User regular
    Regarding military recruiting of technical fields, there are ways to staff positions like that outside the normal channels. We already do it with medical fields, pretty sure we do it on the legal side, and there are direct commissioning programs for engineering as well. No reason you couldn't have a similar path for this, where somebody with the proper credentials or experience goes through a crash course on "military" and secures a temporary or permanent commission. And that's aside from the Navy's nuke program, which (mostly) recruits officers specifically from technical fields.

    That said, I'm not sure emphasis on uniformed folks is the best route anyway. Once you put on the uniform, it comes with a LOT of expectations and restrictions, which is going to turn a lot of your best talent away. I mean the drug testing thing is already an issue on the civilian side, you're pushing away a lot of potentially talented people especially in states where it's legal-ish. The uniform just ratchets that up to ten, because now your performance eval as a cyber security expert is influenced strongly by how fast you can run a two-mile.

    This is not a salient qualification for that position.

    Much better handled on the civilian side, I'd say.

  • Dark Raven XDark Raven X Laugh hard, run fast, be kindRegistered User regular
    Polaritie wrote: »

    That article says it's not (or doesn't look like) Equation Group.

    Either way, it strikes me as a bad target choice to go after one of the biggest names in computer security.

    Nah, sounds like a challenge! ;D

    Is Kaspersky even a big ol' security thing? I thought it was just like, a filter for your computer to stop you downloading anything off a blacklist? Really basic stuff, not some system for resisting a hack.

    Oh brilliant
  • ReznikReznik Registered User regular
    Polaritie wrote: »

    That article says it's not (or doesn't look like) Equation Group.

    Either way, it strikes me as a bad target choice to go after one of the biggest names in computer security.

    Nah, sounds like a challenge! ;D

    Is Kaspersky even a big ol' security thing? I thought it was just like, a filter for your computer to stop you downloading anything off a blacklist? Really basic stuff, not some system for resisting a hack.

    Kaspersky as a company does a ton of research/analysis into security/malware/etc. They're not just antivirus developers. I believe they were the ones who discovered a ton of compromised ATMs in Europe.

    Do... Re.... Mi... Ti... La...
    Do... Re... Mi... So... Fa.... Do... Re.... Do...
    Forget it...
  • PolaritiePolaritie Sleepy Registered User regular
    Kaspersky has a very good reputation for reverse engineering malware. The best part is that they then publish the results of the work so everyone else can take countermeasures (or buy Kaspersky products and let them handle it). It's basically delivering your new virus to the CDC. You may do some damage, but...

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
  • AngelHedgieAngelHedgie Registered User regular
    Polaritie wrote: »
    Kaspersky has a very good reputation for reverse engineering malware. The best part is that they then publish the results of the work so everyone else can take countermeasures (or buy Kaspersky products and let them handle it). It's basically delivering your new virus to the CDC. You may do some damage, but...

    To be fair, there are questions about the firm's ties to the Russian government (to be even more fair, said questions apply to pretty much any major Russian firm.)

    The point of the story, though, is that it illustrates where the bleeding edge is for the West (and how firmly in "here there be dragons" territory it is.) These are some very elegant attacks, and their sophistication is really fucking scary.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • PhyphorPhyphor Building Planet Busters Tasting FruitRegistered User regular
    edited June 2015
    Ehh, a RAM-only network propagated virus isn't all that novel. I do like using domain controllers to auto-install it though

    Phyphor on
  • AngelHedgieAngelHedgie Registered User regular
    One person made a great point - if a Hollywood scriptwriter put in a "we need to reboot them ALL at once!" scene, we'd call it hackneyed.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • ZythonZython Registered User regular
    And I just recently gave the feds my background info for my new job.

    Fuck.

    Switch: SW-3245-5421-8042 | 3DS Friend Code: 4854-6465-0299 | PSN: Zaithon
    Steam: pazython
  • HefflingHeffling No Pic EverRegistered User regular
    Zython wrote: »
    And I just recently gave the feds my background info for my new job.

    Fuck.

    You're acting like they don't have it already.

  • joshofalltradesjoshofalltrades Class Traitor Smoke-filled roomRegistered User regular
    edited June 2015
    Zython wrote: »
    And I just recently gave the feds my background info for my new job.

    Fuck.

    When? If it was after the breach, you're probably okay. Keep in mind they took a while to reveal that the breach occurred even after they discovered it existed.

    But I mean, I would understand if you hollered to some people about keeping your info private.

    joshofalltrades on
  • QuidQuid Definitely not a banana Registered User regular
    Heffling wrote: »
    Zython wrote: »
    And I just recently gave the feds my background info for my new job.

    Fuck.

    You're acting like they don't have it already.

    I very, very much doubt China has or even really gives a damn about the amount of information an SF-86 has in regards to the average person without a clearance. The form is massive and extremely detailed. To the point that most people themselves don't know all the info and have to go digging it up and making phone calls to various places.

  • HefflingHeffling No Pic EverRegistered User regular
    I disagree, because the weak link in our cyber security system is the human element. Having all the information you need to impersonate a federal employee, even without security clearance, is valuable.

