Club PA 2.0 has arrived! If you'd like to access some extra PA content and help support the forums, check it out at patreon.com/ClubPA
The image size limit has been raised to 1mb! Anything larger than that should be linked to. This is a HARD limit, please do not abuse it.
Our new Indie Games subforum is now open for business in G&T. Go and check it out, you might land a code for a free game. If you're developing an indie game and want to post about it, follow these directions. If you don't, he'll break your legs! Hahaha! Seriously though.
Our rules have been updated and given their own forum. Go and look at them! They are nice, and there may be new ones that you didn't know about! Hooray for rules! Hooray for The System! Hooray for Conforming!

[Espionage] US Government Hacked: 4 million federal employees' data breached

13»

Posts

  • joshofalltradesjoshofalltrades 地獄のようにかわいい あなたは嫉妬深いかRegistered User regular
    How prolific are biometrics, and are they any good at preventing intrusion? You always see the spy in the movies just knock the guy whose eyes unlock the door unconscious and drag him over, but would that even work in real life?

    ジェイムズ・ブラウンの好きな色は何ですか?
    青!
  • QuidQuid I don't... what... hnnng Registered User regular
    I don't think anyone with knowledge of government security systems is going to talk about how easy or how effective something is at getting around those systems.

    At least, I would hope not.

    KrieghundjmcdonaldHefflingFencingsaxIncenjucarRchanen
  • BSoBBSoB Registered User regular
    I got a letter this week from the department of homeland security saying my info was compromised.

    My name was (very) wrong in the address label.

    I wonder if the Chinese government has more accurate records of me than our own.


    Heffling
  • zagdrobzagdrob Registered User regular
    edited June 2015
    How prolific are biometrics, and are they any good at preventing intrusion? You always see the spy in the movies just knock the guy whose eyes unlock the door unconscious and drag him over, but would that even work in real life?

    One of the big things is that there's lots and lots of different kinds of security and lots of different actors.

    Let's take physical access for example. Biometrics are generally going to be pretty effective provided they work right and are properly configured. Some combination of keycard + pin is probably going to be fairly effective as well. Timed access (i.e. you can't get in before 7:30 AM, after 5:30, or on the weekends) will prevent some unwanted access, as will limited points of entry (especially if those limited points of entry are human-monitored).

    A system where you must swipe out each time before you can swipe back in, and multiple layers of security (individual rooms / areas keycoded, etc) will help to improve the physical security of the site.

    All of that comes at a cost though. Hiring people to watch the doors, continually auditing access logs, or even having one or two points of access requires planning and is a pain in the ass. More secure systems are normally more difficult to work with, and if you get in the way of people easily doing their job, they will just find workarounds. The best example is probably systems that forbid password reuse, require frequent changes, and have stringent password policies. Make it too tough, and you'll end up with a post-it note with the passwords on it in every desk.

    Also, that only prevents on-premises physical access. If the dumpster out back has unshredded documents, or if you resell your old computer hardware without removing / wiping the HDD, all that money and irritation is pointless. A stringent password policy doesn't do much if someone can reset their password by naming their favorite color, city they were born in, or mom's maiden name - information that's easy to find or make an educated guess on.

    Electronic security makes things even more difficult. To make information available across sites, you almost certainly are exposing some part of your systems to the public internet. All the firewalls and access gateways and VPNs in the world don't do you much good when someone finds a zero-day exploit, or your IT people can't immediately implement fixes to known issues because of your change management processes. Sometimes you can't update / upgrade in a timely manner, because something isn't compatible and you can't conduct business otherwise.

    And - even if you address these and a hundred other issues, none of this helps when your data entry clerk or cleaning crew are working for the Chinese government. Having the best biometric system in the world isn't going to protect you from someone like Snowden. Security is about addressing the worst threats, and mitigating as many other threats as possible, you'll never actually achieve perfect security. Trying to achieve perfect security will just keep people from being able to do their jobs.

    Quid wrote: »
    I don't think anyone with knowledge of government security systems is going to talk about how easy or how effective something is at getting around those systems.

    At least, I would hope not.

    That's the thing. Even if the CIA / NSA / whomever has the best security on the planet, it doesn't do them a damn bit of good when the same data and presentations are available on the Booz-Hamilton's SharePoint server.

    zagdrob on
    GethAngelHedgiejoshofalltradesHefflingjmcdonaldNocrenCaptain Marcusshrykeoverride367Rchanen
  • shrykeshryke Member of the Beast Registered User regular
    Quid wrote: »
    I don't think anyone with knowledge of government security systems is going to talk about how easy or how effective something is at getting around those systems.

    At least, I would hope not.

    Well, maybe not.

    Someone posted this in Chat and I didn't see it here so I thought I'd repost:
    http://www.businessinsider.com/the-us-agency-plundered-by-chinese-hackers-made-one-of-the-dumbest-security-moves-possible-2015-6
    The massive breach of OPM's database — made public by the Obama administration this month — prompted speculation over why the agency hadn't encrypted its systems, which contain the sensitive security clearance and background information for intelligence and military personnel.

    Encryption, however, according to Ars, would not have helped in this case because administrators responsible for managing these records had root access to the system, Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified yesterday at a two-hour hearing before the House Oversight and Government Reform Committee.

    And it turns out that a systems administrator responsible for handling the agency's records "was in Argentina and his co-worker was physically located in the [People's Republic of China]," a consultant who worked with an OPM-contracted company told ArsTechnica.

    "Both had direct access to every row of data in every database: they were root."

    Experts and politicians are now lambasting the US government for the way agency handled IT security.

  • PolaritiePolaritie Sleepy Registered User regular
    I... what?

    It's totally possible for someone to have root access to a system but be unable to read anything due to encryption. It's fucking TRIVIAL.

    Like, who the fuck is running the IT over there?

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
    zagdrob
  • DaedalusDaedalus Registered User regular
    Polaritie wrote: »
    I... what?

    It's totally possible for someone to have root access to a system but be unable to read anything due to encryption. It's fucking TRIVIAL.

    Like, who the fuck is running the IT over there?

    In most POSIX-type systems, (those without some mandatory access control system like SELinux or similar) the root user has access to the memory space of normal users' processes, so he could grab the key when the authorized user decrypted it.

  • FencingsaxFencingsax It is difficult to get a man to understand, when his salary depends upon his not understanding GNU Terry PratchettRegistered User regular
    Daedalus wrote: »
    Polaritie wrote: »
    I... what?

    It's totally possible for someone to have root access to a system but be unable to read anything due to encryption. It's fucking TRIVIAL.

    Like, who the fuck is running the IT over there?

    In most POSIX-type systems, (those without some mandatory access control system like SELinux or similar) the root user has access to the memory space of normal users' processes, so he could grab the key when the authorized user decrypted it.

    The answer to the question, though is "the lowest bidder". Our contracting system is fucked up.

    torchlight-sig-80.jpg
    Captain MarcusRchanen
  • PhyphorPhyphor Building Planet Busters Tasting FruitRegistered User regular
    edited June 2015
    Security is one of those things where if it's done properly, it doesn't look like anything is being done at all, so the benefits are all invisible but the cost is very real. And hey, your system might not get hacked anyway!

    Phyphor on
    Magic Box
    Academician Prokhor "Phyphor" Zakharov, Chief Scientist of China, Provost of the University of Planet - SE++ Megagame
    DaedalusCantido
Sign In or Register to comment.