  • QuidQuid Definitely not a banana Registered User regular
    Heffling wrote: »
    I disagree, because the weak link in our cyber security system is the human element. Having all the information you need to impersonate a federal employee, even without security clearance, is valuable.

    SF-86s are extensive information forms filled out by people applying for a clearance. Something the vast majority of the population isn't going to ever even try to do.

    Zython's concern is that they just submitted one. And if they hadn't this wouldn't have been an issue. Because there's no way China is tracking down all of that information for every single American ever.

  • mcdermottmcdermott Registered User regular
    Yeah, the idea that the SF-86 data is leaked is pretty horrifying. It's not so much even that the Chinese government has it, it's that they can now sell it (or just give it) to whoever. That's a breach much worse than your SSN, because unlike your SSN that info can't be changed. Like Quid said, most people can't complete that form on the spot, that's how much and how detailed the info is. The disruptive power of putting that info out into the wild is pretty significant.

    Not to mention the bits on there like every job you've been fired from (and an explanation of why), past criminal history and drug use, and psychiatric history. Just imagine all that data being thrown up on a searchable site, just to fuck with people.

  • programjunkieprogramjunkie Registered User regular
    mcdermott wrote: »
    Yeah, the idea that the SF-86 data is leaked is pretty horrifying. It's not so much even that the Chinese government has it, it's that they can now sell it (or just give it) to whoever. That's a breach much worse than your SSN, because unlike your SSN that info can't be changed. Like Quid said, most people can't complete that form on the spot, that's how much and how detailed the info is. The disruptive power of putting that info out into the wild is pretty significant.

    Not to mention the bits on there like every job you've been fired from (and an explanation of why), past criminal history and drug use, and psychiatric history. Just imagine all that data being thrown up on a searchable site, just to fuck with people.

    If I were them, I wouldn't sell that information for a billion dollars. If you sell it, it loses a lot of its analytical power, because enough proliferation will force us to confront it.

    The real danger is high powered analysis. China right now has an intel trove of incomparable value.

  • Captain MarcusCaptain Marcus now arrives the hour of actionRegistered User regular
    I've been gnashing my teeth throughout this whole thing. Not a peep from our government- not an announcement that we're creating highly-paid cyberwarfare positions or kicking out the PRC's Confucius Institute fronts or what have you. Just silence.

    Anyways, espionage thread, what are your thoughts on how we can prevent this from happening again? I read Ira Winkler's Spies Among Us last summer, and although his advice is mostly for businesses and wouldn't have helped against hacking it is amazing how many companies don't take basic precautions to prevent IP theft. Password-protected screen savers. Not holding the door open for other people if there's a badge swipe to get in. Overwriting hard drives and then smashing them before they go in the dumpster. Basic things, but it's like no one does them.

  • NSDFRandNSDFRand FloridaRegistered User regular
    edited June 2015
    Anyways, espionage thread, what are your thoughts on how we can prevent this from happening again?

    It's a difficult CI problem for the U.S.

    If we were able to hypothetically eliminate electronic intrusion completely, we'd still be vulnerable to on site exploitation and HUMINT collections. And not all sensitive tech, economic, and personnel information is hidden behind info security measures.

    There are two reasons for this:

    1. Much of the information that Chinese intelligence has access to is sensitive, but it's not necessarily under any kind of info security measures (classification, compartmentalized) because it needs to be accessed by civilian researchers and research students in civilian research schools. And like the issue with classifying sensitive law enforcement intelligence, there are just too many people cycling through too often for an SF 86 for a TS/SCI to be done on every single one of them. And that's ignoring international students.

    2. Our society (the U.S.), even with friction between ethnic groups, is very heterogeneous compared to a nation like China. A Chinese national or a Chinese American business man/woman or government employee/contractor would not necessarily stand out here. I think you'd be hard pressed to find many American business men/women working in China regularly who aren't being surveilled and collected on, and I don't imagine that the Chinese intelligence services are openly recruiting Americans to work in different positions throughout their organizations.


    This presents a major defense problem, and an additional offensive problem with issue 2.

    NSDFRand on
  • PhyphorPhyphor Building Planet Busters Tasting FruitRegistered User regular
    edited June 2015
    I've been gnashing my teeth throughout this whole thing. Not a peep from our government- not an announcement that we're creating highly-paid cyberwarfare positions or kicking out the PRC's Confucius Institute fronts or what have you. Just silence.

    What would be the point? It would be theatre. The positions already exist but are probably themselves a secret, and in any case have problems being filled for reasons covered above, and even then the pay probably won't match private sector
    Anyways, espionage thread, what are your thoughts on how we can prevent this from happening again? I read Ira Winkler's Spies Among Us last summer, and although his advice is mostly for businesses and wouldn't have helped against hacking it is amazing how many companies don't take basic precautions to prevent IP theft. Password-protected screen savers. Not holding the door open for other people if there's a badge swipe to get in. Overwriting hard drives and then smashing them before they go in the dumpster. Basic things, but it's like no one does them.

    You can't, not really. Holding doors open if they have a badge is just a thing that's done. Not locking your computer happens, and in any case harddrives can be removed very quickly. Or you can masquerade as IT and just remove whole machines. Most badges are not really that secure anyway and can be duped

    Phyphor on